GUARDIA: specification and enforcement of javascript security policies without VM modifications
| Field | Value |
|---|---|
| Authors | Jens Nicolay, Elisa Gonzalez Boix, Angel Luis Scull Pupo |
| Contributors | Informatics and Applied Informatics, Faculty of Sciences and Bioengineering Sciences, Software Languages Lab |
| Language | English |
| Year of publication | 2018 |
| Subjects | JavaScript; Reflection (computer programming); Computer science; Computer Networks and Communications; Security policy; Overhead (engineering); Access control; Web security; Internet security; Computer security; DSL; Runtime enforcement; Human-computer interaction; Web application; Software engineering; Transparency (human-computer interaction); Language design; Computation theory and mathematics; Software |
| Source | ManLang |
| Description | The complex architecture of browser technologies and dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because it is difficult to apply them correctly and they can be bypassed. As a result, they need to be complemented by application-level security policies. In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia's enforcement mechanism, built on JavaScript reflection, with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead. |
| Database | OpenAIRE |
| External link | |
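The abstract describes enforcement through JavaScript reflection (Proxy and Reflect) rather than engine changes, and evaluates it against transparency, tamper-proofness and completeness. The following is an added illustration of that general approach written for this page; it is not Guardia's code, and its policy format and function names (`POLICY`, `enforce`, `installGuarded`) are hypothetical. The "store" object stands in for a sensitive host API such as `document.cookie` and is constructed for the demo.

```javascript
// Added example, not Guardia's own code: mediating access to an object with a
// Proxy whose traps consult a declarative allow-list policy before forwarding
// through Reflect. No engine/VM modification is needed. Names are hypothetical.

class PolicyViolation extends Error {
  constructor(op, prop) {
    super(`policy violation: ${op} of "${String(prop)}"`);
    this.op = op;
    this.prop = String(prop);
  }
}

// Constructed stand-in for a sensitive host API. State lives in a closure so
// the only way to reach it is through the (mediated) accessor surface.
function makeSensitiveStore() {
  const state = { cookie: 'session=abc123', title: 'Welcome', log: [] };
  return {
    get cookie() { return state.cookie; },
    set cookie(v) { state.cookie = String(v); },
    get title() { return state.title; },
    set title(v) { state.title = String(v); },
    write(msg) { state.log.push(msg); return state.log.length; },
    get log() { return state.log.slice(); },
  };
}

// Declarative policy: per-operation allow-lists. Frozen so the rules cannot be
// edited after deployment (one ingredient of tamper-proofness).
const POLICY = Object.freeze({
  read:  Object.freeze(['title', 'log', 'write']),
  write: Object.freeze(['title']),
  call:  Object.freeze(['write']),
});

// Wrap `target` in a Proxy. Each trap checks the policy, reports a denial to
// `audit`, and throws, so application code cannot silently slip past a rule.
function enforce(target, policy, audit) {
  const deny = (op, prop) => {
    audit({ op, prop: String(prop) });
    throw new PolicyViolation(op, prop);
  };
  const methodCache = new Map(); // same guarded wrapper per method, for identity stability
  const handler = {
    get(t, prop) {
      // Symbols (Symbol.toPrimitive etc.) pass through; string keys are policed.
      if (typeof prop !== 'symbol' && !policy.read.includes(prop)) deny('read', prop);
      const value = Reflect.get(t, prop); // `this` is the raw target, not the proxy
      if (typeof value !== 'function') return value;
      if (!methodCache.has(value)) {
        methodCache.set(value, function guardedMethod(...args) {
          if (!policy.call.includes(prop)) deny('call', prop);
          return Reflect.apply(value, t, args);
        });
      }
      return methodCache.get(value);
    },
    set(t, prop, value) {
      if (!policy.write.includes(prop)) deny('write', prop);
      return Reflect.set(t, prop, value);
    },
    // Shape-changing operations are never granted: they would let code add a
    // second path to protected state or strip the mediation.
    defineProperty(t, prop) { deny('define', prop); },
    deleteProperty(t, prop) { deny('delete', prop); },
    setPrototypeOf() { deny('setPrototypeOf', '[[Prototype]]'); },
  };
  return new Proxy(target, handler);
}

// Publish the guarded reference as a non-writable, non-configurable property of
// `host` (e.g. window), so application code cannot swap it for the raw object.
function installGuarded(host, name, guarded) {
  Object.defineProperty(host, name, {
    value: guarded, writable: false, configurable: false, enumerable: true,
  });
  return host;
}

function throws(fn) { try { fn(); return false; } catch (_) { return true; } }

// Exercise the three properties from the paper against the demo store.
function demo() {
  'use strict'; // strict mode makes a blocked assignment throw instead of failing silently
  const audit = [];
  const raw = makeSensitiveStore();
  const host = installGuarded({}, 'store', enforce(raw, POLICY, (e) => audit.push(e)));
  const out = {};

  // Transparency: permitted operations behave exactly as on the raw object.
  out.title = host.store.title;
  out.writeCount = host.store.write('hello');
  out.logMatchesRaw = JSON.stringify(host.store.log) === JSON.stringify(raw.log);
  out.stableMethodIdentity = host.store.write === host.store.write;

  // Completeness: every route to a denied resource hits a trap.
  out.cookieReadDenied = throws(() => host.store.cookie);
  out.cookieWriteDenied = throws(() => { host.store.cookie = 'x'; });
  out.deleteDenied = throws(() => { delete host.store.title; });
  out.defineDenied = throws(() => Object.defineProperty(host.store, 'cookie', { value: 'y' }));
  out.cookieIntact = raw.cookie === 'session=abc123';

  // Tamper-proofness: the guarded reference itself cannot be replaced.
  out.reassignBlocked = throws(() => { host.store = raw; });
  out.redefineBlocked = throws(() => Object.defineProperty(host, 'store', { value: raw }));
  out.stillGuarded = host.store !== raw;

  out.auditOps = audit.map((e) => `${e.op}:${e.prop}`);
  return out;
}
```

In a browser the same pattern would wrap a real host object and install the proxy under its usual global name; the caveat the abstract's "completeness" property points at is that any reference to the raw object obtained before installation (or via another global that aliases it) is unmediated, so deployment order and alias coverage matter as much as the traps themselves.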