Defensive JavaScript - Building and Verifying Secure Web Components

Defensive JavaScript (DJS) is a typed subset of JavaScript that guarantees that the functional behavior of a program cannot be tampered with even if it is loaded by and executed within a malicious environment under the control of the attacker. As such, DJS is ideal for writing JavaScript security components, such as bookmarklets, single sign-on widgets, and cryptographic libraries, that may be loaded within untrusted web pages alongside unknown scripts from arbitrary third parties. We present a tutorial of the DJS language along with motivations for its design. We show how to program security components in DJS, how to verify their defensiveness using the DJS typechecker, and how to analyze their security properties automatically using ProVerif.
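The property the abstract describes, shown as an added illustration (editor's example, not code from the paper or the DJS toolchain; the restrictions the defensive encoder follows are a simplified reading of the DJS discipline, assumed here): a hex encoder written against the global environment changes behaviour once a page script has redefined the built-ins it depends on, while one that uses only operators and locally bound data does not.

```javascript
// Naive component: depends on Array.prototype.map/join and
// Number.prototype.toString, all of which any earlier script on the page
// can reassign.
function naiveHex(bytes) {
  return bytes.map(function (b) {
    return ("0" + b.toString(16)).slice(-2);
  }).join("");
}

// Defensive component (simplified DJS-style discipline, an assumption of this
// example): no free variables, no method calls on objects it did not create,
// only primitive operators, a local alphabet string and index access
// (s.length and s[i] are own properties of a string, not prototype lookups),
// so nothing it relies on can be swapped out by other scripts.
var defensiveHex = (function () {
  var alphabet = "0123456789abcdef";
  return function (bytes) {
    var out = "";
    for (var i = 0; i < bytes.length; i++) {
      var b = bytes[i] & 255;
      out = out + alphabet[b >>> 4] + alphabet[b & 15];
    }
    return out;
  };
})();

// Constructed hostile environment: simulates a page script that poisoned two
// built-ins before our component was loaded. Returns both outputs so the
// difference is observable, then restores the originals.
function runInPoisonedEnvironment(bytes) {
  var savedJoin = Array.prototype.join;
  var savedToString = Number.prototype.toString;
  Array.prototype.join = function () { return "tampered"; };
  Number.prototype.toString = function () { return "ff"; };
  try {
    return { naive: naiveHex(bytes), defensive: defensiveHex(bytes) };
  } finally {
    Array.prototype.join = savedJoin;
    Number.prototype.toString = savedToString;
  }
}
```

Both encoders agree on a clean page; only `defensiveHex` still returns the correct encoding inside `runInPoisonedEnvironment`, which is the guarantee the DJS typechecker is meant to establish statically rather than by testing.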
