Survey on JavaScript security policies and their enforcement mechanisms in a web browser

Abstract We observe a rapid growth of web-based applications every day. These applications are executed in the web browser, where they interact with a variety of information belonging to the user. The dynamism of web applications is provided by web scripts, and in particular JavaScript, which access this information through a browser-provided set of APIs. Unfortunately, some scripts use the given functionality in malicious ways. Over the last decade, a substantial number of web-based attacks that violate the user's privacy and security have been detected. For this reason, web script security has been an active area of research. Both computer security researchers and web developers have proposed a number of techniques to enforce different security and privacy policies in the web browser. Among all the works on web browser security, we survey dynamic techniques based on runtime monitoring as well as secure information flow techniques. We then combine and compare the security and privacy policies they enforce, and the way the enforcement is done. We target two groups of readers: 1) for computer security researchers, we propose an overview of security-relevant components of the web browser and the security policies based on these components, and we show how well-known enforcement techniques are applied in a web browser setting; 2) for web developers, we propose a classification of security policies, a comparison of existing enforcement mechanisms proposed in the literature, and an explanation of the formal guarantees that they provide.
