JSLocker: flexible access control policies with delimited histories and revocation
SREIS '11 Proceedings of the 12th Annual Information Security Symposium(2011)
摘要
Providing security guarantees for software systems built out of untrusted components requires the ability to enforce fine-grained access control policies. This is evident in Web 2.0 applications where JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. This paper presents a security infrastructure which allows users and content providers to specify access control policies over delimited histories, subsets of JavaScript execution traces, allowing revocation of the history, and reversion to a safe state if a violation is detected. We report on an empirical evaluation of this proposal in the context of a production browser. We show examples of security policies which can prevent real attacks without imposing drastic restrictions on legacy applications. We have evaluated our proposal with two non-trivial policies on 50 of the Alexa top websites with no changes to the legacy JavaScript code. Between 72% and 84% of the sites were fully functional, and only 1 site was rendered non-functional. In term of performance overhead we observed a worst case 106% slowdown with a typical case closer to 10%.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要