Abstract

Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Similar Papers

Paper Title
Journal
Date
Author
Flexible access control for javascript
Gregor Richards ... Jan Vitek
-
Gregor Richards, et. al.Gregor Richards ... Jan Vitek
29 Oct 2013
Practical and efficient cryptographic enforcement of interval-based access control policies
Jason Crampton
ACM Transactions on Information and System Security | VOL. 14
Jason CramptonJason Crampton
01 May 2011
Trusted Administration of Large-Scale Cryptographic Role-Based Access Control Systems
Lan Zhou ... Michael Hitchens
-
Lan Zhou, et. al.Lan Zhou ... Michael Hitchens
01 Jun 2012
A Rigorous Framework for Specification, Analysis and Enforcement of Access Control Policies
Andrea Margheri ... Francesco Tiezzi
IEEE Transactions on Software Engineering | VOL. 45
Andrea Margheri, et. al.Andrea Margheri ... Francesco Tiezzi
01 Jan 2019
View more papers

More From: ACM SIGPLAN Notices

Paper Title
Journal
Date
Author
Regenerate: a language generator for extended regular expressions
Gabriel Radanne ... Peter Thiemann
ACM SIGPLAN Notices | VOL. 53
Gabriel Radanne, et. al.Gabriel Radanne ... Peter Thiemann
07 Apr 2020
Implementing a semi-causal domain-specific language for context detection over binary sensors
Nic Volanschi ... Charles Consel
ACM SIGPLAN Notices | VOL. 53
Nic Volanschi, et. al.Nic Volanschi ... Charles Consel
07 Apr 2020
Orchestrating dynamic analyses of distributed processes for full-stack JavaScript programs
Laurent Christophe ... Coen De Roover
ACM SIGPLAN Notices | VOL. 53
Laurent Christophe, et. al.Laurent Christophe ... Coen De Roover
07 Apr 2020
Model-based security analysis of feature-oriented software product lines
Sven Peldszus ... Jan Jürjens
ACM SIGPLAN Notices | VOL. 53
Sven Peldszus, et. al.Sven Peldszus ... Jan Jürjens
07 Apr 2020
View more papers

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.