GUARDIA: specification and enforcement of javascript security policies without VM modifications

Research output: Chapter in Book/Report/Conference proceedingConference paper

3 Citations (Scopus)
194 Downloads (Pure)

Abstract

The complex architecture of browser technologies and dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because it is difficult to apply them correctly and they can be bypassed. As a result, they need to be completed by application-level security policies.

In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia enforcement mechanism by means of JavaScript reflection with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.
Original languageEnglish
Title of host publicationProceedings of the 15th International Conference on Managed Languages & Runtimes
PublisherAssociation for Computing Machinery (ACM)
Number of pages15
ISBN (Electronic)978-1-4503-6424-9
DOIs
Publication statusPublished - 12 Sep 2018
Event15th International Conference on Managed Languages & Runtimes - Johannes Kepler University Linz, Linz, Austria
Duration: 11 Sep 201813 Sep 2018
http://ssw.jku.at/manlang18/

Conference

Conference15th International Conference on Managed Languages & Runtimes
Abbreviated titleManLang '18
Country/TerritoryAustria
CityLinz
Period11/09/1813/09/18
Internet address

Keywords

  • DSL
  • JavaScript
  • Language design
  • Reflection
  • Runtime Enforcement
  • Security Policy
  • Web Security

Cite this