Projects per year
Abstract
The complex architecture of browser technologies and dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because it is difficult to apply them correctly and they can be bypassed. As a result, they need to be completed by application-level security policies.
In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia enforcement mechanism by means of JavaScript reflection with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.
In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia enforcement mechanism by means of JavaScript reflection with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.
Original language | English |
---|---|
Title of host publication | Proceedings of the 15th International Conference on Managed Languages & Runtimes |
Publisher | Association for Computing Machinery (ACM) |
Number of pages | 15 |
ISBN (Electronic) | 978-1-4503-6424-9 |
DOIs | |
Publication status | Published - 12 Sep 2018 |
Event | 15th International Conference on Managed Languages & Runtimes - Johannes Kepler University Linz, Linz, Austria Duration: 11 Sep 2018 → 13 Sep 2018 http://ssw.jku.at/manlang18/ |
Conference
Conference | 15th International Conference on Managed Languages & Runtimes |
---|---|
Abbreviated title | ManLang '18 |
Country/Territory | Austria |
City | Linz |
Period | 11/09/18 → 13/09/18 |
Internet address |
Keywords
- DSL
- JavaScript
- Language design
- Reflection
- Runtime Enforcement
- Security Policy
- Web Security
Projects
- 1 Finished
-
BRGIMP4: SECLOUD - Innoviris BRIDGE 2014
De Hert, P., Nowe, A., Gonzalez Boix, E. & De Roover, C.
1/09/15 → 31/08/18
Project: Applied