Tamper-proof security mechanism against liar objects in JavaScript applications

Onderzoeksoutput: Unpublished abstract

Samenvatting

Many approaches has been proposed to dynamically secure client side web applications allowing developers to express they security policies using some sort of policy language. Those security policies are usually expressed in JavaScript, which has some features like the dynamic type coercion that allow an attacker to bypass those security mechanisms. This has been addressed by giving the developer the option of specifying “inspection types” during the policy declaration. Those inspection types are used to safely coerce the values used during the enforcement and afterwards. However, those mechanism are mostly limited to primitive types and require carefully design of the policy and its inspection types.

We propose the extension of a policy declaration and enforcement mechanism by constructing a coercion model for all the language built-ins. Then, the model is used to safely coerce all the operands or arguments used by the built-ins operations during the policy enforcement and afterwards removing the need of inspection types.
Originele taal-2English
StatusUnpublished - 23 mrt 2020
EvenementProgramming: The International Conference on the Art, Science and Engineering of Programming - Porto, Portugal
Duur: 25 mrt 202026 mrt 2020

Conference

ConferenceProgramming: The International Conference on the Art, Science and Engineering of Programming
Verkorte titelProgramming
LandPortugal
StadPorto
Periode25/03/2026/03/20

Vingerafdruk Duik in de onderzoeksthema's van 'Tamper-proof security mechanism against liar objects in JavaScript applications'. Samen vormen ze een unieke vingerafdruk.

Citeer dit