A Domain-specific Language for Expressing Security Policies in JavaScript

Student thesis: Master's Thesis


Web applications used to simply fetch content from web servers and display it in simple HTML documents. Nowadays, however, they have transitioned into rich Internet applications that combine code from different sources. This transition created a need for different, more fine-grained tools for securing those applications. The current security mechanisms mostly operate at the browser level and have been found to be too coarse-grained to keep up with rapidly changing web application development techniques. This results in web applications with many vulnerabilities that undermine their security.
After analyzing the different vulnerabilities, we introduce SDSL, an internal domain-specific language for expressing security policies in JavaScript at the object level. The developer is provided with built-in components to express a wide range of stateful as well as stateless access control policies. This enables developers to limit access to methods and properties in a fine-grained, problem-specific manner. The enforcement mechanism of SDSL relies on the meta-level engineering facilities of JavaScript, namely proxies. Proxies allow us to intercept and modify the different calls to an object.
The domain-specific language was validated in two ways. First, we expressed multiple security policies and compared them to the state-of-the-art libraries. Second, we employed SDSL in an existing application containing vulnerabilities, without changing the basic architecture of the application. This shows that SDSL allows developers to create security policies to protect objects on the client side as well as on the server side.
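
The proxy-based enforcement described in the abstract can be sketched as follows, with one stateless and one stateful policy applied to the same object. This is an added example, not SDSL code from the thesis: `enforce`, `denyProperty`, `callLimit`, `PolicyViolation` and the sample `api` object are hypothetical names chosen for illustration.

```javascript
// Added illustration; every name here is hypothetical and is not SDSL syntax.
class PolicyViolation extends Error {}

// Stateless policy: any access to the named property is refused.
const denyProperty = (name) => () => ({
  check(op, prop) {
    if (prop === name) throw new PolicyViolation(`${op} on "${name}" denied`);
  },
});

// Stateful policy: the named method may be invoked at most `max` times.
const callLimit = (name, max) => () => {
  let calls = 0;
  return {
    check(op, prop) {
      if (op === "call" && prop === name && ++calls > max)
        throw new PolicyViolation(`"${name}" exceeded ${max} calls`);
    },
  };
};

// Wrap target in a Proxy whose traps consult every policy before forwarding.
function enforce(target, factories) {
  const policies = factories.map((make) => make()); // fresh state per wrapped object
  const check = (op, prop) => policies.forEach((p) => p.check(op, prop));
  return new Proxy(target, {
    get(obj, prop) {
      check("get", prop);
      const value = Reflect.get(obj, prop);
      if (typeof value !== "function") return value;
      // Hand out a wrapper so the invocation itself is mediated as well.
      return (...args) => { check("call", prop); return value.apply(obj, args); };
    },
    set(obj, prop, value) { check("set", prop); return Reflect.set(obj, prop, value); },
    // Close the descriptor side channel that would otherwise bypass the get trap.
    getOwnPropertyDescriptor(obj, prop) {
      check("get", prop);
      return Reflect.getOwnPropertyDescriptor(obj, prop);
    },
  });
}

// Constructed sample: a client object that uses a secret internally.
function demo() {
  const api = { token: "constructed-secret", sent: [], send(m) { return this.sent.push(m); } };
  const guarded = enforce(api, [denyProperty("token"), callLimit("send", 2)]);
  const attempt = (fn) => { try { return fn(); } catch (e) { return e instanceof PolicyViolation ? "denied" : "error"; } };
  return [() => guarded.send("a"), () => guarded.send("b"), () => guarded.send("c"), () => guarded.token].map(attempt);
}
console.log(demo());
```

Methods run with the unwrapped target as `this`, so `send` can still use state internally while callers holding only the proxy cannot read `token`. Non-function values such as `sent` are returned unwrapped; mediating nested objects would require wrapping them too.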
Date of Award: 5 Sep 2016
Supervisor: Elisa Gonzalez Boix (Promotor) & Angel Luis Scull Pupo (Advisor)
