STATIC VERIFICATION OF DYNAMIC SECURITY POLICIES

Scriptie/masterproef: Master's Thesis

Uittreksel

Today the web is composed of mashups which are web applications build from multiple resources. The inclusion mechanism proposed by the browser to in- clude third-party JavaScript resources within mashups is inflexible. Every imported resource receives the same privilege as the code of the host applica- tion itself. As a consequence, imported resources have access to sensitive in- formation and security-relevant browser’s APIs, which can be used to exploit vulnerabilities to perform attacks. In an attempt to protect against these attacks, browsers have multiple built-in security policies. Unfortunately, browser-level security policies can be bypassed and contain multiple flaws, which leaves the browser environment insecure. This is why application-level security policies are required.
The JavaScript security literature contains a plentitude of frameworks to enforce or verify application-level security policies. Dynamic frameworks that employ runtime policy enforcement without requiring runtime modifications have the advantage of being portable and precise. But, this type of enforce- ment mechanism implies a runtime overhead and is limited by browser-level security policies. On the other hand, static policy verification frameworks do not introduce runtime overhead and are not limited by browser-level security policies. These frameworks, however, work with a finite program representa- tion, which results in precision loss and creates false positives.
This dissertation presents an approach to statically verify dynamic security policies and combine static verification with runtime enforcement. The resulting hybrid approach makes it possible to specify security policies, verify these policies statically over an abstract program representation, and only enforce at runtime those policies which could not be verified statically. The hybrid approach therefore combines the advantages of both static and dynamic approaches.
Datum Prijs30 jun 2017
TaalEnglish
BegeleiderCoen De Roover (Promotor), Elisa Gonzalez Boix (Promotor), Jens Nicolay (Advisor) & Angel Luis Scull Pupo (Advisor)

Keywords

  • JavaScript
  • program analysis
  • static analysis
  • Security
  • Programming Languages
  • access control

Citeer dit

'