Towards Fine-Grained Access Control in JavaScript Contexts

Bibliographic Details
Published in: 2011 31st International Conference on Distributed Computing Systems, pp. 720-729
Main Authors: Patil, K., Xinshu Dong, Xiaolei Li, Zhenkai Liang, Xuxian Jiang
Format: Conference Proceeding
Language: English
Published: IEEE 01-06-2011
Description
Summary: A typical Web 2.0 application usually includes JavaScript from various sources with different trust. It is critical to properly regulate JavaScript's access to web application resources. Unfortunately, existing protection mechanisms in web browsers do not provide enough granularity in JavaScript access control. Specifically, existing solutions partially mitigate this sort of threat by only providing access control for certain types of JavaScript objects, or by unnecessarily restricting the functionality of untrusted JavaScript. In this paper, we systematically analyze the complete access control requirements in a web browser's JavaScript environment and identify the fundamental lack of fine-grained JavaScript access control mechanisms in modern web browsers. As our solution, we propose a reference monitor called JCShadow that enables fine-grained access control in JavaScript contexts without unnecessarily restricting the functionality of JavaScript. We have developed a proof-of-concept prototype in the Mozilla Firefox browser and the evaluation with real-world attacks indicates that JCShadow effectively prevents such attacks with low performance overhead.
ISBN: 1612843840, 9781612843841
ISSN: 1063-6927, 2575-8411
DOI: 10.1109/ICDCS.2011.87