Embedding of Security Components in Untrusted Third-Party Websites

Abstract : Security-sensitive components, such as single sign-on APIs, need to be safely deployed on untrusted webpages. We present several new attacks on security components used in popular web applications that demonstrate how failing to isolate such components leaves them vulnerable to attacks both from the hosting website and other components loaded on the same page. These attacks are not prevented by browser security mechanisms alone, because they are caused by code interacting within the same origin. To mitigate these attacks, we propose to combine fine-grained component isolation at the JavaScript level with cryptographic mechanisms. We present Defensive JavaScript (DJS), a subset of the language that guarantees the behavioral integrity of trusted scripts loaded in an untrusted page. We give a sound type system, type inference tool and build defensive libraries for cryptography and data encodings. We show the effectiveness of our solution by implementing several isolation patterns that fix some of our original attacks. We use a translation of a fragment of DJS to to applied pi-calculus to verify concrete security policies of critical components against various classes of web attackers.
Document type :
Reports
Liste complète des métadonnées

Cited literature [31 references]  Display  Hide  Download

https://hal.inria.fr/hal-00815800
Contributor : Antoine Delignat-Lavaud <>
Submitted on : Friday, April 19, 2013 - 1:37:23 PM
Last modification on : Friday, May 25, 2018 - 12:02:06 PM
Document(s) archivé(s) le : Saturday, July 20, 2013 - 4:02:24 AM

File

tech.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-00815800, version 1

Collections

Citation

Antoine Delignat-Lavaud, Karthikeyan Bhargavan, Sergio Maffeis. Embedding of Security Components in Untrusted Third-Party Websites. [Research Report] RR-8285, INRIA. 2013, pp.32. ⟨hal-00815800⟩

Share

Metrics

Record views

386

Files downloads

941