Language-Based Defenses Against Untrusted Browser Origins

Abstract: We present new attacks and robust countermeasures for security-sensitive components, such as single sign-on APIs and client-side cryptographic libraries, that need to be safely deployed on untrusted web pages. We show how failing to isolate such components leaves them vulnerable to attacks both from the hosting website and other components running on the same page. These attacks are not prevented by browser security mechanisms alone, because they are caused by code interacting within the same origin. To mitigate these attacks, we propose to combine fine-grained component isolation at the JavaScript level with cryptographic mechanisms. We present Defensive JavaScript (DJS), a subset of the language that guarantees the behavior integrity of scripts even when loaded in a hostile environment. We give a sound type system, type inference tool, and build defensive libraries for cryptography and data encodings. We show the effectiveness of our solution by implementing several applications using defensive patterns that fix some of our original attacks. We present a model extraction tool to analyze the security properties of our applications using a cryptographic protocol verifier.
Document type:
Conference paper
Proceedings of the 22th USENIX Security Symposium, Aug 2013, Washington, D.C., United States. 2013

Cited literature [42 references]
Contributor: Ben Smyth
Submitted on: Monday, April 4, 2016 - 14:49:44
Last modified on: Friday, May 25, 2018 - 12:02:06
Document(s) archived on: Monday, November 14, 2016 - 15:57:07


Files produced by the author(s)


  • HAL Id: hal-00863372, version 1



Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Sergio Maffeis. Language-Based Defenses Against Untrusted Browser Origins. Proceedings of the 22th USENIX Security Symposium, Aug 2013, Washington, D.C., United States. 2013. 〈hal-00863372〉


