Survey on JavaScript Security Policies and their Enforcement Mechanisms in a Web Browser

Nataliia Bielova 1
1 CELTIQUE - Software certification with semantic analysis
IRISA-D4 - LANGAGE ET GÉNIE LOGICIEL, Inria Rennes – Bretagne Atlantique
Abstract: We observe a rapid growth of web-based applications every day. These applications are executed in the web browser, where they interact with a variety of information belonging to the user. The dynamism of web applications is provided by the use of web scripts, and in particular JavaScript, that accesses this information through a browser-provided set of APIs. Unfortunately, some of the scripts use the given functionality in malicious ways. Over the last decade, a substantial number of web-based attacks that violate user's privacy and security have been detected. For this reason, web script security has been an active area of research. Both computer security researchers and web developers have proposed a number of techniques to enforce different security and privacy policies in the web browser. Among all the works on web browser security, we survey dynamic techniques based on runtime monitoring as well as secure information flow techniques. We then combine and compare the security and privacy policies they enforce, and the way the enforcement is done. We target two groups of readers: 1) for computer security researchers we propose an overview of security-relevant components of the web browser and the security policies based on these components, we also show how well-known enforcement techniques are applied in a web browser setting; 2) for web developers we propose a classification of security policies, comparison of existing enforcement mechanisms proposed in the literature and explanation of formal guarantees that they provide.
Document type:
Journal article
Journal of Logic and Algebraic Programming, Elsevier, 2013, Automated Specification and Verification of Web Systems, 82 (8), pp.243-262. 〈10.1016/j.jlap.2013.05.001〉

https://hal.inria.fr/hal-00932730
Contributor: Nataliia Bielova
Submitted on: Friday, 17 January 2014 - 15:37:38
Last modified on: Thursday, 22 February 2018 - 01:24:47

Citation

Nataliia Bielova. Survey on JavaScript Security Policies and their Enforcement Mechanisms in a Web Browser. Journal of Logic and Algebraic Programming, Elsevier, 2013, Automated Specification and Verification of Web Systems, 82 (8), pp.243-262. 〈10.1016/j.jlap.2013.05.001〉. 〈hal-00932730〉

Metrics

Record views

221