JavaScript Heap Analysis: From Exploiting Browsers to Building Safe JavaScript Subsets
Joel Weinberger

Citation
Joel Weinberger. "JavaScript Heap Analysis: From Exploiting Browsers to Building Safe JavaScript Subsets". Talk or presentation, 30, November, 2009.

Abstract
Many JavaScript security issues revolve around the delicacy of the same-origin policy. The basic concern is that information from one origin should not leak to another. We develop a technique that uses JavaScript heap analysis to analyze the behavior of different origins on the heap and identify a new class of vulnerabilities which we call “cross-origin JavaScript capability leaks”. We discover several instances of these vulnerabilities and propose a solution to mitigate them in web browsers. Additionally, we use these techniques to identify problems in safe JavaScript subsets. In particular, we discuss ADsafe and several problems identified with it and propose an alternative safe JavaScript subset with the same properties but more security guarantees.

Citation formats  
  • HTML
    Joel Weinberger. <a
    href="http://www.truststc.org/pubs/642.html"
    ><i>JavaScript Heap Analysis: From Exploiting
    Browsers to Building Safe JavaScript
    Subsets</i></a>, Talk or presentation,  30,
    November, 2009.
  • Plain text
    Joel Weinberger. "JavaScript Heap Analysis: From
    Exploiting Browsers to Building Safe JavaScript
    Subsets". Talk or presentation,  30, November, 2009.
  • BibTeX
    @presentation{Weinberger09_JavaScriptHeapAnalysisFromExploitingBrowsersToBuilding,
        author = {Joel Weinberger},
        title = {JavaScript Heap Analysis: From Exploiting Browsers
                  to Building Safe JavaScript Subsets},
        day = {30},
        month = {November},
        year = {2009},
        abstract = {Many JavaScript security issues revolve around the
                  delicacy of the same-origin policy. The basic
                  concern is that information from one origin should
                  not leak to another. We develop a technique that
                  uses JavaScript heap analysis to analyze the
                  behavior of different origins on the heap and
                  identify a new class of vulnerabilities which we
                  call “cross-origin JavaScript capability
                  leaks”. We discover several instances of these
                  vulnerabilities and propose a solution to mitigate
                  them in web browsers. Additionally, we use these
                  techniques to identify problems in safe JavaScript
                  subsets. In particular, we discuss ADsafe and
                  several problems identified with it and propose an
                  alternative safe JavaScript subset with the same
                  properties but more security guarantees.},
        URL = {http://www.truststc.org/pubs/642.html}
    }
    

Posted by Larry Rohrbough on 5 Nov 2009.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.
