Automated Analysis of Security-Critical JavaScript APIs

Taly, Ankur; Erlingsson, Úlfar; Mitchell, John C.; Miller, Mark S.; Nagra, Jasvir

doi:10.1109/sp.2011.39

Cited by 83 publications

(58 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They found several new bugs in the implementation of AdSafe, a web sandbox by Yahoo. Concurrent with AdSafety, Taly et al [33] also studies JavaScript reference monitors and devises a restricted version of the JavaScript language. They then develop a tool that can soundly prove that an API cannot be circumvented or subverted, hence ensuring the robustness of sandbox protection.…”

Section: Protectionmentioning

confidence: 99%

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tran

Dong

Liang

et al. 2012

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. JavaScript-based applications are very popular on the web today. However, the lack of effective protection makes various kinds of privacy violation attack possible, including cookie stealing, history sniffing and behavior tracking. There have been studies of the prevalence of such attacks, but the dynamic nature of the JavaScript language makes reasoning about the information flows in a web application a challenging task. Previous small-scale studies do not present a complete picture of privacy violations of today's web, especially in the context of Internet advertisements and web analytics. In this paper we present a novel, fast and scalable architecture to address the shortcomings of previous work. Specifically, we have developed a novel technique called principal-based tainting that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead. We have crawled and measured more than one million websites. Our findings show that privacy attacks are more prevalent and serious than previously known.

show abstract

Section: Protectionmentioning

confidence: 99%

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tran

Dong

Liang

et al. 2012

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…For instance, SES [43], one promising approach with solid theoretical foundations, can now be implemented in about 200 lines of JavaScript. Though SES is not compatible with popular JavaScript libraries such as jQuery, this may well change.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

Hails: Protecting data privacy in untrusted web applications

Giffin

Levy

Stefan

et al. 2017

JCS

View full text Add to dashboard Cite

Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party "app" have little control over what it does with their private data. Today's platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.

show abstract

“…More recent work has used Proverif to model the properties of so-called "safe" cloud storage providers via the Web [4], verifying subsets of Javascript [39], and interactive proofs of security properties of Web applications [30]. However, none of these previous works were aimed at the Web Cryptography API.…”

Section: Formal Modeling Literature Reviewmentioning

confidence: 99%

Security Analysis of the W3C Web Cryptography API

Cairns

Halpin

Steel

2016

Security Standardisation Research

View full text Add to dashboard Cite

Abstract. Due to the success of formal modeling of protocols such as TLS, there is a revival of interest in applying formal modeling to standardized APIs. We argue that formal modeling should happen as the standard is being developed (not afterwards) as it can detect complex or even simple attacks that the standardization group may not otherwise detect. As a case example of this, we discuss in detail the W3C Web Cryptography API. We demonstrate how a formal analysis of the API using the modeling language AVISPA with a SAT solver demonstrates that while the API has no errors in basic API operations and maintains its security properties for the most part, there are nonetheless attacks on secret key material due to how key wrapping and usages are implemented. Furthermore, there were a number of basic problems in terms of algorithm selection and a weakness that led to a padding attack. The results of this study led to the removal of algorithms before its completed standardization and the removal of the padding attack via normalization of error codes, although the key wrapping attack is still open. We expect this sort of formal methodology to be applied to new standardization efforts at the W3C such as the W3C Web Authentication API.

show abstract

Automated Analysis of Security-Critical JavaScript APIs

Cited by 83 publications

References 32 publications

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Hails: Protecting data privacy in untrusted web applications

Security Analysis of the W3C Web Cryptography API

Contact Info

Product

Resources

About