GUARDIA: Specification and Enforcement of Javascript Security Policies Without VM Modifications

Title: GUARDIA: Specification and Enforcement of Javascript Security Policies Without VM Modifications
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Pupo, Angel Luis Scull; Nicolay, Jens; Boix, Elisa Gonzalez
Conference Name: Proceedings of the 15th International Conference on Managed Languages & Runtimes
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-6424-9
Keywords: DSL, JavaScript, language design, policy-based governance, pubcrawl, reflection, runtime enforcement, security policies, security policy, web security
Abstract: The complex architecture of browser technologies and the dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because they are difficult to apply correctly and can be bypassed. As a result, they need to be complemented by application-level security policies. In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia's enforcement mechanism, built on JavaScript reflection, with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.
URL: http://doi.acm.org/10.1145/3237009.3237025
DOI: 10.1145/3237009.3237025
Citation Key: pupo_guardia:_2018