Visible to the public Biblio

Filters: Author is Boix, Elisa Gonzalez  [Clear All Filters]
2019-06-17
Pupo, Angel Luis Scull, Nicolay, Jens, Boix, Elisa Gonzalez.  2018.  GUARDIA: Specification and Enforcement of Javascript Security Policies Without VM Modifications. Proceedings of the 15th International Conference on Managed Languages & Runtimes. :17:1–17:15.
The complex architecture of browser technologies and dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because it is difficult to apply them correctly and they can be bypassed. As a result, they need to be completed by application-level security policies. In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia enforcement mechanism by means of JavaScript reflection with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.