• Documents
  • Authors
  • Tables
  • Algorithms
  • Log in
  • Sign up
  • MetaCart

CiteSeerX logo

Advanced Search Include Citations
Advanced Search Include Citations | Disambiguate

Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense

Cached

  • Download as a PDF

Download Links

  • [www.adambarth.com]
  • [www.adambarth.org]
  • [www.usenix.org]
  • [www.eecs.berkeley.edu]
  • [nslab.kaist.ac.kr]
  • [www.usenix.org]
  • [www.cs.berkeley.edu]
  • [www.cs.berkeley.edu]
  • [www.usenix.org]
  • [www.usenix.org]
  • [www.usenix.org]
  • [www.usenix.org]
  • [pdg.lbl.gov]

  • Save to List
  • Add to Collection
  • Correct Errors
  • Monitor Changes
by Adam Barth , Joel Weinberger , Dawn Song
Citations:16 - 4 self
  • Summary
  • Active Bibliography
  • Co-citation
  • Clustered Documents
  • Version History

BibTeX

@MISC{Barth_cross-originjavascript,
    author = {Adam Barth and Joel Weinberger and Dawn Song},
    title = {Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense},
    year = {}
}

Bookmark

citeulike Connotea Bibsonomy Del.icio.us Digg Reddit

OpenURL

 

Abstract

We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. We devise an algorithm for detecting these vulnerabilities by monitoring the “points-to ” relation of the JavaScript heap. Our algorithm finds a number of new vulnerabilities in the opensource WebKit browser engine used by Safari. We propose an approach to mitigate this class of vulnerabilities by adding access control checks to browser JavaScript engines. These access control checks are backwardscompatible because they do not alter semantics of the Web platform. Through an application of the inline cache, we implement these checks with an overhead of 1–2 % on industry-standard benchmarks. 1

Citations

187 Amoeba: a distributed operating system for the 1990s - MULLENDER, ROSSUM, et al. - 1990
163 EROS: a fast capability system - Shapiro, Smith, et al. - 1999
67 Secure Web Browsing with the OP Web Browser - Grier, Tang, et al. - 2008
66 Keykos architecture - Hardy
51 The confused deputy: (or why capabilities might have been invented - HARDY - 1988
45 Securing frame communication in browsers - Barth, Jackson, et al. - 2008
43 Subspace: secure cross-domain communication for web mashups - Jackson, Wang - 2007
24 An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism - Chen, Ross, et al. - 2007
6 and Ankur Taly. An operational semantics for JavaScript - Maffeis, Mitchell - 2008
3 Clickjacking: Web pages can see and hear you - Grossman - 2008
3 Protection and access control in operating systems. Operating Systems: Infotech State of the Art Report - Lampson - 1972
2 A theory of taming - Miller
2 XPConnect wrappers. http://developer.mozilla.org/en/ docs/XPConnect_wrappers - Mozilla
2 Introducing SquirrelFish Extreme - Stachowiak - 2008
The National Science Foundation
  • About CiteSeerX
  • Submit Documents
  • Privacy Policy
  • Help
  • Data
  • Source
  • Contact Us

Developed at and hosted by The College of Information Sciences and Technology

© 2007-2013 The Pennsylvania State University