• Documents
  • Authors
  • Tables
  • Log in
  • Sign up
  • MetaCart

CiteSeerX logo

Advanced Search Include Citations
Advanced Search Include Citations | Disambiguate

Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense

Cached

  • Download as a PDF

Download Links

  • [www.adambarth.com]
  • [www.adambarth.org]
  • [www.usenix.org]
  • [www.eecs.berkeley.edu]
  • [nslab.kaist.ac.kr]
  • [www.usenix.org]
  • [www.cs.berkeley.edu]
  • [www.cs.berkeley.edu]
  • [www.usenix.org]
  • [www.usenix.org]
  • [www.usenix.org]
  • [www.usenix.org]
  • [static.usenix.org]
  • [static.usenix.org]
  • [pdg.lbl.gov]

  • Save to List
  • Add to Collection
  • Correct Errors
  • Monitor Changes
by Adam Barth , Joel Weinberger , Dawn Song
Citations:16 - 4 self
  • Summary
  • Active Bibliography
  • Co-citation
  • Clustered Documents
  • Version History

BibTeX

@MISC{Barth_cross-originjavascript,
    author = {Adam Barth and Joel Weinberger and Dawn Song},
    title = {Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense},
    year = {}
}

Bookmark

citeulike Connotea Bibsonomy Del.icio.us Digg Reddit

OpenURL

 

Abstract

We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. We devise an algorithm for detecting these vulnerabilities by monitoring the “points-to ” relation of the JavaScript heap. Our algorithm finds a number of new vulnerabilities in the opensource WebKit browser engine used by Safari. We propose an approach to mitigate this class of vulnerabilities by adding access control checks to browser JavaScript engines. These access control checks are backwardscompatible because they do not alter semantics of the Web platform. Through an application of the inline cache, we implement these checks with an overhead of 1–2 % on industry-standard benchmarks. 1

Citations

188 Amoeba: A distributed operating system for the 1990s - Mullender, Rossum, et al. - 1990
168 EROS: a fast capability system - Shapiro, Smith, et al. - 1999
68 Secure web browsing with the op web browser - Grier, Tang, et al.
68 The KeyKOS architecture - Hardy - 1985
56 The confused deputy: (or why capabilities might have been invented - HARDY - 1988
49 Securing frame communication in browsers - Barth, Jackson, et al.
48 Subspace: Secure cross-domain communication for web mashups - Jackson, Wang
25 An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism - Chen, Ross, et al. - 2007
9 and Ankur Taly. An operational semantics for JavaScript - Maffeis, Mitchell - 2008
5 Protection and Access Control in Operating Systems - Lampson - 1972
3 Clickjacking: Web pages can see and hear you - Grossman - 2008
2 A theory of taming - Miller
2 XPConnect wrappers. http://developer.mozilla.org/en/ docs/XPConnect_wrappers - Mozilla
2 Introducing SquirrelFish Extreme - Stachowiak - 2008
The National Science Foundation
  • About CiteSeerX
  • Submit Documents
  • Privacy Policy
  • Help
  • Data
  • Source
  • Contact Us

Developed at and hosted by The College of Information Sciences and Technology

© 2007-2013 The Pennsylvania State University