Annual Computer Security Applications Conference 2015

JaTE: Transparent and Efficient JavaScript Confinement

The inclusion of third-party scripts is now common practice, even on major sites handling sensitive data. The default browser security policies are ill-suited for securing web sites from vulnerable or malicious third-party scripts: the choice is between full privilege (<script>) and isolation (<iframe>), with nearly all use cases (advertisement, libraries, analytics, etc.) requiring the former. Previous work attempted to bridge the gap between the two alternatives, but all the solutions were plagued by one or more of the following problems: (a) lack of transparency, causing most existing third-party scripts to fail, (b) excessive performance overheads, and (c) requiring changes to web browsers. For these reasons, confinement of JavaScript code suitable for widespread deployment is still an open problem.

Our solution, JaTE, has none of the above shortcomings. JaTE is ready for deployment on any web site, while imposing a relatively low overhead of about 25%, even on web pages that include about a megabyte of minified JavaScript code.

Author(s):

Tung Tran    
Stony Brook University
United States

Riccardo Pelizzi    
Stony Brook University
United States

R. Sekar    
Stony Brook University
United States

 
