Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

JSand: Complete Client-Side Sandboxing of Third-Party JavaScript without Browser Modifications

Presentation
View File
pdf
2.7MB
Paper
View File
pdf
273KB

Pieter Agten
IBBT-Distrinet, KU Leuven
Belgium

Steven Van Acker
IBBT-Distrinet, KU Leuven
Belgium

Yoran Brondsema
IBBT-Distrinet, KU Leuven
Belgium

Phu H. Phung
Chalmers University of Technology
Sweden

Lieven Desmet
IBBT-Distrinet, KU Leuven
Belgium

Frank Piessens
IBBT-Distrinet, KU Leuven
Belgium

Abstract:
The inclusion of third-party scripts in web pages is common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.

We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client-side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.

We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

 

Powered by OpenConf®
Copyright ©2002-2012 Zakon Group LLC