Full Program »
JaTE: Transparent and Efficient JavaScript Confinement
Presentation 7.1MB |
even on major sites handling sensitive data. The default
browser security policies are ill-suited for securing web sites
from vulnerable or malicious third-party scripts: the choice
is between full privilege (<script>) and isolation (<iframe>),
with nearly all use cases (advertisement, libraries, analytics,
etc.) requiring the former. Previous work attempted to
bridge the gap between the two alternatives, but all the solutions
were plagued by one or more of the following problems:
(a) lack of transparency, causing most existing third-party
scripts to fail (b) excessive performance overheads, and (c)
requiring changes to web browsers. For these reasons, con-
finement of JavaScript code suitable for widespread deploy-
ment is still an open problem.
Our solution, JaTE, has none of the above shortcomings.
JaTE is ready for deployment on any web site, while im-
posing a relatively low overhead of about 25%, even on web
pages that include about a megabyte of minified JavaScript
code.
Author(s):
Tung Tran
Stony Brook University
United States
Riccardo Pelizzi
Stony Brook University
United States
R. Sekar
Stony Brook University
United States