Virtual browser: A virtualized browser to sandbox third-party JavaScripts with enhanced security

Yinzhi Cao*, Zhichun Li, Vaibhav Rastogi, Yan Chen, Xitao Wen

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Scopus citations

Abstract

Third party JavaScripts not only offer much richer features to the web and its applications but also introduce new threats. These scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all existing approaches without native sandbox support can secure only a subset of third party JavaScripts, and they are vulnerable to attacks encoded in non-standard HTML/JavaScript (browser quirks) as these approaches will parse third party JavaScripts independently at server side without considering client-side non-standard parsing quirks. At the same time, native sandboxes are vulnerable to attacks based on unknown native JavaScript engine bugs. In this paper, we propose Virtual Browser, a full browser-level virtualized environment within existing browsers for executing untrusted third party code. Our approach supports more complete JavaScript language features including those hard-to-secure functions, such as with and eval. Since Virtual Browser does not rely on native browser parsing behavior, there is no possibility of attacks being executed through browser quirks. Moreover, given the third-party JavaScripts are running in Virtual Browser instead of native browsers, it is harder for the attackers to exploit unknown vulnerabilities in the native JavaScript engine. In our design, we first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security. The evaluation of the Virtual Browser prototype shows that our execution speed is the same as Microsoft Web Sandbox [5], a state-of-the-art runtime web-level sandbox. In addition, Virtual Browser is more secure and supports more complete JavaScript for third party JavaScript development.

Original language: English (US)
Title of host publication: ASIACCS 2012 - 7th ACM Symposium on Information, Computer and Communications Security
Pages: 8-9
Number of pages: 2
State: Published - Dec 1 2012
Event: 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2012 - Seoul, Korea, Republic of
Duration: May 2 2012 to May 4 2012

Publication series

Name: ASIACCS 2012 - 7th ACM Symposium on Information, Computer and Communications Security

Other

Other: 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2012
Country: Korea, Republic of
City: Seoul
Period: 5/2/12 to 5/4/12

Keywords

  • Third-party JavaScript
  • Virtualization
  • Web Security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
