Virtual browser: A Web-level sandbox to secure third-party JavaScript without sacrificing functionality

Yinzhi Cao*, Zhichun Li, Vaibhav Rastogi, Yan Chen

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations

Abstract

Third-party JavaScript offers much more diversity to Web and its applications but also introduces new threats. Those scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all the existing works in this area can secure only a subset of third-party JavaScript. At the same time, because of the existence of not so well documented browser quirks, attacks may be encoded in non standard HTML/JavaScript so that they can bypass existing approaches as these approaches will parse third-party JavaScript twice, at both server and clint side. In this paper, we propose Virtual Browser, a completely virtual-ized environment within existing browsers for executing untrusted third-party code. We secure complete JavaScript, including all the hard-to-secure functions of JavaScript programs, such as with and eval. Since this approach parses scripts only once, there is no pos-sibility of attacks being executed through browser quirks. We first completely isolate Virtual Browser from the native browser com-ponents and then introduce communication by adding data flows carefully examined for security.

Original languageEnglish (US)
Title of host publicationCCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
Pages654-656
Number of pages3
DOIs
StatePublished - Dec 16 2010
Event17th ACM Conference on Computer and Communications Security, CCS'10 - Chicago, IL, United States
Duration: Oct 4 2010Oct 8 2010

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Other

Other17th ACM Conference on Computer and Communications Security, CCS'10
CountryUnited States
CityChicago, IL
Period10/4/1010/8/10

Keywords

  • Third-party JavaScript
  • Virtualization
  • Web security

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Virtual browser: A Web-level sandbox to secure third-party JavaScript without sacrificing functionality'. Together they form a unique fingerprint.

Cite this