TY - GEN
T1 - Virtual browser
T2 - 17th ACM Conference on Computer and Communications Security, CCS'10
AU - Cao, Yinzhi
AU - Li, Zhichun
AU - Rastogi, Vaibhav
AU - Chen, Yan
PY - 2010/12/16
Y1 - 2010/12/16
N2 - Third-party JavaScript offers much more diversity to Web and its applications but also introduces new threats. Those scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all the existing works in this area can secure only a subset of third-party JavaScript. At the same time, because of the existence of not so well documented browser quirks, attacks may be encoded in non-standard HTML/JavaScript so that they can bypass existing approaches as these approaches will parse third-party JavaScript twice, at both server and client side. In this paper, we propose Virtual Browser, a completely virtualized environment within existing browsers for executing untrusted third-party code. We secure complete JavaScript, including all the hard-to-secure functions of JavaScript programs, such as with and eval. Since this approach parses scripts only once, there is no possibility of attacks being executed through browser quirks. We first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security.
AB - Third-party JavaScript offers much more diversity to Web and its applications but also introduces new threats. Those scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all the existing works in this area can secure only a subset of third-party JavaScript. At the same time, because of the existence of not so well documented browser quirks, attacks may be encoded in non-standard HTML/JavaScript so that they can bypass existing approaches as these approaches will parse third-party JavaScript twice, at both server and client side. In this paper, we propose Virtual Browser, a completely virtualized environment within existing browsers for executing untrusted third-party code. We secure complete JavaScript, including all the hard-to-secure functions of JavaScript programs, such as with and eval. Since this approach parses scripts only once, there is no possibility of attacks being executed through browser quirks. We first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security.
KW - Third-party JavaScript
KW - Virtualization
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=78650014083&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78650014083&partnerID=8YFLogxK
U2 - 10.1145/1866307.1866387
DO - 10.1145/1866307.1866387
M3 - Conference contribution
AN - SCOPUS:78650014083
SN - 9781450302449
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 654
EP - 656
BT - CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
Y2 - 4 October 2010 through 8 October 2010
ER -