Declaratively Specifying Security Policies For Web Applications
The complex architecture of browser technologies and the dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level policies alone, such as Content Security Policy and Same-Origin Policy, are not sufficient because they are implemented inconsistently across browsers and can be bypassed. At the application level, however, there exists no specification language for expressing a wide range of security policies in a composable and reusable manner. In this paper we develop a declarative language for encoding and combining security policies in the context of JavaScript web applications. We explore JavaScript's reflection capabilities to enforce these security policies dynamically. We validate our work by expressing common security policies encountered in the literature.
Paper: meta16-final6.pdf (208 KiB)
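To make the approach in the abstract concrete (policies as composable declarations, enforced at run time through JavaScript's reflection API), here is an added example that is not the paper's own language or implementation; the policy records, the `app` object and the host allow-list are constructed for the demonstration.

```javascript
// Added example (not the paper's own language or tool): security policies as plain
// data records, composed into a list and enforced at run time through JavaScript's
// reflection API (Proxy/Reflect). Policy names, `app` and the allow-list are constructed.
const policy = (name, trap, violates) => ({ name, trap, violates }); // trap: 'get' | 'call'
const compose = (...policies) => policies.flat();            // reuse by composition

const ALLOWED_HOSTS = new Set(['api.example.test']);        // constructed allow-list
const noSecretRead = policy('no-secret-read', 'get',
  (obj, prop) => typeof prop === 'string' && /secret/i.test(prop));
const onlyAllowedHosts = policy('only-allowed-hosts', 'call',
  (obj, prop, args) => prop === 'send' && !ALLOWED_HOSTS.has(new URL(args[0]).hostname));

// Wrap `obj` so each property read and method call through the proxy is checked;
// a violating operation is blocked (returns undefined) and recorded in `log`.
function enforce(obj, policies, log) {
  const allowed = (trap, ...ctx) => {
    const hits = policies.filter(p => p.trap === trap && p.violates(...ctx));
    hits.forEach(p => log.push({ policy: p.name, trap, prop: String(ctx[1]) }));
    return hits.length === 0;
  };
  return new Proxy(obj, {
    get(target, prop, receiver) {
      if (!allowed('get', target, prop)) return undefined;
      const value = Reflect.get(target, prop, receiver);
      if (typeof value !== 'function') return value;
      return new Proxy(value, {            // methods are wrapped so calls are mediated
        apply(fn, thisArg, args) {
          if (!allowed('call', target, prop, args)) return undefined;
          return Reflect.apply(fn, thisArg, args);
        },
      });
    },
  });
}

// Constructed application object and one run of the composed policies against it.
function demo() {
  const log = [];
  const app = { user: 'alice', sessionSecret: 'constructed-secret-value',
    send(url, body) { return `sent ${body.length} bytes to ${url}`; } };
  const guarded = enforce(app, compose(noSecretRead, onlyAllowedHosts), log);
  const results = [
    guarded.user,                                       // 'alice'
    guarded.sessionSecret,                              // undefined: blocked
    guarded.send('https://api.example.test/v1', 'hi'),  // 'sent 2 bytes to ...'
    guarded.send('https://evil.test/x', 'hi'),          // undefined: blocked
  ];
  return { results, log };
}
```

Because the guarded object is reached only through the proxy, code that holds a reference to the raw `app` bypasses the policies; in practice the wrapping has to happen where the object is created or handed out.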
Session: Sun 30 Oct, 13:30 - 15:10 (time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

13:30 (30 min talk) - Declaratively Specifying Security Policies For Web Applications (META). Angel Luis Scull Pupo (Software Languages Lab, Vrije Universiteit Brussel), Jens Nicolay (Vrije Universiteit Brussel, Belgium), Elisa Gonzalez Boix (Vrije Universiteit Brussel)
14:00 (30 min talk) - Virtual Values for Taint and Information Flow Analysis (META). Prakasam Kannan (San Jose State University), Thomas H. Austin, Mark Stamp (San Jose State University), Tim Disney, Cormac Flanagan (University of California, Santa Cruz)
14:30 (30 min talk) - Capability Safe Reflection for the Wyvern Language (META)