Skip to main content
SpringerLink
Log in

An Architecture for Enforcing JavaScript Randomization in Web2.0 Applications

  • Conference paper
Information Security (ISC 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6531))

Included in the following conference series:

Abstract

Instruction Set Randomization (ISR) is a promising technique for preventing code-injection attacks. In this paper we present a complete randomization framework for JavaScript aiming at detecting and preventing Cross-Site Scripting (XSS) attacks. RaJa randomizes JavaScript source without changing the code structure. Only JavaScript identifiers are carefully modified and the randomized code can be mixed with many other programming languages. Thus, RaJa can be practically deployed in existing web applications, which intermix server-side, client-side and markup languages.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. LD_PRELOAD Feature. See man page of LD.SO(8)

    Google Scholar 

  2. SpiderMonkey (JavaScript-C) Engine, http://www.mozilla.org/js/spidermonkey/

  3. Athanasopoulos, E., Pappas, V., Krithinakis, A., Ligouras, S., Markatos, E.P.: xJS: Practical XSS Prevention for Web Application Development. In: Proceedings of the 1st USENIX WebApps Conference, Boston, US (June 2010)

    Google Scholar 

  4. Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  5. E. ECMA. 357: ECMAScript for XML (E4X) Specification. ECMA (European Association for Standardizing Information and Communication Systems), Geneva, Switzerland (2004)

    Google Scholar 

  6. Van Gundy, M., Chen, H.: Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 8-11 (2009)

    Google Scholar 

  7. Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 601–610. ACM, New York (2007)

    Google Scholar 

  8. Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering Code-Injection Attacks with Instruction-Set Randomization. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 272–280. ACM, New York (2003)

    Google Scholar 

  9. Keromytis, A.D.: Randomized Instruction Sets and Runtime Environments Past Research and Future Directions. In: IEEE Educational Activities Department, Piscataway, NJ, USA, vol. (1), pp. 18–25 (2009)

    Google Scholar 

  10. Krithinakis, A., Athanasopoulos, E., Markatos, E.P.: Isolating JavaScript in Dynamic Code Environments. In: Proceedings of the 1st Workshop on Analysis and Programming Languages for Web Applications and Cloud Applications (APLWACA), co-located with PLDI, Toronto, Canada (June 2010)

    Google Scholar 

  11. Nadji, Y., Saxena, P., Song, D.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 8-11 (2009)

    Google Scholar 

  12. Nanda, S., Lam, L.C., Chiueh, T.: Dynamic Multi-Process Information Flow Tracking for Web Application Security. In: Proceedings of the 8th ACM/IFIP/USENIX International Conference on Middleware. ACM, New York (2007)

    Google Scholar 

  13. Nguyen-tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically Hardening Web Applications Using Precise Tainting. In: Proceedings of the 20th IFIP International Information Security Conference, pp. 372–382 (2005)

    Google Scholar 

  14. SANS Insitute. The Top Cyber Security Risks (September 2009), http://www.sans.org/top-cyber-security-risks/

  15. Sekar, R.: An Efficient Black-box Technique for Defeating Web Application Attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 8-11 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Institute of Computer Science, Foundation for Research and Technology, Hellas, Greece

    Elias Athanasopoulos, Antonis Krithinakis & Evangelos P. Markatos

Authors
  1. Elias Athanasopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Antonis Krithinakis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Evangelos P. Markatos
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Center for Security and Assurance in IT (C-SAIT), Department of Computer Science, Florida State University, 32306-4530, Tallahassee, FL, USA

    Mike Burmester

  2. Department of Computer Science, University of California, Irvine, 92697-3425, CA, USA

    Gene Tsudik

  3. Center for Cryptology and Information Security (CCIS), Department of Mathematical Sciences, Florida Atlantic University, 33431-0991, Boca Raton, FL, USA

    Spyros Magliveras

  4. Mathematical Sciences Department, Florida Atlantic University, 33431-0991, Boca Raton, FL, USA

    Ivana Ilić

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Athanasopoulos, E., Krithinakis, A., Markatos, E.P. (2011). An Architecture for Enforcing JavaScript Randomization in Web2.0 Applications. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds) Information Security. ISC 2010. Lecture Notes in Computer Science, vol 6531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-18178-8_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-18178-8_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-18177-1

  • Online ISBN: 978-3-642-18178-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation