8 research outputs found

    Secure and trustworthy remote JavaScript execution

    JavaScript is used more and more as a programming language to develop web applications in order to increase the user experience and application interactivity. Although JavaScript is a powerful technology that offers these characteristics, it is also a potential web application attack vector that can be exploited to impact the end-user, since it can be maliciously intercepted and modified. Today, web browsers act as worldwide open windows, executing, on a given user machine (computer, smartphone, tablet or any other), remote code. Therefore, it is important to ensure the trust on the execution of this remote code. This trust should be ensured at the JavaScript remote code producer, during transport and also locally before being executed on the end-user web-browser. In this paper, the authors propose and present a mechanism that allows the secure production and verification of web-applications JavaScript code. The paper also presents a set of tools that were developed to offer JavaScript code protection and ensure its trust at the production stage, but also a proxy-based mechanism that ensures end-users the un-modified nature and source validation of the remote JavaScript code prior to its execution by the end-user browser.

    Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS

    Android applications that use WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering with personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.

    Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content

    Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad Web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of Web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in Web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these Web platforms

    ATTACKS AND COUNTERMEASURES FOR WEBVIEW ON MOBILE SYSTEMS

    All the mainstream mobile operating systems provide a web container, called "WebView". This Web-based interface can be included as part of the mobile application to retrieve and display web contents from remote servers. WebView not only provides the same functionalities as a web browser, more importantly, it enables rich interactions between mobile apps and webpages loaded inside WebView. Through its APIs, WebView enables the two-way interaction. However, the design of WebView changes the landscape of the Web, especially from the security perspective. This dissertation conducts a comprehensive and systematic study of WebView's impact on web security, with a particular focus on identifying its fundamental causes. This dissertation discovers multiple attacks on WebView, and proposes new protection models to enhance the security of WebView. The design principles of these models are also described as well as the prototype implementation in Android platform. Evaluations are used to demonstrate the effectiveness and performance of these protection models.

    A communication module for capturing events in order to monitor a service-based automated production line

    The efficiency, reliability and on time maintenance of a manufacturing process largely relies on a highly efficient and rapidly responsive monitoring system. The increasing demand of uninterrupted continuation of a production process emphasizes the need of an efficient real time monitoring mechanism of the process. The rapid advancements of modern technology especially in the communication field have largely affected every field of daily life as well as the industrial sector. The rise of wireless communication technology has made it possible to develop wireless sensors for industrial monitoring applications and revolutionize the monitoring techniques to a greater extent. The work researches a web based monitoring approach for real time monitoring of service-oriented production assembly with 3D visualization. The implementation deals with the design and implementation of a communication framework for receiving, processing and publishing events information of a service oriented assembly line. The processed information is then linked and simulated with a 3D replica of the actual process over the web in real time. The work demonstrates the usefulness of versatile features of 3D visualization in industrial monitoring applications. The online accessibility of the monitoring application enables all concerned individuals to access and monitor the manufacturing process in real time from any remote location. The developed web application can also be simulated for a given set of historical data. Currently, the research work focuses on capturing and simulating only two types of shop floor messages (Pallet activity notification message and Robot activity equipment change state message), but can be enhanced to include more features of the robotic assembly line in future.

    Towards fine-grained access control in JavaScript contexts

    No full text
    DOI 10.1109/ICDCS.2011.87; Proceedings - International Conference on Distributed Computing Systems; 720-729; PICS

    INFORMATION SOCIETY EVOLUTION AND EFFECTS:Keynote Lecture
