1,310 research outputs found
Transparent Object Proxies for JavaScript (Artifact)
This artifact provides two prototype extensions of the SpiderMonkey JavaScript engine. Both extensions implement alternative designs for transparent proxies that are better suited for use cases such as certain contract wrappers and access restricting membranes.
The first prototype extends the proxy handler by an isTransparent trap that regulates the proxy\u27s transparency. The second prototype implements a new global object TransparentProxy that implements the constructor for transparent proxy objects
Efficient Dynamic Access Analysis Using JavaScript Proxies
JSConTest introduced the notions of effect monitoring and dynamic effect
inference for JavaScript. It enables the description of effects with path
specifications resembling regular expressions. It is implemented by an offline
source code transformation.
To overcome the limitations of the JSConTest implementation, we redesigned
and reimplemented effect monitoring by taking advantange of JavaScript proxies.
Our new design avoids all drawbacks of the prior implementation. It guarantees
full interposition; it is not restricted to a subset of JavaScript; it is
self-maintaining; and its scalability to large programs is significantly better
than with JSConTest.
The improved scalability has two sources. First, the reimplementation is
significantly faster than the original, transformation-based implementation.
Second, the reimplementation relies on the fly-weight pattern and on trace
reduction to conserve memory. Only the combination of these techniques enables
monitoring and inference for large programs.Comment: Technical Repor
Web Tracking: Mechanisms, Implications, and Defenses
This articles surveys the existing literature on the methods currently used
by web services to track the user online as well as their purposes,
implications, and possible user's defenses. A significant majority of reviewed
articles and web resources are from years 2012-2014. Privacy seems to be the
Achilles' heel of today's web. Web services make continuous efforts to obtain
as much information as they can about the things we search, the sites we visit,
the people with who we contact, and the products we buy. Tracking is usually
performed for commercial purposes. We present 5 main groups of methods used for
user tracking, which are based on sessions, client storage, client cache,
fingerprinting, or yet other approaches. A special focus is placed on
mechanisms that use web caches, operational caches, and fingerprinting, as they
are usually very rich in terms of using various creative methodologies. We also
show how the users can be identified on the web and associated with their real
names, e-mail addresses, phone numbers, or even street addresses. We show why
tracking is being used and its possible implications for the users (price
discrimination, assessing financial credibility, determining insurance
coverage, government surveillance, and identity theft). For each of the
tracking methods, we present possible defenses. Apart from describing the
methods and tools used for keeping the personal data away from being tracked,
we also present several tools that were used for research purposes - their main
goal is to discover how and by which entity the users are being tracked on
their desktop computers or smartphones, provide this information to the users,
and visualize it in an accessible and easy to follow way. Finally, we present
the currently proposed future approaches to track the user and show that they
can potentially pose significant threats to the users' privacy.Comment: 29 pages, 212 reference
TreatJS: Higher-Order Contracts for JavaScript
TreatJS is a language embedded, higher-order contract system for JavaScript
which enforces contracts by run-time monitoring. Beyond providing the standard
abstractions for building higher-order contracts (base, function, and object
contracts), TreatJS's novel contributions are its guarantee of non-interfering
contract execution, its systematic approach to blame assignment, its support
for contracts in the style of union and intersection types, and its notion of a
parameterized contract scope, which is the building block for composable
run-time generated contracts that generalize dependent function contracts.
TreatJS is implemented as a library so that all aspects of a contract can be
specified using the full JavaScript language. The library relies on JavaScript
proxies to guarantee full interposition for contracts. It further exploits
JavaScript's reflective features to run contracts in a sandbox environment,
which guarantees that the execution of contract code does not modify the
application state. No source code transformation or change in the JavaScript
run-time system is required.
The impact of contracts on execution speed is evaluated using the Google
Octane benchmark.Comment: Technical Repor
Implementation of Faceted Values in Node.JS.
Information flow analysis is the study of mechanisms by which developers may protect sensitive data within an ecosystem containing untrusted third-party code. Secure multi-execution is one such mechanism that reliably prevents undesirable information flows, but a programmer’s use of secure multi-execution is itself challenging and prone to error. Faceted values have been shown to provide an alternative to secure multi-execution which is, in theory, functionally equivalent. The purpose of this work is to show that the theory holds in practice by implementing usable faceted values in JavaScript via source code transformation. The primary contribution of this project is to provide a library that makes these transformations possible in any standard JavaScript runtime without requiring native support. We build a pipeline that takes JavaScript code with syntactic support for faceted values and, through source code transformation, produces platform-independent JavaScript code containing functional faceted values. Our findings include a method by which we may optimize the use of faceted values through static analysis of the program’s information flow
Blocking Java Applets at the Firewall
This paper explores the problem of protecting a site on the Internet against hostile external Java applets while allowing trusted internal applets to run. With careful implementation, a site can be made resistant to current Java security weaknesses as well as those yet to be discovered. In addition, we describe a new attack on certain sophisticated firewalls that is most effectively realized as a Java applet
- …