JaTE: Transparent and Efficient JavaScript Confinement
Introduction
Inclusion of third-party scripts is a common practice, even among major sites handling sensitive data. The default browser security policies are ill-suited for securing web sites against vulnerable or malicious third-party scripts: the choice is between full privilege (the script tag) and isolation (the iframe tag), and nearly all use cases (advertisement, libraries, analytics, etc.) require the former. Previous work attempted to bridge the gap between the two alternatives, but all these solutions suffer from one or more of the following problems: (a) lack of compatibility, causing most existing third-party scripts to fail, (b) excessive performance overheads, and (c) no support for object-level policies. For these reasons, confinement of JavaScript code suitable for widespread deployment is still an open problem. Our framework, JaTE, has none of the above shortcomings. It can be deployed on today's web sites while imposing relatively modest overheads.
Status
This version is developed for Firefox 33. Please stay tuned while we clean up and port JaTE to the latest Firefox, with more updates to follow. We will also include instructions to set up and run JaTE soon.
Download
The reference implementation is available under the GPL here.
Acknowledgements
This work was supported in part by an AFOSR grant FA9550-09-1-0539, an NSF grant CNS-0831298, and an ONR grant N000140710928.