The Community for Technology Leaders
Green Image
Issue No. 04 - July-Aug. (2015 vol. 12)
ISSN: 1545-5971
pp: 443-457
Phu H. Phung , Department of Computer Science and Engineering, University of Gothenburg, Gothenburg, Sweden
Maliheh Monshizadeh , Department of Computer Science, University of Illinois at Chicago, Chicago, IL
Meera Sridhar , Department of Software and Information SystemsUniversity of North Carolina at Charlotte
Kevin W. Hamlen , Department of Computer Science, University of Texas at Dallas, Dallas, TX
V.N. Venkatakrishnan , Department of Computer Science, University of Illinois at Chicago, Chicago, IL
ABSTRACT
Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad Web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of Web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in Web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these Web platforms.
INDEX TERMS
advertising, authoring languages, Java, online front-ends, security of data, software architecture, Web sites
CITATION

P. H. Phung, M. Monshizadeh, M. Sridhar, K. W. Hamlen and V. Venkatakrishnan, "Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content," in IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 443-457, 2015.
doi:10.1109/TDSC.2014.2355847
272 ms
(Ver 3.3 (11022016))