The Center for Education and Research in Information Assurance and Security (CERIAS)


Jan Vitek - Purdue University


A couple of results about JavaScript

Feb 23, 2011

Download: MP4 Video (443.1 MB)
Watch on YouTube

Abstract

This talk will summarize two recent results on JavaScript.

"The Eval that Men Do": Transforming text into executable code with a function such as JavaScript's eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But this expressive power comes at a price: reasoning about the dynamic behavior of programs that use this feature becomes difficult. A better understanding of how eval is used could lead to increased performance and security. I will report on a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior of 317 MB of strings given as arguments to 481,844 calls to the eval function. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior.

"Flexible Access Control Policies with Delimited Histories and Revocation": Providing security guarantees for software systems built out of untrusted components requires the ability to enforce fine-grained access control policies. This is evident in Web 2.0 applications where JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over delimited histories and allows for revocation of the history, and reversion to a safe state if a violation is detected. We report on an empirical evaluation in the context of a production browser. We show examples of security policies which prevent real attacks without imposing drastic restrictions on legacy applications. We have evaluated our proposal with two non-trivial policies on 50 of the Alexa top websites with no changes to the legacy JavaScript code. Between 72% and 84% of the sites were fully functional, and only 1 site was rendered non-functional.
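An added illustration of the delimited-history mechanism the second abstract describes (example code, not the talk's or the paper's implementation): the host state, the `read`/`write`/`fetch` API and the cookie-leak policy are constructed stand-ins for the browser-level objects and policies the talk evaluates.

```javascript
// Untrusted code runs inside a delimited history that logs every security-relevant
// event together with an undo closure for any mutation it made. A policy is evaluated
// over that history before each event; a violation revokes the history by undoing its
// mutations, reverting the host to the state it had when the delimited region began.
class PolicyViolation extends Error {
  constructor(event) { super('policy violation: ' + event.type); this.event = event; }
}

// Constructed stand-in for shared page state (cookie, DOM title, outbound requests).
function makeHost() {
  return { cookie: 'session=abc', title: 'home', requests: [] };
}

// Run `untrusted(api)` under `policy(event, history)`; returns { ok, event }.
function runDelimited(host, policy, untrusted) {
  const history = []; // events admitted so far, oldest first, each with its undo
  const record = (event, undo) => {
    if (!policy(event, history)) throw new PolicyViolation(event);
    history.push({ ...event, undo });
  };
  const api = {
    read(key) { record({ type: 'read', key }, () => {}); return host[key]; },
    write(key, value) {
      const prev = host[key];
      record({ type: 'write', key }, () => { host[key] = prev; });
      host[key] = value;
    },
    fetch(url) {
      record({ type: 'fetch', url }, () => { host.requests.pop(); });
      host.requests.push(url);
    },
  };
  try {
    untrusted(api);
    return { ok: true, event: null };
  } catch (e) {
    if (!(e instanceof PolicyViolation)) throw e;
    // Revocation: undo every admitted event, newest first, then report the violation.
    for (let i = history.length - 1; i >= 0; i--) history[i].undo();
    return { ok: false, event: e.event };
  }
}

// History-based policy (constructed example): a request to a foreign origin is
// denied once the cookie has been read inside the same delimited history.
function noCookieLeak(event, history) {
  if (event.type !== 'fetch' || event.url.startsWith('https://example.org/')) return true;
  return !history.some(h => h.type === 'read' && h.key === 'cookie');
}
```

Untrusted code that catches `PolicyViolation` itself could keep running after a denial; an enforcement layer inside the engine, as in the talk's browser evaluation, does not give the monitored code that option.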

About the Speaker

Jan Vitek
Jan Vitek is a Professor of Computer Science at Purdue. He works on programming language technologies with applications to real-time computing. Prof. Vitek led the Ovm project which resulted in the first open source real-time Java virtual machine to be flight-tested in 2005. He has since investigated virtual machine technologies for safety-critical embedded systems. He is or has been general chair of PLDI, LCTES and ISMM as well as program chair of ECOOP, VEE, Coordination, and TOOLS. He is a member of the JSR-302 Safety Critical Java expert group and of the IFIP 2.4 working group on compilers and software technologies.
