Monday, 19 October 2015

Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content

Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these web platforms.
The aim of this paper is to present FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript.
The scope of this paper is to demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these web platforms.
Meanwhile, the abuse of mixed AS-JS content for malicious campaigns constitutes a significant rising threat for content currently in circulation. For example, a Gmail vulnerability allowed attackers to steal sessions by exploiting the AS-JS interface. A WordPress attack exploits vulnerable AS-to-JS interface calls. A recent study found that 64 of over 1000 top sites contain Flash applications vulnerable to JS XSS attacks. (Our evaluation discusses other real-world attacks.) A deeper examination of these attacks reveals that any defense against attacks arising from AS-JS interactions must adopt a holistic view of the security-relevant events on both platforms. Prior work developed for JS or Flash has not been designed with this holistic perspective, and therefore does not satisfactorily address security issues arising from mixed AS-JS content. The problem of preventing malicious behaviors that exploit combined AS-JS technologies has therefore remained open.

  1. The security of untrusted content that combines both Flash and JavaScript has received considerably less attention.
  2. Major concerns include confidentiality of private client data (e.g., cookies), integrity of host- and user-owned content, and availability of hosting site services.

In this paper, FlashJaX affords publishers a fine-grained mechanism to safely embed untrusted JS and AS content in their web pages. To avoid modifying the client browser or VMs (which would introduce significant deployment barriers), we adopt an in-lined reference monitoring approach. In-lined Reference Monitors (IRMs) modify untrusted code to enforce security policies from the inside. The resulting code is self-monitoring, and can therefore be safely executed on standard browsers and VMs without additional client-side monitoring. FlashJaX’s IRM consists of JS and AS code introduced by the embedding page. The IRM mediates security-relevant events exhibited on the client, permitting or denying them based on a provider-specified policy. A naive design implements separate IRMs for JS and AS; however, this approach has many drawbacks. To enforce policies involving a global event history, separate IRMs must ensure that their security states are synchronized at every decision point. To avoid this, FlashJaX centralizes security state-tracking in the JS half of the IRM, and implements an AS side that shifts the significant policy decisions to the JS side. This is efficient because most security-relevant AS events include AS-JS communication as a sub-component; the IRM therefore couples its AS-JS communications atop these existing ones to avoid unnecessary context switches.

  1. FlashJaX is also compatible with advertisements from leading ad networks.

  2. FlashJaX is effective in preventing attacks related to AS-JS communication, and its lightweight IRM approach exhibits low overhead for mediations.
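The centralized design described above can be sketched in a few lines. This is an added example, not code from the paper or from FlashJaX: the names `Monitor`, `mediate`, `asSide` and `jsSide`, the policy shape, and the principals and hosts are all hypothetical or constructed. It keeps one event history on the JS side, lets a stateless AS stand-in forward its events there, and enforces a history-based policy that spans both platforms.

```javascript
// Added example; Monitor, mediate, asSide/jsSide and the policy shape are hypothetical names.
class Monitor {
  constructor(policy) {
    this.policy = policy;      // Map: principal -> rule(event, history)
    this.history = new Map();  // principal -> events seen so far, both platforms
  }
  // The single decision point: every mediated event from JS or AS lands here.
  mediate(principal, event, action) {
    const past = this.history.get(principal) || [];
    const rule = this.policy.get(principal);
    // Default deny: an unknown principal or unknown operation is rejected.
    const allowed = typeof rule === 'function' && rule(event, past) === true;
    this.history.set(principal, past.concat({ ...event, allowed }));
    return allowed ? { allowed, result: action() } : { allowed, result: undefined };
  }
}

const ALLOWED_HOSTS = new Set(['cdn.example']); // constructed allow-list
// History-based rule for a constructed ad principal: one popup at most, and
// no network send once a cookie read has been permitted on either platform.
const policy = new Map([['ad-1', (ev, past) => {
  const seen = (op) => past.some((p) => p.allowed && p.op === op);
  switch (ev.op) {
    case 'readCookie': return true;
    case 'openWindow': return !seen('openWindow');
    case 'send': return ALLOWED_HOSTS.has(ev.target) && !seen('readCookie');
    default: return false;
  }
}]]);

// The AS half keeps no security state; it only forwards events to the JS
// monitor (a stand-in here for the AS-to-JS call rewritten Flash code would make).
const side = (platform) => (monitor, principal) => (op, target, action) =>
  monitor.mediate(principal, { platform, op, target }, action);
const asSide = side('AS');
const jsSide = side('JS');

function runDemo() {
  const m = new Monitor(policy);
  const as = asSide(m, 'ad-1'), js = jsSide(m, 'ad-1');
  return [
    js('send', 'cdn.example', () => 'sent'),                // no cookie read yet
    as('openWindow', 'https://shop.example', () => 'ok'),   // first popup
    js('openWindow', 'https://shop.example', () => 'ok'),   // second popup, other platform
    as('readCookie', 'document.cookie', () => 'sid=constructed'),
    js('send', 'cdn.example', () => 'sent'),                // after the AS-side cookie read
    jsSide(m, 'ad-2')('send', 'cdn.example', () => 'sent'), // principal with no policy
  ].map((d) => d.allowed);
}
console.log(runDemo());
```

Because both halves share one history, the second popup and the post-cookie send are refused even though the earlier event happened on the other platform, which is the synchronization problem that separate per-platform monitors would have to solve at every decision point.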





· Processor - Pentium III
· Speed - 1.1 GHz
· RAM - 256 MB (min)
· Hard Disk - 20 GB
· Floppy Drive - 1.44 MB
· Keyboard - Standard Windows Keyboard
· Mouse - Two or Three Button Mouse
· Monitor - SVGA

· Operating System : Windows 7
· Front End : JSP and Servlet
· Database : MySQL
· Tool : NetBeans

Monshizadeh, M.; Sridhar, M.; Hamlen, K.W.; Khan. “Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content,” IEEE Transactions on Dependable and Secure Computing, Volume 12, Issue 4, September 2014.
