Computer Science

Computer Science ›› 2017, Vol. 44 ›› Issue (Z11): 322-328.doi: 10.11896/j.issn.1002-137X.2017.11A.068

Previous Articles     Next Articles

Data Leakage Oriented Testing Method for Web Sandbox

SUN Ya-jing, ZHAO Xu, YAN Xue-xiong and WANG Qing-xian   

  • Online:2018-12-01 Published:2018-12-01

PDF (PC)

596

Abstract: Data Leakage is an important cause of Web sandbox escape.Namely,unauthorized programs can access sensitive data of system.The existed security analysis methods of Web application are not applicable to detect data leakage of Web sandboxes.In this paper,a Web sandbox test method was proposed to detect Web sandbox data leakage.Based on the model of JavaScript object,first,the method uses depth-first strategy to traversal native objects of browser and gets the collection of directly access object.Then,the method designs sensitive-point oriented test algorithm of encapsulated objects and gets the collection of indirectly access object.Next,the method designs data leakage test algorithm of multiple applications and gets the possible communication paths of programs.Finally,the method compares the test results and the specification of tested web sandbox to detect data leakage.This paper designed and implemented a Web sandbox test system (WSTS),and tested the different versions of ADsafe.The experimental results show that the method has good ability to detect data leakage of Web sandbox.

Key words: Web sandbox,JavaScript,Data leakage,Testing method

[1] BHARGAVAN K,DELIGNAT L A,MAFFEIS S.DefensiveJavaScript[M]∥Foundations of Security Analysis and Design VII.Springer International Publishing,2014:88-123.
[2] TRIPP O,FERRARA P,PISTOIA M.Hybrid security analysis of web javascript code via dynamic partial evaluation[C]∥Proceedings of the 2014 International Symposium on Software Testing and Analysis.ACM,2014:49-59.
[3] POLITZ J G,ARJUN G,SHRIRAM K.Typed-based verification of Web sandboxes[J].Journal of Computer Security,2014,2(4):511-565.
[4] MAASS M,SALES A,CHUNG B,et al.A systematic analysis of the science of sandboxing[J].BMC Evolutionary Biology ,2016,2(3):e43.
[5] JavaScript and the Document Object Model.http://www.ibm.com/developerworks/web/library/wa-jsdom.
[6] The Browser Object Model.http://msdn.microsoft.com/en-us/library/ms952643.aspx.
[7] ECMAScript Language Specification 2015.http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf.
[8] DOUGLAS C.ADsafe.http://www.adsafe.org.
[9] MARK S,MILLER S,BEN L,et al.Caja:Safe active content in sanitized JavaScript.http://google-caja,googlecode.com/files/caja-spec-2008-06-07.pdf.
[10] Facebook.FBJS.http://developers.facebook.com/docs/fbjs.
[11] SERGIO M,MITCHELL J C,TALY A.Isolating JavaScriptwith filters,rewriting,and wrapper [C]∥European Symposium on Research in Computer Security.Springer Berlin Heidelberg,2009:505-522.
[12] TALY A,ERLINGSSON ,MITCHELL J C,et al.Automated analysis of security-critical javascript apis[C]∥ 2011 IEEE Symposium on Security and Privacy (SP).IEEE,2011:363-378.
[13] POLITZ J G,SPIRIDON A E,ARJUN G,et al.ADsafety:Typed-based verification of JavaScript sandboxing[C]∥Proceedings of the 20th USENIX Conference on Security.2011.
[14] POLITZ J G,ARJUN G,SHRIRAM K,Semantics and Types for Objects with First-Class Member Names[M]∥Workshop on Foundations of Object-Oriented Languages(FOOL).2012:15-22.
[15] SAXENA P,AKHAWE D,HANNA S,et al.A symbolic execution framework for javascript[C]∥2010 IEEE Symposium on Security and Privacy (SP).IEEE,2010:513-528.
[16] LI Y F,PARAMJIT K D,DAVID L D.Two decades of Web application testing-A Survey of recent advances[J].Information System,2014,43:20-54.
[17] DANIEL M,JAMES W.Choosing Scrapy[J].Journal of Computing Sciences in Colleges,2015,31(1):83-89.
No related articles found!
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
Add:18# Honghu West Rd., Yubei ,Chongqing,China    Post Code: 401121
Tel: 023-63500828/023-67039612/023-67039623
E-mail: jsjkx12@163.com
Powered by Beijing Magtech Co., Ltd.