Search Icon
Submissions

ScriptChecker: To Tame Third-party Script Execution With Task Capabilities

Wu Luo (Peking University), Xuhua Ding (Singapore Management University), Pengfei Wu (School of Computing, National University of Singapore), Xiaolei Zhang (Peking University), Qingni Shen (Peking University), Zhonghai Wu (Peking University)

We present ScriptChecker, a novel browser-based framework to effectively and efficiently restrict third-party script execution according to the host web page's needs. Different from all existing schemes functioning at the JavaScript layer, ScriptChecker holistically harnesses context separation and the browser's security monitors to enforce on-demand access controls upon tasks executing untrusted code. The host page can flexibly assign resource-access capabilities to tasks upon their creation. Reaping the benefits of the task capability approach, ScriptChecker outperforms existing techniques in security, usability and performance. We have implemented a prototype of ScriptChecker on Chrome and rigorously evaluated its security and performance with case studies and benchmarks. The experimental results show that its strong security strength and ease-of-use are attained at the cost of unnoticeable performance loss. It incurs about 0.2 microseconds overhead to mediate a DOM access, and 5% delay when loading popular JS graphics and utility libraries.

Paper
Video

View More Papers

Progressive Scrutiny: Incremental Detection of UBI bugs in the...

Yizhuo Zhai (University of California, Riverside), Yu Hao (University of California, Riverside), Zheng Zhang (University of California, Riverside), Weiteng Chen (University of California, Riverside), Guoren Li (University of California, Riverside), Zhiyun Qian (University of California, Riverside), Chengyu Song (University of California, Riverside), Manu Sridharan (University of California, Riverside), Srikanth V. Krishnamurthy (University of California, Riverside),…

Read More

FANDEMIC: Firmware Attack Construction and Deployment on Power Management...

Ryan Tsang (University of California, Davis), Doreen Joseph (University of California, Davis), Qiushi Wu (University of California, Davis), Soheil Salehi (University of California, Davis), Nadir Carreon (University of Arizona), Prasant Mohapatra (University of California, Davis), Houman Homayoun (University of California, Davis)

Read More

Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

Chongzhou Fang (University of California, Davis), Han Wang (University of California, Davis), Najmeh Nazari (University of California, Davis), Behnam Omidi (George Mason University), Avesta Sasan (University of California, Davis), Khaled N. Khasawneh (George Mason University), Setareh Rafatirad (University of California, Davis), Houman Homayoun (University of California, Davis)

Read More

Towards a TEE-based V2V Protocol for Connected and Autonomous...

Mohit Kumar Jangid (Ohio State University) and Zhiqiang Lin (Ohio State University)

Read More