A couple of results about JavaScript

This talk will summarize two recent results on JavaScript.

“The Eval that Men Do”: Transforming text into executable code with a function such as JavaScript’s eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But this expressive power comes at a price. Reasoning about the dynamic behavior of programs that use this features becomes difficult. A better understanding of how eval is used could lead to increased performance and security. I will report on a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior 317 MB of strings given as arguments to 481,844 calls to the eval function. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior.

“Flexible Access Control Policies with Delimited Histories and Revocation”: Providing security guarantees for software systems built out of untrusted components requires the ability to enforce fine-grained access control policies. This is evident in Web 2.0 applications where JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over delimited histories and allows for revocation of the history, and reversion to a safe state if a violation is detected. We report on an empirical evaluation in the context of a production browser. We show examples of security policies which prevent real attacks without imposing drastic restrictions on legacy applications. We have evaluated our proposal with two non-trivial policies on 50 of the Alexa top websites with no changes to the legacy JavaScript code. Between 72% and 84% of the sites were fully functional, and only 1 site was rendered non-functional.