Document Type

Article

Publication Date

7-2015

Publication Source

IEEE Transactions on Dependable and Secure Computing

Abstract

Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad Web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of Web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in Web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these Web platforms.

Inclusive pages

443–457

ISBN/ISSN

1545-5971

Document Version

Postprint

Comments

The document available for download is the authors' accepted manuscript, provided in compliance with the publisher's policy on self-archiving. To read the version of record, use the DOI provided.

Permission documentation on file.

Publisher

Institute of Electrical and Electronics Engineers

Volume

12

Issue

4

Peer Reviewed

yes

Link to published version

Share

COinS