Using Lightweight Formal Methods for JavaScript Security
Date
2010-07-23
DOI
Authors
Reynolds, Mark
Version
OA Version
Citation
Reynolds, Mark. "Using Lightweight Formal Methods for JavaScript Security", Technical Report BUCS-TR-2010-021, Computer Science Department, Boston University, July 23, 2010. [Available from: http://hdl.handle.net/2144/3798]
Abstract
The goal of this work was to apply lightweight formal methods to the study of the security of the JavaScript language. Previous work has shown that lightweight formal methods present a new approach to the study of security in the context of the Java Virtual Machine (JVM). The current work has attempted to codify best current practices in the form of a security model for JavaScript. Such a model is a necessary component in analyzing browser actions for vulnerabilities, but it is not sufficient. It is also required to capture actual browser event traces and incorporate these into the model. The work described herein demonstrates that it is (a) possible to construct a model for JavaScript security that captures important properties of current best practices within browsers; and (b) that an event translator has been written that captures the dynamic properties of browser site traversal in such a way that model analysis is tractable, and yields important information about the satisfaction or refutation of the static security rules.