Virtual Browser: a Virtualized Browser to Sandbox Third-party JavaScripts with Enhanced Security
Yinzhi Cao, Zhichun Li*, Vaibhav Rastogi, Yan Chen, and Xitao Wen
Labs of Internet Security and Technology, Northwestern University
*NEC Labs America
Outline
• Introduction
• Related Work
• Design
• Security Analysis
• Evaluation
• Conclusions
Introduction
• Third-party JavaScripts are popular.
– Web Mashups
– Third-party Games
– Widgets
– Visitor Counters
• However, they share the same privilege as the host web site, and thus
– They can sabotage the host web site.
– They can exploit client browsers.
• So we propose: Virtual Browser, a virtualized browser built upon native browsers.
Related Work
• JavaScript level approaches
– Static methods (ADSafe, FBJS, CoreScript, and Maffeis et al.)
– Runtime Approaches (Microsoft Web Sandbox, and Google Caja)
– Mixed Approaches (GateKeeper, Huang et al.)
• Native approaches
– Browser modification (ConScript, MashupOS and WebJail)
– Approaches using NaCl (AdSentry)
– Approaches using iframes (AdJail and SMash)
JavaScript level approaches
• No dynamic JavaScript feature support (eval and with)
• Vulnerable to drive-by-download (especially unknown attacks)
• Vulnerable to browser quirks
– Undocumented HTML/JavaScript parsing behavior, such as <scri\npt> being parsed as <script>
Native approaches
• Modification to browsers.
• Many are vulnerable to drive-by-download attacks.
Therefore we propose: Virtual Browser
• An approach that is (your take-away)
– Robust to drive-by-download
– Supports dynamic JavaScript features
– Supported by all the browsers
– Robust to browser quirks
System Architecture
[Figure: architecture diagram, built up one element per slide. Legend: Components, Data Objects.]
• Labels in the diagram: Virtual Browser; Native JavaScript Execution Engine; Native JavaScript Parser; Trusted Code; Third-Party JavaScript Code; Virtual JavaScript Parser; Virtual JavaScript Execution Engine; Virtual HTML Parser; Virtual CSS Parser; Virtual DOM; Script; HTML; Style Sheet; AST; DOM; Event; Private Objects; Shared Object.
• Arrow labels: Attach, Link to, Access, Call.
• Only one parser: mitigating quirks
• All written in JavaScript: supported by all browsers
• Virtualization: Robust to drive-by-download
An Example
How to support dynamic features?
[Figure: the path of document.write(str), built up one step per slide.]
• Labels in the diagram: document.write(str); Virtual JS Parser; Virtual JS Exec Engine; Virtual HTML Parser; Virtual DOM; Same Origin Web Server; Real src Web Server.
• Arrow labels: document, write, str, src for script tag, call, forward, request, response.
Security Analysis
• Isolating third-party JavaScript through Avoidance
– Cutting off Outflows of Virtual Browser
– Cutting off Inflows of Virtual Browser
• Communication between third-party JavaScript and trusted JavaScript
– Data Security
– Script Security
– Securing Data Flows in Virtual Browser
Isolation through Avoidance
• Cutting off Outflows of Virtual Browser
– We ensure third-party code is trapped inside Virtual Browser.
– An assumption: any JavaScript code has to be parsed by the native JavaScript parser before it can be executed in the native browser.
  • (1) Look up Manuals
  • (2) Call Graph Analysis
Cutting off Outflows
• Cutting off Outflows of Virtual JavaScript Engine
– Only eval and new Function will cause native parsing.
– Call graph analysis also shows that.
• Cutting off Outflows of Virtual HTML and CSS parsers: similar
• So we avoid using eval and new Function in the Virtual Browser source code.
Cutting off Inflows
• Anonymous Object Encapsulation

    (function () {
        // Only evaluate is exposed; everything else stays private to the closure.
        this.evaluate = function () {
            /* codes */
        };
        /* other codes */
    })();
Communication through Redirection
• Data Security
– General Data Security
  • Mirrored Object
  • Access Control
    – Such as Object Views

    // Mirrored String object used inside the virtual engine
    function String(s) {
        s = arguments.length ? "" + s : "";
        if (this instanceof String) {
            this.value = s;
            return this;
        }
        return s;
    }
Communication through Redirection
• Data Security
– Script Security
  • Determined Scripts
    – Scripts that need immediate execution. (evaluate it)
    – Scripts that need delayed execution. (such as setTimeout)
      » Pseudo-function Pointer

    // The native timer receives a closure over the already parsed node, not a string
    setTimeout(function () {
        execute(parsedNode, exeContext);
    }, 100);
Communication through Redirection
• Data Security
– Script Security
  • Undetermined Script
    – Privilege escalation may happen.
    – We are on par with existing solutions.
    – As shown by Finifter et al., we need to adopt a narrow interface.
Securing Data Flows
[Figure: data-flow diagram with numbered flows 1 to 7, built up over several slides.]
• Labels in the diagram: Native JavaScript Engine; Trusted JS Script; Virtual JS Core; Third-Party JS; Shared Object.
• document.write, eval: Redirect them back to virtual engine
• Prevented by encapsulation
• Privilege escalation: we are on par with existing solutions.
Similar analysis can be applied to virtual CSS parser and HTML parser.
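
Added example (not from the slides or the Virtual Browser source): a toy virtual engine that combines the ideas above, namely closure encapsulation, a mirrored String prototype, eval redirected to the virtual parser, and setTimeout turned into a pseudo-function pointer. The grammar (literals, member access, calls, assignment), the node shapes, and names such as createVirtualEngine and the injected schedule callback are assumptions made for illustration.

```javascript
// Added illustration (not Virtual Browser's code): toy grammar, node shapes and names are assumptions.
const createVirtualEngine = (function () { // closure: virtual code can name nothing inside
  const impls = new WeakMap(); // virtual function object -> native implementation
  const vobj = (props) => Object.assign(Object.create(null), props); // no native prototype
  const vfunc = (impl) => { const f = vobj({}); impls.set(f, impl); return f; };
  function tokenize(src) {
    const re = /\s*(?:(\d+)|(["'])(.*?)\2|([A-Za-z_$][\w$]*)|([.()=;,]))/y;
    const toks = [];
    src = String(src).trim();
    while (re.lastIndex < src.length) {
      const m = re.exec(src);
      if (!m) throw new SyntaxError("virtual parser: unexpected input");
      if (m[1] !== undefined) toks.push({ t: "num", v: Number(m[1]) });
      else if (m[2]) toks.push({ t: "str", v: m[3] });
      else toks.push(m[4] !== undefined ? { t: "id", v: m[4] } : { t: m[5] });
    }
    return toks;
  }
  function parse(src) {
    const toks = tokenize(src);
    let i = 0;
    const peek = (t) => i < toks.length && toks[i].t === t;
    const eat = (t) => { if (!peek(t)) throw new SyntaxError("expected " + t); return toks[i++]; };
    function expr() {
      let n = peek("num") || peek("str")
        ? { type: "Lit", value: toks[i++].v } : { type: "Id", name: eat("id").v };
      for (;;) {
        if (peek(".")) { i++; n = { type: "Member", obj: n, prop: eat("id").v }; }
        else if (peek("(")) {
          const args = [];
          for (i++; !peek(")"); ) { args.push(expr()); if (!peek(")")) eat(","); }
          i++; n = { type: "Call", callee: n, args };
        } else break;
      }
      return peek("=") ? (i++, { type: "Assign", target: n, value: expr() }) : n;
    }
    const body = [];
    while (i < toks.length) { body.push(expr()); if (i < toks.length) eat(";"); }
    return body;
  }
  return function create(schedule) {
    const stringProto = vobj({}), shared = vobj({ count: 0 }); // mirrored prototype, shared object
    const globals = vobj({ shared, String: vobj({ prototype: stringProto }) });
    const holder = (v, what) => {
      const o = typeof v === "string" ? stringProto : v; // strings resolve on the mirror
      if (o && typeof o === "object") return o;
      throw new TypeError("virtual: cannot access " + what);
    };
    function exec(n, ctx) {
      if (n.type === "Lit") return n.value;
      if (n.type === "Id") return ctx[n.name];
      if (n.type === "Member") return holder(exec(n.obj, ctx), n.prop)[n.prop];
      if (n.type === "Assign") {
        if (n.target.type !== "Member") throw new SyntaxError("virtual: bad assignment target");
        return (holder(exec(n.target.obj, ctx), n.target.prop)[n.target.prop] = exec(n.value, ctx));
      }
      const impl = impls.get(exec(n.callee, ctx)); // n.type === "Call"
      if (!impl) throw new TypeError("virtual: not a function");
      return impl(n.args.map((a) => exec(a, ctx)));
    }
    const run = (nodes) => nodes.reduce((_, n) => exec(n, globals), undefined);
    globals.eval = vfunc(([src]) => run(parse(src))); // redirected into the virtual parser
    globals.setTimeout = vfunc(([src, ms]) => {
      const nodes = parse(src); // parsed now, by the virtual parser
      schedule(() => run(nodes), ms); // pseudo-function pointer: the host gets a closure
    });
    return { evaluate: (src) => run(parse(src)), shared };
  };
})();
```

With `const e = createVirtualEngine(setTimeout)`, calling `e.evaluate("String.prototype.x = 1; eval('shared.count = 7')")` sets `e.shared.count` to 7 and leaves the native `String.prototype` untouched, because third-party text only ever reaches the virtual parser.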
Evaluation
• Performance Evaluation
– Speed
– Memory Usage
– Parsing Latency
• Browser Quirk Compatibility
• Robustness to Unknown JavaScript Vulnerability
• Completeness of Implementation
Performance
• Micro-benchmark
• On par with Web Sandbox.
Performance
• Macro-benchmark (Game: Connect Four)
Memory Usage
Parsing Latency (JavaScript)
Parsing Latency (HTML)
Evaluation
• Robust to Browser Quirk
– Robust to 113 browser quirks in XSS cheat sheet
• Robust to Unknown JavaScript Vulnerabilities
– Robust to 14 JavaScript engine vulnerabilities in CVE
• Completeness of Implementation
– Pass 96% test cases of ECMA-262 Edition 1 from Mozilla
Discussion
• Speed – Slow
– Yes. However, latency is acceptable.
– JavaScript engines are becoming faster and faster
• How do we deal with vulnerabilities of the virtual engine?
– Type safe language
– The virtual engine adds another layer that ensures security. (Similar to a Virtual Machine)
Conclusion
• We build Virtual Browser, a virtualized browser upon native browsers.
• We are
– Robust to browser quirks.
– Robust to drive-by-download.
– Supported by all current browsers.
– Supporting dynamic JavaScript features.
– And Slow – Yes, we are
Thanks. Any questions?