Shared Website Code Security

Researchers at the University of California at Berkeley in Berkeley, California and Microsoft Corporation in Redmond, Washington have developed a new security system for monitoring and controlling the shared code on websites. Their new application would identify external shared code and permit web application developers to determine precisely what such code could and could not do to their sites and underlying data.
Conscript co-developer Ben Livshits. (Source: Ben Livshits/Microsoft Research)

Called Conscript, the new system would permit web developers to control whether and how JavaScript executes on their web applications – provided their users are running Internet Explorer 8 (the system could theoretically be extended to other browsers in the future). Conscript identifies seventeen different types of executable JavaScript based on patterns found both in plain vanilla JavaScript and in commonly used JavaScript libraries such as JScript and AJAX, and gives its users – the site developers – fine-grained control over each one individually.

Some of the options provided by Conscript include the ability to turn off dynamically executed code after a specific point in page loading, restricting the use of time-based callback methods, restricting XMLHttpRequest calls to trusted secure connections, disabling JavaScript access to the private data often stored in cookies, and the use of whitelists to enable or disable executable code from specific sources. For example, a website could explicitly disable all executable code from every source except specific partner sites like Google Maps or Amazon, or disallow all server-side calls from any client-side JavaScript code by blocking use of XMLHttpRequest. Conscript can also be used to blacklist specific calls or domains and to log intrusion attempts made against any blocked functions or by blocked domains.
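To make the policy options above concrete, here is an added example (not Conscript's own code; Conscript enforces its policies inside the browser, whereas this simulation runs in Node.js against a constructed stand-in for the page's globals). The `around` helper, the `applyPolicy` function and the policy keys (`noEvalAfterLoad`, `maxTimerDelayMs`, `xhrAllowedOrigins`, `blockCookieAccess`) are this example's own hypothetical names; the whitelist host and the requests are constructed sample data. It shows four of the controls the article lists: no dynamic code after page load, a cap on timer callbacks, XMLHttpRequest limited to HTTPS and a whitelist of origins, cookie access blocked, plus a log of every blocked attempt.

```javascript
// Constructed stand-in for the browser globals a page would protect.
// Not a real browser: just enough state for the policy wrappers to act on.
function makeEnvironment() {
  const env = {
    loaded: false, // flipped once page load is considered complete
    evalCalls: [],
    timers: [],
    requests: [],
    cookieReads: 0,
    eval(src) { env.evalCalls.push(src); return `ran:${src}`; },
    setTimeout(fn, ms) { env.timers.push(ms); return env.timers.length; },
    XMLHttpRequest: { open(method, url) { env.requests.push(url); return true; } },
    readCookie() { env.cookieReads += 1; return "session=abc"; },
  };
  return env;
}

// Hypothetical "around" advice helper (this example's own, not Conscript's API):
// replaces obj[name] with a wrapper that hands the original function to the advice,
// so the advice can check arguments and state before deciding to run it.
function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function (...args) { return advice(original, this, args); };
}

// Installs the chosen restrictions on env and returns the log of blocked attempts.
function applyPolicy(env, policy) {
  const log = [];
  const deny = (what, detail) => {
    log.push({ what, detail });
    throw new Error(`policy blocked ${what}: ${detail}`);
  };

  if (policy.noEvalAfterLoad) {
    around(env, "eval", (orig, self, args) => {
      if (env.loaded) deny("eval", String(args[0]).slice(0, 40));
      return orig.apply(self, args);
    });
  }
  if (policy.maxTimerDelayMs !== undefined) {
    around(env, "setTimeout", (orig, self, args) => {
      if (args[1] > policy.maxTimerDelayMs) deny("setTimeout", `${args[1]} ms`);
      return orig.apply(self, args);
    });
  }
  if (policy.xhrAllowedOrigins) {
    around(env.XMLHttpRequest, "open", (orig, self, args) => {
      const url = new URL(args[1]);
      const trusted = url.protocol === "https:" && policy.xhrAllowedOrigins.includes(url.host);
      if (!trusted) deny("xhr", args[1]);
      return orig.apply(self, args);
    });
  }
  if (policy.blockCookieAccess) {
    around(env, "readCookie", () => deny("cookie", "document.cookie read"));
  }
  return log;
}

// Runs a constructed scenario and returns what each call produced plus the log.
function runScenario() {
  const env = makeEnvironment();
  const policy = {
    noEvalAfterLoad: true,
    maxTimerDelayMs: 1000,
    xhrAllowedOrigins: ["maps.googleapis.com"], // constructed whitelist
    blockCookieAccess: true,
  };
  const log = applyPolicy(env, policy);
  const attempt = (fn) => { try { return fn(); } catch (e) { return "blocked"; } };

  const results = {
    evalBeforeLoad: attempt(() => env.eval("1+1")),
    xhrAllowed: attempt(() => env.XMLHttpRequest.open("GET", "https://maps.googleapis.com/maps")),
    xhrPlainHttp: attempt(() => env.XMLHttpRequest.open("GET", "http://maps.googleapis.com/maps")),
    xhrOtherHost: attempt(() => env.XMLHttpRequest.open("GET", "https://third-party.example/x")),
    cookie: attempt(() => env.readCookie()),
    shortTimer: attempt(() => env.setTimeout(() => {}, 500)),
    longTimer: attempt(() => env.setTimeout(() => {}, 5000)),
  };
  env.loaded = true; // page load complete: dynamic code is no longer allowed
  results.evalAfterLoad = attempt(() => env.eval("alert(1)"));
  return { results, log };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The wrappers fail closed: an attempt that violates the policy never reaches the original function, and the log entry gives the site owner the same evidence the article describes Conscript recording for blocked calls.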

Developers can manually select their preferred level of restrictions for each of the seventeen options, but Conscript also supports automated default selections imposed by their IDE or other common development tools. These policies would be developed once and then integrated into the project template used for all future development, much as other organizational coding practices and standards are today.

TFOT has previously reported on other debugging and security software including self-repairing software capable of locating and fixing a variety of bugs within minutes of their discovery, the security features of the Firefox 3 browser, and the security features of Google Chrome including some JavaScript-specific security features.

Read more about Conscript and its functionality in this PDF paper by its principal developers, Leo Meyerovich at UC Berkeley and Ben Livshits at Microsoft.
