Web-client runtime security system based on dynamic code instrumentation and policy injection.

摘要

The volume of web based malware on the Internet keeps rising despite huge investments on web security. JavaScript, the dominant scripting language for web applications, is the primary channel for most of these attacks. In this thesis, we describe research into the design and implementation of new web application protection system based on code instrumentation techniques. This system combines traditional static analysis techniques with a dynamic HTML, CSS and JavaScript code runtime monitoring agent to offer an efficient, easily deployable, policy driven framework for improved user protection. Rewriting and runtime monitoring are based on providing secure equivalents of JavaScript code constructs known to contain insecurities and hence exploitable by malicious web applications. As a demonstration of the practical capabilities of this framework, three case study attacks and empirical analysis of some of its various aspects across 1000 home pages belonging to the most popular web sites on the Internet are presented.;The results from testing the framework shows its potential for protection of web clients from a broad range of security and privacy issues that manifest on the Internet today.