The 40th IPP Symposium

Intrusion Detection for Ajax Applications

Arjun Guha, Brown University

Browser-based applications are gaining popularity as technologies like Ajax mature and browsers become more powerful platforms. However, Ajax applications remain notoriously difficult to write and harder still to write securely. In addition to the standard security challenges that face web applications, Ajax applications must contend with a host of new issues, such as foreign script injection and a programming environment with very few static guarantees.

We use static program analysis of an Ajax application's JavaScript and HTML to automatically generate a sound model of the application's interactions with its server. A lightweight proxy then ensures that clients do not violate this model. To keep an attacker from crafting a single generic attack that defeats a generic model, we efficiently insert random requests into clients on a per-session basis, so that each session's model differs. Finally, we evaluate our tools and techniques against real web applications.

Arjun Guha is a Ph.D. student at Brown University. He created a system of polymorphic contracts for JavaScript before taking on Web security. He is a maintainer of the Flapjax programming language.