Title: Language-Based Isolation of Untrusted JavaScript.

Abstract:
Web sites that incorporate untrusted content may use browser- or
language-based methods to keep such content from maliciously altering
pages, stealing sensitive information, or causing other harm. This talks
will present my work on language based techniques to enforce host
isolation and inter-component isolation on web sites that combine
JavaScript from untrusted sources. Using a formal semantics of
JavaScript, we proved security properties of a subset of
JavaScript, comparable in expressiveness to Facebook FBJS, obtained by
combining filtering, rewriting and wrapping techniques. We validated our
results by comparing with existing solutions (Facebook and AdSafe), and
discovering previously unknown vulnerabilities.