Securing web-clients with instrumented code and dynamic runtime monitoring

► Highly robust proxy based framework that can intercept HTTP request/response. ► A comprehensive HTTP traffic transformation XML rules schema. ► Self-contained, in-browser security manager for the JavaScript Language. ► A collection of secure JavaScript equivalent objects. Security and privacy concerns remain a major factor that hinders the whole scale adoption of web-based technology in sensitive situations, such as financial transactions (Gao and Owolabi, 2008; Lichtenstein and Williamson, 2006). These concerns impact both end users and content generators. To tackle this problem requires a complimentary technology to the already developed and deployed infrastructure for web security. Hence, we have developed a multi-layer framework for web client security based on mobile code instrumentation. This architecture seeks to isolate exploitable security vulnerabilities and enforce runtime policies against malicious code constructs. Our instrumentation process uniquely integrates both static and dynamic engines and is driven by flexible (XML based) rewrite rules for a scalable operation and transparent deployment. Based on secure equivalents for vulnerable JavaScript objects and methods, our mechanism offers superior runtime performance compared to other approaches. Extensive investigation using four case studies shows that the instrumentation technique provides a potential solution to curb the rising number of security exploits that exist on the web today. In addition, performance data gathered from evaluations on active websites demonstrate that the mechanism has very little impact in terms of user experience; thus making it plausible for adoption by end-users.