Page 221 - Journal of Software (Ruan Jian Xue Bao), 2021, No. 8

Luo W, et al.: A survey of browser same-origin policy security                                                             2503


                 [86]    Calzavara S, Conti M, Focardi R, et al. Machine learning for Web vulnerability detection: the case of cross-site request forgery.
                      IEEE Security & Privacy, 2020,18(3):8−16.
                 [87]    MDN Web Docs. Document.domain JavaScript API. 2020. https://developer.mozilla.org/en-US/docs/Web/API/Document/domain
                 [88]    MDN Web Docs. Cross-origin resource sharing (CORS). 2020. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
                 [89]    Ippolito B. Remote JSON—JSONP. 2005. https://bob.ippoli.to/archives/2005/12/05/remote-json-jsonp/
                 [90]    Stock B, Johns M, Steffens M, et al. How the Web tangled itself: Uncovering the history of client-side Web (in) security. In: Proc.
                      of the 2017 USENIX Security Symp. (USENIX Security 2017). 2017. 971−987.
                 [91]    WHATWG. Cross-document messaging. 2019. https://html.spec.whatwg.org/multipage/web-messaging.html#crossDocumentMessages
                 [92]    Weissbacher M, Robertson WK, Kirda E, et al. ZigZag: Automatically hardening Web applications against client-side validation
                      vulnerabilities. In: Proc. of the 2015 USENIX Security Symp. (USENIX Security 2015). 2015. 737−752.
                 [93]    Guan C, Sun K, Wang Z, et al. Privacy breach by exploiting postMessage in HTML5: Identification, evaluation, and countermeasure.
                      In: Proc. of the 2016 ACM Asia Conf. on Computer and Communications Security (Asia CCS 2016). 2016. 629−640. [doi:
                      10.1145/2897845.2897901]
                 [94]    Guan C, Sun K, Lei L, et al. DangerNeighbor attack: Information leakage via postMessage mechanism in HTML5. Computers &
                      Security, 2019, 291−305. [doi: 10.1016/j.cose.2018.09.010]
                 [95]    WHATWG. Fetch standard. 2020. https://fetch.spec.whatwg.org/
                 [96]    Jackson C, Wang HJ. Subspace: Secure cross-domain communication for Web mashups. In: Proc. of the 2007 Int’l Conf. on
                      World Wide Web (WWW 2007). 2007. 611−620. [doi: 10.1145/1242572.1242655]
                 [97]    Liu J, Su PR, Yang M, et al. Software and cyber security—A survey. Ruan Jian Xue Bao/Journal of Software, 2018,29(1):42−68
                      (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5320.htm [doi: 10.13328/j.cnki.jos.005320]
                 [98]    One A. Smashing the stack for fun and profit. 1996. https://inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
                 [99]    Microsoft Corporation. Microsoft’s data execution prevention. 2004. https://ohdcs.hospitality.oracleindustry.com/OperaHelp/
                      microsoft_s_data_extraction_prevention.htm
                 [100]    Shacham H. The geometry of innocent flesh on the bone: Return-into-Libc without function calls (on the x86). In: Proc. of the
                      2007 ACM SIGSAC Conf. on Computer and Communications Security (CCS 2007). 2007. 552−561. [doi:
                      10.1145/1315245.1315313]
                 [101]    Roemer R, Buchanan E, Shacham H, et al. Return-oriented programming: Systems, languages, and applications. ACM Trans. on
                      Information and System Security (TISSEC), 2012,15(1):1−34. [doi: 10.1145/2133375.2133377]
                 [102]    Bletsch T, Jiang X, Freeh VW, et al. Jump-oriented programming: A new class of code-reuse attack. In: Proc. of the 2011 ACM
                      Asia Conf. on Computer and Communications Security (Asia CCS 2011). 2011. 30−40. [doi: 10.1145/1966913.1966919]
                 [103]    Checkoway S, Davi L, Dmitrienko A, et al. Return-oriented programming without returns. In: Proc. of the 2010 ACM SIGSAC
                      Conf. on Computer and Communications Security (CCS 2010). 2010. 559−572. [doi: 10.1145/1866307.1866370]
                 [104]    Abadi M, Budiu M, Erlingsson Ú, et al. Control-flow integrity. In: Proc. of the 2005 ACM SIGSAC Conf. on Computer and
                      Communications Security (CCS 2005). 2005. [doi: 10.1145/1102120.1102165]
                 [105]    Abadi M, Budiu M, Erlingsson Ú, et al. Control-flow integrity principles, implementations, and applications. ACM Trans. on
                      Information and System Security (TISSEC), 2009,13(1):1−40. [doi: 10.1145/1609956.1609960]
                 [106]    Pappas V, Polychronakis M, Keromytis AD. Transparent ROP exploit mitigation using indirect branch tracing. In: Proc. of the
                      2013 USENIX Security Symp. (USENIX Security 2013). 2013. 447−462.
                 [107]    Cheng Y, Zhou Z, Miao Y, et al. ROPecker: A generic and practical approach for defending against ROP attack. In: Proc. of the
                      2014 Network and Distributed System Security Symp. (NDSS 2014). 2014.
                 [108]    Onarlioglu K, Bilge L, Lanzi A, et al. G-free: Defeating return-oriented programming through gadget-less binaries. In: Proc. of
                      the 2010 Annual Computer Security Applications Conf. (ACSAC 2010). 2010. 49−58. [doi: 10.1145/1920261.1920269]
                 [109]    Bhatkar S, DuVarney DC, Sekar R. Address obfuscation: An efficient approach to combat a broad range of memory error exploits.
                      In: Proc. of the 2003 USENIX Security Symp. (USENIX Security 2003). 2003. 291−301.