Staged information flow for JavaScript

Modern websites are powered by JavaScript, a flexible dynamic scripting language that executes in client browsers. A common paradigm in such websites is to include third-party JavaScript code in the form of libraries or advertisements. If this code were malicious, it could read sensitive information from the page or write to the location bar, thus redirecting the user to a malicious page, from which the entire machine could be compromised. We present an information-flow-based approach for inferring the effects that a piece of JavaScript has on the website in order to ensure that key security properties are not violated. To handle dynamically loaded and generated JavaScript, we propose a framework for staging information flow properties. Our framework propagates information flow through the currently known code in order to compute a minimal set of syntactic residual checks that are performed on the remaining code when it is dynamically loaded. We have implemented a prototype framework for staging information flow. We describe our techniques for handling some difficult features of JavaScript and evaluate our system's performance on a variety of large real-world websites. Our experiments show that static information flow is feasible and efficient for JavaScript, and that our technique allows the enforcement of information-flow policies with almost no run-time overhead.
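The staging idea in the abstract, as an added toy illustration that is not the paper's framework or code: a flow-insensitive taint pass over the statically known statements computes which names carry secret data, and the resulting residual check is purely syntactic, applied to later-loaded code without re-running the analysis. The source/sink policy, the pre-parsed statement shape `{lhs, uses}`, and the sample statements are all constructed assumptions.

```javascript
// Assumed policy: secret source must not flow into the public sink.
const SOURCES = new Set(["document.cookie"]);
const SINKS = new Set(["window.location"]);

// Constructed sample of statically known page code, pre-parsed as
// assignments: lhs = f(uses...). Control flow is ignored (flow-insensitive).
const KNOWN = [
  { lhs: "c", uses: ["document.cookie"] },
  { lhs: "id", uses: ["c", "salt"] },
  { lhs: "title", uses: ["document.title"] },
];

// Propagate taint to a fixpoint: any name assigned from a tainted name is tainted.
function propagate(stmts) {
  const tainted = new Set(SOURCES);
  let changed = true;
  while (changed) {
    changed = false;
    for (const { lhs, uses } of stmts) {
      if (!tainted.has(lhs) && uses.some((u) => tainted.has(u))) {
        tainted.add(lhs);
        changed = true;
      }
    }
  }
  return tainted;
}

// Static check on known code: a sink assigned from tainted data violates the policy.
function violations(stmts, tainted) {
  return stmts
    .filter(({ lhs, uses }) => SINKS.has(lhs) && uses.some((u) => tainted.has(u)))
    .map((s) => s.lhs);
}

// Residual check for one later-loaded script: it is accepted by syntax alone if it
// mentions no tainted name (it cannot read a secret, since sources are tainted) or
// mentions no sink (it cannot write one). Mentioning both is rejected conservatively.
function checkLoaded(stmts, tainted) {
  const mentioned = new Set(stmts.flatMap((s) => [s.lhs, ...s.uses]));
  const readsSecret = [...tainted].some((n) => mentioned.has(n));
  const writesSink = [...SINKS].some((n) => mentioned.has(n));
  return !(readsSecret && writesSink);
}

// Constructed later-loaded scripts: an ad that only redirects to its own URL, and
// one that leaks the cookie-derived id into the location bar.
const LOADED_OK = [{ lhs: "window.location", uses: ["adUrl"] }];
const LOADED_BAD = [{ lhs: "window.location", uses: ["adUrl", "id"] }];
```

After a script is accepted, its statements would be merged into the known set and the tainted set recomputed before the next stage, so that a later load cannot complete a flow a previous load started.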
