Information-flow security for JavaScript and its APIs

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

[1]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[2]  Wouter Joosen,et al.  Security of Web Mashups: A Survey , 2010, NordSec.

[3]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[4]  Arnar Birgisson,et al.  Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing , 2012, ESORICS.

[5]  Alejandro Russo,et al.  Securing Timeout Instructions in Web Applications , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[6]  Alejandro Russo,et al.  Tracking Information Flow in Dynamic Tree Structures , 2009, ESORICS.

[7]  Julien Lironcourt Internet Security Seminar Analyzing Information Flow in JavaScript-based Browser Extensions , 2010 .

[8]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[9]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[10]  Dominique Devriese,et al.  FlowFox: a web browser with flexible and precise information flow control , 2012, CCS '12.

[11]  Úlfar Erlingsson,et al.  Automated Analysis of Security-Critical JavaScript APIs , 2011, 2011 IEEE Symposium on Security and Privacy.

[12]  Anindya Banerjee,et al.  Stack-based access control and secure information flow , 2005, J. Funct. Program..

[13]  Marco Pistoia,et al.  Saving the world wide web from vulnerable JavaScript , 2011, ISSTA '11.

[14]  Andrei Sabelfeld,et al.  Tight Enforcement of Information-Release Policies for Dynamic Languages , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[15]  Benjamin Livshits,et al.  GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code , 2009, USENIX Security Symposium.

[16]  Jonas Magazinius,et al.  Architectures for Inlining Security Monitors in Web Applications , 2014, ESSoS.

[17]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[18]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[19]  Peter Thiemann Towards Specializing JavaScript Programs , 2014, Ershov Memorial Conference.

[20]  Dominique Devriese,et al.  Stateful Declassification Policies for Event-Driven Programs , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[21]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[22]  Andrei Sabelfeld,et al.  Value Sensitivity and Observable Abstract Values for Information Flow Control , 2015, LPAR.

[23]  Jonas Magazinius,et al.  A lattice-based approach to mashup security , 2010, ASIACCS '10.

[24]  Frank Piessens,et al.  JSand: complete client-side sandboxing of third-party JavaScript without browser modifications , 2012, ACSAC '12.

[25]  Zhou Li,et al.  Mash-IF: Practical information-flow control within client-side mashups , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[26]  Andrei Sabelfeld,et al.  Limiting information leakage in event-based communication , 2011, PLAS '11.

[27]  Deian Stefan,et al.  Toward Principled Browser Security , 2013, HotOS.

[28]  Sorin Lerner,et al.  Staged information flow for javascript , 2009, PLDI '09.

[29]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[30]  Andrew C. Myers,et al.  Programming Languages for Information Security , 2002 .

[31]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[32]  David A. Naumann,et al.  Inlined Information Flow Monitoring for JavaScript , 2015, CCS.

[33]  Arthur Charguéraud,et al.  A trusted mechanised JavaScript specification , 2014, POPL.

[34]  Sorin Lerner,et al.  An empirical study of privacy-violating information flows in JavaScript web applications , 2010, CCS '10.

[35]  Arnar Birgisson,et al.  JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.

[36]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[37]  Andrei Sabelfeld,et al.  Value-Sensitive Hybrid Information Flow Control for a JavaScript-Like Language , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[38]  David A. Schmidt,et al.  Automata-Based Confidentiality Monitoring , 2006, ASIAN.

[39]  Alan Cleary,et al.  Information flow analysis for javascript , 2011, PLASTIC '11.

[40]  Dennis M. Volpano Safety versus Secrecy , 1999, SAS.

[41]  Benjamin C. Pierce,et al.  Featherweight Firefox: Formalizing the Core of a Web Browser , 2010, WebApps.

[42]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[43]  Thomas H. Austin,et al.  Multiple facets for dynamic information flow , 2012, POPL '12.

[44]  Ajay Chander,et al.  JavaScript instrumentation for browser security , 2007, POPL '07.

[45]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[46]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[47]  Benjamin C. Pierce,et al.  Reactive noninterference , 2009, CCS.

[48]  Deepak Garg,et al.  Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis , 2014, PLAS@ECOOP.

[49]  Dominique Devriese,et al.  Reactive non-interference for a browser model , 2011, 2011 5th International Conference on Network and System Security.

[50]  Wouter Joosen,et al.  You are what you include: large-scale evaluation of remote javascript inclusions , 2012, CCS.

[51]  Deepak Garg,et al.  Information Flow Control in WebKit's JavaScript Bytecode , 2014, POST.

[52]  Andrei Sabelfeld,et al.  Secure Multi-execution: Fine-Grained, Declassification-Aware, and Transparent , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[53]  Marianne Winslett,et al.  Vetting browser extensions for security vulnerabilities with VEX , 2011, CACM.

[54]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[55]  Benjamin Livshits,et al.  ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser , 2010, 2010 IEEE Symposium on Security and Privacy.

[56]  Nataliia Bielova,et al.  Hybrid Information Flow Monitoring against Web Tracking , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[57]  Ankur Taly,et al.  An Operational Semantics for JavaScript , 2008, APLAS.

[58]  Shriram Krishnamurthi,et al.  The Essence of JavaScript , 2010, ECOOP.

[59]  Alejandro Russo,et al.  On-the-fly inlining of dynamic security monitors , 2010, Comput. Secur..

[60]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[61]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[62]  Robert Tappan Morris,et al.  Privacy-preserving browser-side scripting with BFlow , 2009, EuroSys '09.

[63]  Jeffrey S. Fenton Memoryless Subsystems , 1974, Comput. J..