Practical Information Flow Control for Web Applications

Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementation of IFC enforcement remains a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with the closest related work and show that Gifc performs better at detecting unwanted implicit flows.
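To make "implicit flow" and "permissive upgrade" concrete, the following is an added illustration, not Gifc's code or its instrumentation output: a simplified two-level monitor applied to a constructed program that copies a secret into a public variable through control flow alone. The `Monitor` class, its method names and the sample program are assumptions made for this sketch.

```javascript
// Added illustration, not Gifc's code. Labels: L public, H secret,
// P "partially leaked" (the marker permissive upgrade introduces).
const L = "L", H = "H", P = "P";
class IFCViolation extends Error {}
class Monitor {
  constructor() {
    this.store = new Map(); // name -> { value, label }
    this.pc = [L];          // stack of branch labels (security context)
    this.sink = [];         // values released to a public observer
  }
  get ctx() { return this.pc.includes(H) ? H : L; }
  declare(name, value, label) { this.store.set(name, { value, label }); }
  assign(name, value, label = L) {
    // In a secret context the write is allowed, but a target that was
    // not already H is marked P instead of halting the program here.
    if (this.ctx === H) label = this.store.get(name).label === H ? H : P;
    this.store.set(name, { value, label });
  }
  branch(name, test, body) {
    const { value, label } = this.store.get(name);
    if (label === P) throw new IFCViolation(`branch on partially leaked '${name}'`);
    this.pc.push(label);
    try { if (test(value)) body(); } finally { this.pc.pop(); }
  }
  output(name) {
    const { value, label } = this.store.get(name);
    if (label !== L) throw new IFCViolation(`'${name}' (${label}) sent to public sink`);
    this.sink.push(value);
  }
}

// Instrumented form of the constructed program:
//   x = false; y = true; if (h) x = true; if (!x) y = false; send(y);
function run(secret) {
  const m = new Monitor();
  m.declare("h", secret, H);
  m.declare("x", false, L);
  m.declare("y", true, L);
  let halted = false;
  try {
    m.branch("h", v => v, () => m.assign("x", true));
    m.branch("x", v => !v, () => m.assign("y", false));
    m.output("y");
  } catch (e) {
    if (!(e instanceof IFCViolation)) throw e;
    halted = true;
  }
  return { halted, sink: m.sink, xLabel: m.store.get("x").label };
}
```

Unmonitored, the program sends `true` when `h` is true and `false` otherwise. Under the monitor, `run(true)` stops at the second branch because `x` is labelled P, so the value of `y` that would reveal `h` never reaches the sink.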
