Information Flow Analysis for a Dynamically Typed Language with Staged Metaprogramming

Web applications written in JavaScript are regularly used for dealing with sensitive or personal data. Consequently, reasoning about their security properties has become an important problem, which is made very difficult by the highly dynamic nature of the language, particularly its support for runtime code generation via eval. In order to deal with this, we propose to investigate security analyses for languages with more principled forms of dynamic code generation. To this end, we present a static information flow analysis for a dynamically typed functional language with prototype-based inheritance and staged metaprogramming. We prove its soundness, implement it and test it on various examples designed to show its relevance to proving security properties, such as noninterference, in JavaScript. To demonstrate the applicability of the analysis, we also present a general method for transforming a program using eval into one using staged metaprogramming. To our knowledge, this is the first fully static information flow analysis for a language with staged metaprogramming, and the first formal soundness proof of a CFA-based information flow analysis for a functional programming language.
