Hybrid Typing of Secure Information Flow in a JavaScript-Like Language

As JavaScript is highly dynamic by nature, static information flow analyses are often too coarse to deal with the dynamic constructs of the language. To cope with this challenge, we present and prove the soundness of a new hybrid typing analysis for securing information flow in a JavaScript-like language. Our analysis combines static and dynamic typing in order to avoid rejecting programs due to imprecise typing information. Program regions that cannot be precisely typed at static time are wrapped inside an internal boundary statement used by the semantics to interleave the execution of statically verified code with the execution of code that must be dynamically checked.

[1]  Arnar Birgisson,et al.  JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.

[2]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[3]  Tamara Rezk,et al.  An Information Flow Monitor-Inlining Compiler for Securing a Core of JavaScript , 2014, SEC.

[4]  Sorin Lerner,et al.  Staged information flow for javascript , 2009, PLDI '09.

[5]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[6]  Dominique Devriese,et al.  FlowFox: a web browser with flexible and precise information flow control , 2012, CCS '12.

[7]  Ankur Taly,et al.  Language-Based Isolation of Untrusted JavaScript , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[8]  Kenneth Knowles,et al.  Hybrid type checking , 2010, TOPL.

[9]  Peter Thiemann Towards a Type System for Analyzing JavaScript Programs , 2005, ESOP.

[10]  C. Flanagan,et al.  Gradual Information Flow Typing , 2011 .

[11]  Robert Bruce Findler,et al.  Operational semantics for multi-language programs , 2009 .

[12]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..

[13]  Gavin M. Bierman,et al.  Safe & Efficient Gradual Typing for TypeScript , 2015, POPL.

[14]  Deepak Garg,et al.  Information Flow Control in WebKit's JavaScript Bytecode , 2014, POST.

[15]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[16]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[17]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[18]  Peter Thiemann,et al.  Gradual Security Typing with References , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.