Information-Flow Security for a Core of JavaScript

Tracking information flow in dynamic languages remains an important and intricate problem. This paper makes substantial headway toward understanding the main challenges and resolving them. We identify language constructs that constitute a core of JavaScript: objects, higher-order functions, exceptions, and dynamic code evaluation. The core is powerful enough to naturally encode native constructs as arrays, as well as functionalities of JavaScript's API from the document object model (DOM) related to document tree manipulation and event processing. As the main contribution, we develop a dynamic type system that guarantees information-flow security for this language.
