JSFlow: tracking information flow in JavaScript and its APIs

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.
