Information Flow Control in WebKit's JavaScript Bytecode

Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this paper, we develop, formalize and implement a dynamic IFC mechanism for the JavaScript engine of a production Web browser (specifically, Safari’s WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and hence leverages years of industrial effort on optimizing both the source-to-bytecode compiler and the bytecode interpreter. We track both explicit and implicit flows and observe only moderate overhead. Working with bytecode results in new challenges including the extensive use of unstructured control flow in bytecode (which complicates lowering of program context taints), unstructured exceptions (which complicate the matter further) and the need to make IFC analysis permissive. We explain how we address these challenges, formally model the JavaScript bytecode semantics and our instrumentation, prove the standard property of termination-insensitive non-interference, and present experimental results on an optimized prototype.
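To make "lowering of program context taints" over unstructured control flow concrete, here is an added example (not the paper's code and not WebKit's): a toy monitor over a constructed register bytecode that has only jumps, where the pc label is raised at a conditional jump and lowered again when control reaches that jump's immediate post-dominator, and writes follow the no-sensitive-upgrade rule. The opcodes, register layout and the ipd-based scheme are assumptions for illustration, not the paper's design.

```javascript
// Added example, not the paper's code: a toy dynamic IFC monitor for an unstructured
// register bytecode. Registers hold {v, l} with l in {'L','H'}. A conditional jump
// pushes {l, ipd} on the pc-label stack; reaching the jump's immediate post-dominator
// pops it, which lowers the context taint without relying on structured if/else.
const lub = (a, b) => (a === 'H' || b === 'H' ? 'H' : 'L');
const succ = (code, i) =>
  ({ end: [], jmp: [code[i].to], jfalse: [i + 1, code[i].to] })[code[i].op] || [i + 1];
// Post-dominator sets by fixed point (assumes every path reaches one 'end');
// ipd(i) is the strict post-dominator of i that has the most post-dominators itself.
function ipdTable(code) {
  const pd = code.map((ins, i) => new Set(ins.op === 'end' ? [i] : code.keys()));
  for (let changed = true; changed; ) {
    changed = false;
    code.forEach((ins, i) => {
      if (ins.op === 'end') return;
      const ss = succ(code, i);
      const next = new Set([i, ...pd[ss[0]]].filter(x => x === i || ss.every(s => pd[s].has(x))));
      if (next.size !== pd[i].size) { pd[i] = next; changed = true; }
    });
  }
  return code.map((_, i) => [...pd[i]].filter(j => j !== i)
    .reduce((b, j) => (b === undefined || pd[j].size > pd[b].size ? j : b), undefined));
}
function run(code, regs) {
  const ipd = ipdTable(code), pcStack = [];
  const ctx = () => (pcStack.length ? pcStack[pcStack.length - 1].l : 'L');
  const write = (dst, v, l) => { // no-sensitive-upgrade: no write to a public register under a secret pc
    if (ctx() === 'H' && regs[dst] && regs[dst].l === 'L') throw new Error(`NSU violation at r${dst}`);
    regs[dst] = { v, l: lub(ctx(), l) };
  };
  for (let pc = 0; code[pc].op !== 'end'; ) {
    while (pcStack.length && pcStack[pcStack.length - 1].ipd === pc) pcStack.pop(); // lower pc taint at the join
    const ins = code[pc];
    if (ins.op === 'loadk') { write(ins.dst, ins.k, 'L'); pc++; }
    else if (ins.op === 'mov') { write(ins.dst, regs[ins.src].v, regs[ins.src].l); pc++; }
    else if (ins.op === 'jmp') pc = ins.to;
    else if (ins.op === 'jfalse') { // raise pc taint to the condition's label until the ipd
      pcStack.push({ l: lub(ctx(), regs[ins.cond].l), ipd: ipd[pc] });
      pc = regs[ins.cond].v ? pc + 1 : ins.to;
    } else throw new Error('unknown op ' + ins.op);
  }
  return regs;
}
// Constructed bytecode for `r2 = r0 ? 1 : 0; r3 = 5` with r0 secret: both jump targets
// write r2, and instruction 4 is the join point (the ipd of the jfalse at 0).
const program = [
  { op: 'jfalse', cond: 0, to: 3 }, { op: 'loadk', dst: 2, k: 1 }, { op: 'jmp', to: 4 },
  { op: 'loadk', dst: 2, k: 0 }, { op: 'loadk', dst: 3, k: 5 }, { op: 'end' },
];
console.log(run(program, [{ v: 1, l: 'H' }])); // r2 is labelled H, r3 is L again after the join
```

The same monitor rejects `r1 = 0; if (r0) r1 = 1` with r0 secret, because the write in the taken branch would upgrade a public register and the untaken branch would otherwise leak r0 through r1's unchanged value.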
