CPL - Chalmers Publication Library

Information-flow security for JavaScript and its APIs

Daniel Hedin (Department of Computer Science and Engineering, Software Technology (Chalmers)) ; Luciano Bello (Department of Computer Science and Engineering, Software Technology (Chalmers)) ; Andrei Sabelfeld (Department of Computer Science and Engineering, Software Technology (Chalmers))
Journal of Computer Security (0926227X). Vol. 24 (2016), 2, p. 181-234.
[Article, peer-reviewed scientific]

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

Keywords: information flow; JavaScript; noninterference; reference monitoring; Web application security



This record was created 2016-07-12.
CPL Pubid: 239286

 



Departments (Chalmers)

Department of Computer Science and Engineering, Software Technology (Chalmers)

Subject areas

Software Engineering
