Staged information flow for JavaScript

Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)

Volumn , Issue , 2009, Pages 50-62

  Chugh, Ravi ^a   Meister, Jeffrey A ^a   Jhala, Ranjit ^a   Lerner, Sorin ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Confidentiality; Flow analysis; Integrity; Set constraints; Web applications

Indexed keywords

FLEXIBLE DYNAMICS; FLOW ANALYSIS; INFORMATION FLOWS; JAVASCRIPT; REAL-WORLD; RUNTIMES; SCRIPTING LANGUAGES; SECURITY PROPERTIES; SENSITIVE INFORMATIONS; SET CONSTRAINTS; STATIC INFORMATION; SYSTEM'S PERFORMANCE; WEB APPLICATION;

C (PROGRAMMING LANGUAGE); COMPUTER SOFTWARE; EMBEDDED SYSTEMS; LINGUISTICS; PULSATILE FLOW; WORLD WIDE WEB;

JAVA PROGRAMMING LANGUAGE;

EID: 70450253203     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1542476.1542483     Document Type: Conference Paper

References (37)

1. English: Alexa top 100 sites, November 2008. http://www.alexa.com/.
2. Google web toolkit, November 2008. http://code.google.com/webtoolkit/.
3. Jsure, November 2008. http://www.jsure.org/.
4. Volta, November 2008. http://live.labs.com/volta.
5. T. Amtoft and A. Banerjee. Information flow analysis in logical form. In SAS, pages 100-115, 2004.
6. C. Anderson, P. Giannini, and S. Drossopoulou. Towards type inference for javascript. In ECOOP, pages 428-452, 2005.
7. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web application via automatic partitioning. In SOSP, pages 31-44, 2007.
8. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In USENIX Security Symposium, pages 321-336, 2004.
9. P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazières, F. Kaashoek, and R. Morris. Labels and event processes in the asbestos operating system. In SOSP. ACM, 2005.
10. M. Fähndrich and A. Aiken. Program analysis using mixed term and set constraints. In SAS, pages 114-126, 1997.
11. M. Fähndrich, J. S. Foster, A. Aiken, and J. Cu. Tracking down exceptions in standard ml programs. Technical report, EECS Department, UC Berkeley, 1998.
12. C. Flanagan and M. Felleisen. Componential set-based analysis. ACM Trans. Program. Lang. Syst., 21(2):370-416, 1999.
13. J. S. Foster, M. Fähndrich, and A. Aiken. A theory of type qualifiers. In PLDI. ACM, 1999.
14. J. S. Foster, M. Fähndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for c. In SAS, 2000.
15. J. A. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, pages 11-20, 1982.
16. B. Hardekopf and C. Lin. The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code. In PLDI, 2007.
17. D. Herman and C. Flanagan. Status report: specifying javascript with ml. In ML, pages 47-52, 2007.
18. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW, 2007.
19. N. Jovanovic, C. Krügel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IEEE Symposium on Security and Privacy, 2006.
20. J. Kodumal and A. Aiken. Banshee: A scalable constraint-based analysis toolkit. In SAS, pages 218-234, 2005.
21. M. S. Lam, M. Martin, V. B. Livshits, and J. Whaley. Securing web applications with static and dynamic information flow tracking. In PEPM, pages 3-12, 2008.
22. B. Livshits and S. Guarnieri. Gatekeeper: Mostly static enforcement of security and reliability policies for javascript code. Technical Report MSR-TR-2009-16, Microsoft Research, Feb. 2009.
23. A. C. Myers. Programming with explicit security policies. In ESOP, pages 1-4, 2005.
24. J. Newsome and D. X. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.
25. F. Pottier and V. Simonet. Information flow inference for ml. In POPL, pages 319-330, 2002.
26. P. Pratikakis, J. S. Foster, and M. Hicks. Locksmith: context-sensitive correlation analysis for race detection. In PLDI. ACM, 2006.
27. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In HotBots, 2007.
28. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security, 2001.
29. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In ASPLOS, 2004.
30. T. Terauchi and A. Aiken. Secure information flow as a safety problem. In SAS, pages 352-367, 2005.
31. P. Thiemann. Towards a type system for analyzing javascript programs. In ESOP, pages 408-422, 2005.
32. N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. Reis, M. Vachharajani, and D. I. August. Rifle: An architectural framework for user-centric information-flow security. In MICRO, 2004.
33. D. Volpano and G. Smith. Verifying secrets and relative secrecy. In POPL, 2000.
34. G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE, pages 171-180, 2008.
35. Y. Xie and A. Aiken. Scalable error detection using boolean satisfiability. In POPL, pages 351-363, 2005.
36. D. Yu, A. Chander, N. Islam, and I. Serikov. Javascript instrumentation for browser security. In POPL, pages 237-249, 2007.
37. N. Zeldovich, S. Boyd-Wickizer, and D. Mazières. Securing distributed systems with information flow control. In NSDI, 2008.