An empirical study of privacy-violating information flows in JavaScript web applications

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 270-283

  Jang, Dongseok ^a   Jhala, Ranjit ^a   Lerner, Sorin ^a   Shacham, Hovav ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Dynamic analysis; History sniffing; Information ow; JavaScript; Privacy; Rewriting; Web application; Web security

Indexed keywords

INFORMATION OW; JAVASCRIPT; PRIVACY; REWRITING; WEB APPLICATION; WEB SECURITY;

DYNAMIC ANALYSIS; HIGH LEVEL LANGUAGES; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 78649998785     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866339     Document Type: Conference Paper

References (32)

1. T. Amtoft and A. Banerjee. Information ow analysis in logical form. In R. Giacobazzi, editor, Proceedings of SAS 2004, volume 3148 of LNCS, pages 100-15. Springer-Verlag, Aug. 2004.
2. L. D. Baron. Preventing attacks on a user's history through CSS :visited selectors, Apr. 2010. Online: http://dbaron.org/mozilla/visited-privacy.
3. Bugzilla@Mozilla. Bug 147777 - :visited support allows queries into global history, May 2002. Online: https://bugzilla.mozilla.org/show-bug.cgi?id= 147777.
4. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In M. Blaze, editor, Proceedings of USENIX Security 2004, pages 321-36. USENIX, Aug.2004.
5. A. Chudnov and D. A. Naumann. Information ow monitor inlining. In M. Backes and A. Myers, editors, Proceedings of CSF 2010. IEEE Computer Society, July 2010.
6. A. Clover. Timing attacks on Web privacy. Online: 5GP020A6LG. http://www.securiteam.com/securityreviews/, Feb. 2002.
7. D. E. Denning. A lattice model of secure information ow. Commun. ACM, 19(5):236-243, 1976.
8. M. Dhawan and V. Ganapathy. Analyzing information ow in JavaScript-based browser extensions. In C. Payne and M. Franz, editors, Proceedings of ACSAC 2009, pages 382-91. IEEE Computer Society, Dec. 2009.
9. E. W. Felten and M. A. Schneider. Timing attacks on Web privacy. In S. Jajodia, editor, Proceedings of CCS 2000, pages 25-32. ACM Press, Nov. 2000.
10. D. Flannagan. JavaScript: The Definitive Guide. O'Reilly, fifth edition, Aug. 2006.
11. J. A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of IEEE Security and Privacy ("Oakland") 1982, pages 11-20. EEE Computer Society, Apr. 1982.
12. C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Protecting browser state from Web privacy attacks. In C. Goble and M. Dahlin, editors, Proceedings of WWW 2006, pages 737-44. ACM Press, May 2006.
13. M. Jakobsson and S. Stamm. Invasive browser sniffing and countermeasures. In C. Goble and M. Dahlin, editors, Proceedings of WWW 2006, pages 523-32. ACM Press, May 2006.
14. A. Janc and L. Olejnik. Feasibility and real-world implications of Web browser history detection. In C. Jackson, editor, Proceedings of W2SP 2010. IEEE Computer Society, May 2010.
15. D. Jang, R. Jhala, S. Lerner, and H. Shacham. Rewriting-based dynamic information ow for JavaScript. Technical report, University of California, San Diego, Jan. 2010. Online: http://pho.ucsd.edu/rjhala/dif.pdf.
16. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In P. Patel-Schneider and P. Shenoy, editors, Proceedings of WWW 2007, pages 601-10. ACM Press, May 2007.
17. H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov. JavaScript instrumentation in practice. In G. Ramalingam, editor, Proceedings of APLAS 2008, volume 5356 of LNCS, pages 326-41. Springer-Verlag, Dec. 2008.
18. M. S. Lam, M. Martin, V. B. Livshits, and J. Whaley. Securing Web applications with static and dynamic information ow tracking. In R. Glück and O. de Moor, editors, Proceedings of PEPM 2008, pages 3-12. ACM Press, Jan. 2008.
19. J. Magazinius, A. Russo, and A. Sabelfeld. On-the-y inlining of dynamic security monitors. In K. Rannenberg and V. Varadharajan, editors, Proceedings of SEC 2010, Sept. 2010.
20. L. A. Meyerovich and V. B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In Proceedings of IEEE Security and Privacy ("Oakland") 2010, pages 481-496. IEEE Computer Society, 2010.
21. A. C. Myers. Programming with explicit security policies. In M. Sagiv, editor, Proceedings of ESOP 2005, volume 3444 of LNCS, pages 1-4. Springer-Verlag, Apr. 2005.
22. J. Newsome and D. X. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In D. Boneh and D. Simon, editors, Proceedings of NDSS 2005. ISOC, Feb. 2005.
23. F. Pottier and V. Simonet. Information ow inference for ML. In J. C. Mitchell, editor, Proceedings of POPL 2002, pages 319-330. ACM Press, Jan. 2002.
24. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser: Analysis of Web-based malware. In N. Provos, editor, Proceedings of HotBots 2007. USENIX, Apr. 2007.
25. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information ow in dynamic tree structures. In M. Backes and P. Ning, editors, Proceedings of ESORICS 2009, volume 5789 of LNCS, pages 86-103. Springer-Verlag, Sept. 2009.
26. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In D. Wallach, editor, Proceedings of USENIX Security 2001, pages 201-17. USENIX, Aug. 2001.
27. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information ow tracking. In K. McKinley, editor, Proceedings of ASPLOS 2004, pages 85-96. ACM Press, Oct. 2004.
28. T. Terauchi and A. Aiken. Secure information ow as a safety problem. In C. Hankin, editor, Proceedings of SAS 2005, volume 3672 of LNCS, pages 352-67. Springer-Verlag, Sept. 2005.
29. N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. RIFLE: An architectural framework for user-centric information-ow security. In A. González and J. P. Shen, editors, Proceedings of MICRO 2004, pages 243-54. IEEE Computer Society, Dec. 2004.
30. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Krügel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In W. Arbaugh and C. Cowan, editors, Proceedings of NDSS 2007. ISOC, Feb. 2007.
31. D. Volpano and G. Smith. Verifying secrets and relative secrecy. In T. Reps, editor, Proceedings of POPL 2000, pages 268-76. ACM Press, Jan. 2000.
32. D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In M. Felleisen, editor, Proceedings of POPL 2007, pages 237-49. ACM Press, Jan. 2007.