Information-flow security for a core of JavaScript

Proceedings of the Computer Security Foundations Workshop

Volumn , Issue , 2012, Pages 3-18

  Hedin, Daniel ^a   Sabelfeld, Andrei ^a  

^a CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

Author keywords

[No Author keywords available]

Indexed keywords

CODE EVALUATION; DOCUMENT OBJECT MODEL; DOCUMENT TREES; DYNAMIC LANGUAGES; DYNAMIC TYPE SYSTEMS; HIGHER-ORDER FUNCTIONS; INFORMATION FLOWS; JAVASCRIPT; LANGUAGE CONSTRUCTS;

HIGH LEVEL LANGUAGES; JAVA PROGRAMMING LANGUAGE; SECURITY SYSTEMS;

SECURITY OF DATA;

EID: 84866904012     PISSN: 10636900     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSF.2012.19     Document Type: Conference Paper

References (45)

1. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
2. T. H. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2009.
3. T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2010.
4. T. H. Austin and C. Flanagan. Multiple facets for dynamic information flow. In Proc. ACM Symp. on Principles of Programming Languages, Jan. 2012.
5. A. Banerjee and D. A. Naumann. Stack-based access control and secure information flow. Journal of Functional Programming, 15(2):131-177, Mar. 2005.
6. N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Reactive non-interference for a browser model. In Proc. International Conference on Network and System Security (NSS), pages 97-104, Sept. 2011.
7. A. Birgisson, D. Hedin, and A. Sabelfeld. Boosting the permissiveness of dynamic information-flow tracking by testing. Draft, Apr. 2012.
8. A. Bohannon, B. Pierce, V. Sjöberg, S. Weirich, and S. Zdancewic. Reactive noninterference. In ACM Conference on Computer and Communications Security, pages 79-90, Nov. 2009.
9. A. Bohannon and B. C. Pierce. Featherweight Firefox: Formalizing the core of a web browser. In Proc. USENIX Security Symposium, June 2010.
10. R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for javascript. In Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation, PLDI '09, New York, NY, USA, 2009. ACM.
11. E. S. Cohen. Information transmission in sequential programs. In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages 297-335. Academic Press, 1978.
12. Coq. http://coq.inria.fr.
13. D. Crockford. Making javascript safe for advertising. ad-safe.org, 2009.
14. D. E. Denning. A lattice model of secure information flow. Comm. of the ACM, 19(5):236-243, May 1976.
15. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Comm. of the ACM, 20(7):504-513, July 1977.
16. D. Devriese and F. Piessens. Non-interference through secure multi-execution. In Proc. IEEE Symp. on Security and Privacy, May 2010.
17. ECMA International. ECMAScript Language Specification, 1999. Version 3.
18. ECMA International. ECMAScript Language Specification, 2009. Version 5.
19. B. Eich. Flowsafe: Information flow security for the browser. https://wiki.mozilla.org/FlowSafe, Oct. 2009.
20. Facebook. FBJS. http://wiki.developers.facebook.com/index. php/FBJS, 2009.
21. J. S. Fenton. Memoryless subsystems. Computing J., 17(2):143-147, May 1974.
22. J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy, pages 11-20, Apr. 1982.
23. S. Guarnieri and B. Livshits. Gatekeeper: mostly static enforcement of security and reliability policies for javascript code. In Proceedings of the 18th conference on USENIX security symposium, SSYM'09, Berkeley, CA, USA, 2009. USENIX Association.
24. A. Guha, M. Fredrikson, B. Livshits, and N. Swamy. Verified security for browser extensions. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11, Washington, DC, USA, 2011. IEEE Computer Society.
25. A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In European Conference on Object-Oriented Programming, June 2010.
26. D. Hedin and A. Sabelfeld. Information-flow security for a core of JavaScript. Full version, http://www.cse.chalmers.se/~utter/jsflow/jsflow-full. pdf.
27. A. L. Hors and P. L. Hegaret. Document Object Model Level 3 Core Specification. Technical report, The World Wide Web Consortium, 2004.
28. D. Jang, R. Jhala, S. Lerner, and H. Shacham. An empirical study of privacy-violating information flows in JavaScript web applications. In ACM Conference on Computer and Communications Security, pages 270-283, Oct. 2010.
29. S. Maffeis, J. C. Mitchell, and A. Taly. An operational semantics for JavaScript. In Proc. of APLAS'08, volume 5356 of LNCS, pages 307-325, 2008.
30. J. Magazinius, A. Russo, and A. Sabelfeld. On-the-fly inlining of dynamic security monitors. In Proceedings of the IFIP International Information Security Conference (SEC), Sept. 2010.
31. M. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized javascript, 2008.
32. A. C. Myers, L. Zheng, S. Zdancewic, S. Chong, and N. Nys-trom. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif, July 2001.
33. F. Pottier and V. Simonet. Information flow inference for ML. ACM TOPLAS, 25(1):117-158, Jan. 2003.
34. W. Rafnsson and A. Sabelfeld. Limiting information leakage in event-based communication. In Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), June 2011.
35. A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In Proc. IEEE Computer Security Foundations Symposium, July 2009.
36. A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In Proc. IEEE Computer Security Foundations Symposium, July 2010.
37. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In Proc. European Symp. on Research in Computer Security, LNCS. Springer-Verlag, Sept. 2009.
38. P. D. Ryck, M. Decat, L. Desmet, F. Piessens, and W. Joose. Security of web mashups: a survey. In Nordic Conference in Secure IT Systems, LNCS, 2010.
39. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE J. Selected Areas in Communications, 21(1):5-19, Jan. 2003.
40. A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Proc. Andrei Ershov International Conference on Perspectives of System Informatics, LNCS. Springer-Verlag, June 2009.
41. A. Taly, U. Erlingsson, M. Miller, J. Mitchell, and J. Nagra. Automated analysis of security-critical JavaScript APIs. In Proc. IEEE Symp. on Security and Privacy, May 2011.
42. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proc. Network and Distributed System Security Symposium, Feb. 2007.
43. D. Volpano. Safety versus secrecy. In Proc. Symp. on Static Analysis, volume 1694 of LNCS, pages 303-311. SpringerVerlag, Sept. 1999.
44. D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. J. Computer Security, 4(3):167-187, 1996.
45. D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In Proc. ACM Symp. on Principles of Programming Languages, pages 237-249. ACM, 2007.