Information-flow security for JavaScript and its APIs

Cited by: 13
Authors
Hedin, Daniel [1 ,2 ]
Bello, Luciano [1 ]
Sabelfeld, Andrei [1 ]
Affiliations
[1] Chalmers Univ Technol, Dept Comp Sci & Engn, Rannvagen 6B, S-41296 Gothenburg, Sweden
[2] Malardalen Univ, Sch Innovat Design & Engn, Box 883, S-72123 Vasteras, Sweden
Keywords
Web application security; JavaScript; information flow; reference monitoring; noninterference
DOI
10.3233/JCS-160544
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.
Pages: 181-234
Number of pages: 54