Title
Information-flow security for JavaScript and its APIs.
Abstract
JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns bare-bones web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.
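The abstract describes a dynamic monitor that tracks how sensitive data moves through a script, both along explicit data dependencies and through control flow. The block below is an added illustrative example, not JSFlow's code nor any code from the paper: a toy monitor in plain JavaScript over a two-point lattice (L public, H secret) with a program-counter label for implicit flows and the no-sensitive-upgrade check that dynamic monitors of this kind commonly use to stop writes to public variables under a secret guard. The scenario functions, the secret value, and the sink labels (L standing for a third-party endpoint, H for the originating server) are constructed for the example; the paper's actual rules for objects, exceptions and eval are considerably richer.

```javascript
// Added example: a toy dynamic information-flow monitor, not JSFlow itself.
// Two-point lattice: L (public) is below H (secret).
const L = "L";
const H = "H";
const join = (a, b) => (a === H || b === H ? H : L);
const leq = (a, b) => a === L || b === H; // may information labeled a flow to b?

class IllegalFlow extends Error {}

// A labeled value pairs a raw JavaScript value with its security label.
const lab = (v, l) => ({ v, l });

class Monitor {
  constructor() {
    this.pc = L;           // program-counter label: secrecy of the current control context
    this.vars = new Map(); // variable name -> labeled value
  }
  // Explicit flow: a computed result carries the join of all operand labels.
  op(f, ...args) {
    const l = args.reduce((acc, a) => join(acc, a.l), L);
    return lab(f(...args.map((a) => a.v)), l);
  }
  // Assignment under the no-sensitive-upgrade discipline: a variable whose label is
  // below the current pc may not be written, since whether the write happens at all
  // would depend on the secret that raised pc. Writes are also tainted with pc.
  set(name, lv) {
    const old = this.vars.get(name);
    if (old && !leq(this.pc, old.l)) {
      throw new IllegalFlow(`sensitive upgrade of ${name} under pc=${this.pc}`);
    }
    this.vars.set(name, lab(lv.v, join(lv.l, this.pc)));
  }
  get(name) {
    const lv = this.vars.get(name);
    if (lv === undefined) throw new ReferenceError(name);
    return lv;
  }
  // Implicit flow: inside a branch the pc is raised to the guard's label and
  // restored afterwards, even if the branch body throws.
  branch(guard, thenFn, elseFn = () => {}) {
    const saved = this.pc;
    this.pc = join(this.pc, guard.l);
    try {
      (guard.v ? thenFn : elseFn)();
    } finally {
      this.pc = saved;
    }
  }
  // Output to a sink with a fixed label; the value's label joined with pc must flow to it.
  send(lv, sinkLabel) {
    const l = join(lv.l, this.pc);
    if (!leq(l, sinkLabel)) {
      throw new IllegalFlow(`value labeled ${l} sent to ${sinkLabel} sink`);
    }
    return lv.v;
  }
}

// Run a scenario under a fresh monitor and report the verdict.
function run(scenario) {
  const m = new Monitor();
  try {
    return { verdict: "allowed", out: scenario(m) };
  } catch (e) {
    if (e instanceof IllegalFlow) return { verdict: "blocked", reason: e.message };
    throw e;
  }
}

// Constructed scenarios. "secret" stands for data an API (say, a password field) returns as H.
const explicitLeak = (m) => {
  m.set("secret", lab("hunter2", H));
  m.set("msg", m.op((s) => "pw=" + s, m.get("secret")));
  return m.send(m.get("msg"), L); // H data to a third-party sink
};

const implicitLeak = (m) => {
  m.set("secret", lab(true, H));
  m.set("guess", lab(false, L));
  m.branch(m.get("secret"), () => m.set("guess", lab(true, L))); // public write under secret pc
  return m.send(m.get("guess"), L);
};

const shareWithOrigin = (m) => {
  m.set("secret", lab(true, H));
  m.set("copy", lab(false, H)); // declared secret up front, so the write below is permitted
  m.branch(m.get("secret"), () => m.set("copy", lab(true, L)));
  return m.send(m.get("copy"), H); // H data to the originating server
};

const publicOnly = (m) => {
  m.set("ua", lab("Mozilla/5.0", L));
  m.set("n", lab(0, L));
  m.branch(m.op((u) => u.length > 5, m.get("ua")), () => m.set("n", lab(1, L)));
  return m.send(m.get("n"), L);
};
```

The two blocked scenarios correspond to the two classic leak shapes: `explicitLeak` fails at the sink because the label travelled with the data, while `implicitLeak` fails earlier, at the assignment, because the monitor cannot tell whether `guess` was written without consulting the secret. `shareWithOrigin` shows the price of the discipline: the script author must declare `copy` secret in advance for the same control structure to be accepted.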
Year: 2015
DOI: 10.3233/JCS-160544
Venue: JOURNAL OF COMPUTER SECURITY
Keywords: Web application security, JavaScript, information flow, reference monitoring, noninterference
Field: World Wide Web, Web page, Computer science, Unobtrusive JavaScript, Web application security, Cross-site scripting, Web application, Rich Internet application, Content Security Policy, JavaScript
DocType: Journal
Volume: 24
Issue: 2
ISSN: 0926-227X
Citations: 12
PageRank: 0.54
References: 7
Authors (3)
Name               Order  Citations  PageRank
Daniel Hedin       1      285        11.91
Luciano Bello      2      99         3.26
Andrei Sabelfeld   3      2692       121.16