| Abstract |
|---|
| JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties. |
| Year | DOI | Venue |
|---|---|---|
| 2015 | 10.3233/JCS-160544 | JOURNAL OF COMPUTER SECURITY |

| Keywords | Field | DocType |
|---|---|---|
| Web application security, JavaScript, information flow, reference monitoring, noninterference | World Wide Web, Web page, Computer science, Unobtrusive JavaScript, Web application security, Cross-site scripting, Web application, Rich Internet application, Content Security Policy, JavaScript | Journal |

| Volume | Issue | ISSN |
|---|---|---|
| 24 | 2 | 0926-227X |

| Citations | PageRank | References |
|---|---|---|
| 12 | 0.54 | 7 |

| Authors |
|---|
| 3 |

Name | Order | Citations | PageRank |
---|---|---|---|
Daniel Hedin | 1 | 285 | 11.91 |
Luciano Bello | 2 | 99 | 3.26 |
Andrei Sabelfeld | 3 | 2692 | 121.16 |