2017 | OriginalPaper | Book chapter

A Self-correcting Information Flow Control Model for the Web-Browser

Written by: Deepak Subramanian, Guillaume Hiet, Christophe Bidan

Published in: Foundations and Practice of Security

Publisher: Springer International Publishing

Abstract

Web-browser security, with an emphasis on JavaScript security, is one of the important problems of the modern world. The potency of information flow control (IFC) in the context of JavaScript is quite appealing. In this paper, we adopt an earlier technique, Address Split Design (ASD), proposed by Deepak et al. [12]. We propose an alternative data structure to the dictionaries used in ASD to keep track of secret variables. We also propose a novel approach to help track and learn from information flows. This learnt data can subsequently be used to create a more adaptive and effective IFC model. As the information about a function grows, potential leaks are also thwarted. Using such an approach, we show that more rigid security guarantees can eventually be achieved as the learnt data increases.

References

1. Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-Insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88313-5_22
2. Austin, T.: Dynamic information flow analysis for Javascript in a web browser. Ph.D. thesis, University of California, Santa Cruz (2013)
3. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. ACM SIGPLAN Not. 44(8), 20 (2009)
4. Bell, D., LaPadula, L.: Secure Computer Systems: Mathematical Foundations. Technical report, DTIC.MIL (1973)
5. Biba, K.J.: Integrity Considerations for Secure Computer Systems. Technical report, The Mitre Corporation (1975)
6. Bielova, N.: Survey on JavaScript security policies and their enforcement mechanisms in a web browser. J. Logic Algebraic Program. 82(8), 243–262 (2013)
7. Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: 2010 IEEE Symposium on Security and Privacy, pp. 109–124 (2010)
8. Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 748–759. ACM, Raleigh, North Carolina, USA (2012)
9. Hedin, D., Sabelfeld, A.: Information-flow security for a core of javascript. In: 2012 IEEE 25th Computer Security Foundations Symposium, pp. 3–18. IEEE, June 2012
10. Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: Exploring a new approach. In: 2011 IEEE Symposium on Security and Privacy, pp. 413–428. IEEE, May 2011
11. Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)
12. Subramanian, D., Hiet, G., Bidan, C.: Preventive information flow control through a mechanism of split addresses. In: 2016 ACM 9th International Conference on Security of Information and Networks. ACM, July 2016

Metadata
Title
A Self-correcting Information Flow Control Model for the Web-Browser
Written by
Deepak Subramanian
Guillaume Hiet
Christophe Bidan
Copyright year
2017
DOI
https://doi.org/10.1007/978-3-319-51966-1_19