ABSTRACT
Modern websites are powered by JavaScript, a flexible dynamic scripting language that executes in client browsers. A common paradigm in such websites is to include third-party JavaScript code in the form of libraries or advertisements. If this code were malicious, it could read sensitive information from the page or write to the location bar, thus redirecting the user to a malicious page, from which the entire machine could be compromised. We present an information-flow-based approach for inferring the effects that a piece of JavaScript has on the website in order to ensure that key security properties are not violated. To handle dynamically loaded and generated JavaScript, we propose a framework for staging information-flow properties. Our framework propagates information flow through the currently known code in order to compute a minimal set of syntactic residual checks that are performed on the remaining code when it is dynamically loaded. We have implemented a prototype framework for staging information flow. We describe our techniques for handling some difficult features of JavaScript and evaluate our system's performance on a variety of large real-world websites. Our experiments show that static information flow is feasible and efficient for JavaScript, and that our technique allows the enforcement of information-flow policies with almost no run-time overhead.
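The staging idea in the abstract, as an added toy model that is not the paper's implementation: the known page code is analysed once to derive a residual check, and dynamically loaded code is then admitted or rejected by a purely syntactic scan of the identifiers it reads and writes. The assignment-list program representation, the source and sink names, and the sample page are constructed assumptions.

```javascript
// Added toy model (not the paper's implementation) of staging the policy
// "no flow from SOURCE to SINK": programs are lists of assignments
// {lhs, rhs: [identifiers read]}; 'HOLE' marks where later-loaded script runs.
const SOURCE = 'document.cookie'; // secret (assumed source)
const SINK = 'window.location';   // redirect target (assumed sink)
// Forward taint propagation over the statements before the hole.
function taintedBefore(stmts) {
  const tainted = new Set([SOURCE]);
  for (let changed = true; changed;) { // fixpoint, in case order is not topological
    changed = false;
    for (const s of stmts) {
      if (!tainted.has(s.lhs) && s.rhs.some(v => tainted.has(v))) {
        tainted.add(s.lhs); changed = true;
      }
    }
  }
  return tainted;
}

// Backward propagation: which variables still reach the sink after the hole runs?
function reachesSinkAfter(stmts) {
  const reaching = new Set([SINK]);
  for (let changed = true; changed;) {
    changed = false;
    for (const s of stmts.filter(x => reaching.has(x.lhs))) {
      for (const v of s.rhs) if (!reaching.has(v)) { reaching.add(v); changed = true; }
    }
  }
  return reaching;
}

// Stage 1 (static, run once): the residual check derived from the known code.
function stage(program) {
  const h = program.indexOf('HOLE');
  return { mustNotRead: taintedBefore(program.slice(0, h)),
           mustNotWrite: reachesSinkAfter(program.slice(h + 1)) };
}
// Stage 2 (at load time): a purely syntactic scan of the loaded code's
// identifiers; no flow analysis of its body is needed.
function admit(residual, loaded) {
  const readsSecret = loaded.some(s => s.rhs.some(v => residual.mustNotRead.has(v)));
  const writesSink = loaded.some(s => residual.mustNotWrite.has(s.lhs));
  return !(readsSecret && writesSink);
}

// Constructed sample page: the ad slot sits between reading the cookie and a
// redirect whose destination the known code copies from `target`.
const page = [{ lhs: 'secret', rhs: [SOURCE] }, { lhs: 'theme', rhs: ['prefs'] },
              'HOLE', { lhs: SINK, rhs: ['target'] }];
const residual = stage(page); // mustNotRead {cookie, secret}; mustNotWrite {location, target}
```

An ad that sets `target` from the untainted `theme` passes, while one that sets it from `secret` is rejected, which is the sense in which the residual check is smaller than a blanket ban on writing the location.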