Abstract
JavaScript is the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. Information flow controls help prevent violations of data confidentiality and integrity.
This article explores faceted values, a mechanism for providing information flow security in a dynamic manner that avoids the stuck executions of some prior approaches, such as the no-sensitive-upgrade technique. Faceted values simultaneously simulate multiple executions for different security levels to guarantee termination-insensitive noninterference. We also explore the interaction of faceted values with exceptions, declassification, and clearance.
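To make the mechanism concrete, here is an added example in JavaScript (it is not the paper's own code, nor the Zaphod/ZaphodFacets implementation it describes). It runs the classic implicit-flow program `x = true; y = true; if (h) x = false; if (x) y = false;` under a minimal single-principal faceted-value interpreter and, for contrast, under a no-sensitive-upgrade (NSU) monitor. All names (`Facet`, `mkFacet`, `liftOp`, `createFacet`, `branchIf`, `facetedRun`, `nsuRun`) are this example's own; `undefined` stands in for the paper's ⊥ ("no value"), and treating a ⊥ condition as running neither branch is an assumption made here.

```javascript
// Added example: a minimal single-principal faceted-value interpreter and an
// NSU monitor, run on the classic implicit-flow program.  This is not the
// paper's own code; `undefined` stands in for the paper's ⊥ ("no value").

class Facet {                       // <label ? high : low>
  constructor(label, high, low) { this.label = label; this.high = high; this.low = low; }
}

// Build <k ? high : low>, collapsing to a plain value when both views agree.
function mkFacet(k, high, low) {
  return high === low ? high : new Facet(k, high, low);
}

// Project a value onto the view where k is (projH) or is not (projL) present.
const projH = (k, v) => (v instanceof Facet && v.label === k ? v.high : v);
const projL = (k, v) => (v instanceof Facet && v.label === k ? v.low : v);

// pc is a Map: label -> true (k in pc) or false (not-k in pc).
const withPc = (pc, k, sign) => new Map(pc).set(k, sign);

// Apply a strict primitive f to possibly-faceted arguments under pc.
function liftOp(pc, f, ...args) {
  if (args.some(a => a === undefined)) return undefined;      // ⊥ op v = ⊥
  const fa = args.find(a => a instanceof Facet);
  if (!fa) return f(...args);
  const k = fa.label;
  if (pc.get(k) === true)  return liftOp(pc, f, ...args.map(a => projH(k, a)));
  if (pc.get(k) === false) return liftOp(pc, f, ...args.map(a => projL(k, a)));
  return mkFacet(k,
    liftOp(withPc(pc, k, true),  f, ...args.map(a => projH(k, a))),
    liftOp(withPc(pc, k, false), f, ...args.map(a => projL(k, a))));
}

// <<pc ? vNew : vOld>>: observers consistent with every label in pc see the
// new value; every other observer keeps the old one.
function createFacet(pcEntries, vNew, vOld) {
  if (pcEntries.length === 0) return vNew;
  const [[k, sign], ...rest] = pcEntries;
  return sign
    ? mkFacet(k, createFacet(rest, vNew, projH(k, vOld)), projL(k, vOld))
    : mkFacet(k, projH(k, vOld), createFacet(rest, vNew, projL(k, vOld)));
}

// Assignment under pc never gets stuck: the store is updated facet-wise.
function assign(store, pc, name, v) {
  store[name] = createFacet([...pc], v, store[name]);
}

// `if (c) thenFn(pc)`.  A faceted condition runs the body under pc+k and
// pc+not-k; a ⊥ condition runs no branch (assumption of this example).
function branchIf(pc, c, thenFn) {
  if (c === undefined) return;
  if (c instanceof Facet) {
    const k = c.label;
    if (pc.get(k) === true)  return branchIf(pc, c.high, thenFn);
    if (pc.get(k) === false) return branchIf(pc, c.low, thenFn);
    branchIf(withPc(pc, k, true),  c.high, thenFn);
    branchIf(withPc(pc, k, false), c.low,  thenFn);
    return;
  }
  if (c) thenFn(pc);
}

// Classic implicit flow: x = true; y = true; if (h) x = false; if (x) y = false;
// With plain booleans this leaves y === h, leaking h without ever copying it.
function implicitFlow(h) {
  const store = { x: true, y: true };
  const top = new Map();
  branchIf(top, h, pc => assign(store, pc, 'x', false));
  branchIf(top, store.x, pc => assign(store, pc, 'y', false));
  return store;
}

const publicView  = v => projL('k', v);   // observer without k
const privateView = v => projH('k', v);   // observer cleared for k

// Faceted run with secret h = <k ? secret : ⊥>.
function facetedRun(secret) {
  const h = new Facet('k', secret, undefined);
  const store = implicitFlow(h);
  const agree = liftOp(new Map(), (a, b) => a === b, store.y, h);
  return { pub: publicView(store.y), priv: privateView(store.y),
           yEqualsH: privateView(agree) };
}

// Same program under a no-sensitive-upgrade monitor: values carry L/H labels
// and assigning to an L variable while pc is H halts the program.
function nsuRun(secret) {
  const store = { x: { v: true, lab: 'L' }, y: { v: true, lab: 'L' } };
  const h = { v: secret, lab: 'H' };
  const nsuAssign = (pc, name, v) => {
    if (pc === 'H' && store[name].lab === 'L') throw new Error('NSU: stuck');
    store[name] = { v, lab: pc };
  };
  try {
    if (h.v) nsuAssign(h.lab, 'x', false);            // pc = H inside this if
    if (store.x.v) nsuAssign(store.x.lab, 'y', false);
    return { stuck: false, y: store.y.v };
  } catch (e) {
    return { stuck: true, y: undefined };
  }
}

console.log(facetedRun(true), facetedRun(false), nsuRun(true), nsuRun(false));
```

Under faceted execution the public view of `y` is `false` whether the secret is `true` or `false`, so a k-less observer learns nothing about `h`, while the k-cleared view of `y` equals `h` exactly as the unmonitored program would compute it. The NSU monitor reaches the same noninterference goal only by halting the run for `h = true` (the assignment to public `x` under a secret pc) and letting the `h = false` run finish; that halt-or-not difference is the termination channel that "termination-insensitive" in the abstract leaves out of scope.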
Index Terms
- Multiple Facets for Dynamic Information Flow with Exceptions