Abstract
JavaScript has become a central technology of the web, but it is also the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with full privileges. We implement information flow controls in Firefox to help prevent violations of data confidentiality and integrity. Most previous information flow techniques have primarily relied on either static type systems, which are a poor fit for JavaScript, or on dynamic analyses that sometimes get stuck due to problematic implicit flows, even in situations where the target web application correctly satisfies the desired security policy. We introduce faceted values, a new mechanism for providing information flow security in a dynamic manner that overcomes these limitations. Taking inspiration from secure multi-execution, we use faceted values to simultaneously and efficiently simulate multiple executions for different security levels, thus providing non-interference with minimal overhead, and without the reliance on the stuck executions of prior dynamic approaches.
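As an added illustration of the mechanism the abstract describes (this is example code, not code from the paper or its Firefox implementation), the following sketches single-principal faceted values in JavaScript and runs the classic implicit-flow program `y = true; if (x) y = false;` with `x` secret. The class, helper names and the `pc` encoding are this example's own assumptions.

```javascript
// Added example, not the paper's code: a single-principal faceted-value evaluator.
// A faceted value <k ? vH : vL> pairs the view of observers that hold principal k (vH)
// with the view of everyone else (vL). Operations run on both facets at once, so the
// public view never depends on the secret and no execution has to be aborted
// when an implicit flow is encountered.
class Faceted {
  constructor(high, low) { this.high = high; this.low = low; }
}
const isFaceted = v => v instanceof Faceted;
const hi = v => (isFaceted(v) ? v.high : v);
const lo = v => (isFaceted(v) ? v.low : v);
// View a value as an observer with (hasK = true) or without (hasK = false) principal k.
const view = (v, hasK) => (hasK ? hi(v) : lo(v));

// Explicit flows: apply a binary operation facet-wise.
function binop(op, a, b) {
  if (!isFaceted(a) && !isFaceted(b)) return op(a, b);
  return new Faceted(op(hi(a), hi(b)), op(lo(a), lo(b)));
}

// Assignment under a program-counter label pc in {null, 'k', '!k'} (assumed encoding):
// under 'k' only the k-view of the variable changes, under '!k' only the public view.
function assign(store, name, value, pc) {
  const old = store[name];
  if (pc === null) store[name] = value;
  else if (pc === 'k') store[name] = new Faceted(hi(value), lo(old));
  else store[name] = new Faceted(hi(old), lo(value));
}

// Conditional on a possibly faceted guard: instead of branching on the secret,
// run the branch chosen by each facet under the matching pc (both, when pc is null).
function branch(store, guard, thenFn, elseFn, pc) {
  if (!isFaceted(guard)) { (guard ? thenFn : elseFn)(pc); return; }
  if (pc !== '!k') (hi(guard) ? thenFn : elseFn)('k');
  if (pc !== 'k') (lo(guard) ? thenFn : elseFn)('!k');
}

// The classic implicit flow:  y = true; if (x) y = false;  with x secret.
// x carries a dummy public view (undefined) so public observers learn nothing from it.
function implicitFlowDemo(secret) {
  const store = { x: new Faceted(secret, undefined), y: true };
  branch(store, store.x, pc => assign(store, 'y', false, pc), () => {}, null);
  return store.y;
}
```

Whatever the secret, the public view of `y` stays `true`, while an observer holding `k` sees the value the program actually computed.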
Supplemental Material
Supplemental proofs are included in SupplementalProofs.pdf
Published in POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages.