ABSTRACT
JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy.
This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.