research-article

Staged information flow for javascript

Published: 15 June 2009

Abstract

Modern websites are powered by JavaScript, a flexible dynamic scripting language that executes in client browsers. A common paradigm in such websites is to include third-party JavaScript code in the form of libraries or advertisements. If this code were malicious, it could read sensitive information from the page or write to the location bar, thus redirecting the user to a malicious page, from which the entire machine could be compromised. We present an information-flow based approach for inferring the effects that a piece of JavaScript has on the website in order to ensure that key security properties are not violated. To handle dynamically loaded and generated JavaScript, we propose a framework for staging information flow properties. Our framework propagates information flow through the currently known code in order to compute a minimal set of syntactic residual checks that are performed on the remaining code when it is dynamically loaded. We have implemented a prototype framework for staging information flow. We describe our techniques for handling some difficult features of JavaScript and evaluate our system's performance on a variety of large real-world websites. Our experiments show that static information flow is feasible and efficient for JavaScript, and that our technique allows the enforcement of information-flow policies with almost no run-time overhead.


Published in

ACM SIGPLAN Notices, Volume 44, Issue 6 (PLDI '09), June 2009, 478 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1543135

PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2009, 492 pages
ISBN: 9781605583921
DOI: 10.1145/1542476

Copyright © 2009 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
