Abstract
Modern websites are powered by JavaScript, a flexible dynamic scripting language that executes in client browsers. A common paradigm in such websites is to include third-party JavaScript code in the form of libraries or advertisements. If this code were malicious, it could read sensitive information from the page or write to the location bar, thus redirecting the user to a malicious page, from which the entire machine could be compromised. We present an information-flow-based approach for inferring the effects that a piece of JavaScript has on the website in order to ensure that key security properties are not violated. To handle dynamically loaded and generated JavaScript, we propose a framework for staging information flow properties. Our framework propagates information flow through the currently known code in order to compute a minimal set of syntactic residual checks that are performed on the remaining code when it is dynamically loaded. We have implemented a prototype framework for staging information flow. We describe our techniques for handling some difficult features of JavaScript and evaluate our system's performance on a variety of large real-world websites. Our experiments show that static information flow is feasible and efficient for JavaScript, and that our technique allows the enforcement of information-flow policies with almost no run-time overhead.
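The two-stage idea in the abstract, as an added toy model that is not the paper's algorithm or prototype: stage one analyses the statically known page code once and derives a residual policy for the hole where third-party code will be loaded; stage two applies only a syntactic check to the loaded code. Assumed simplifications: statements are `lhs = id1 + id2 ...` over plain (possibly dotted) identifiers, the analysis is flow-insensitive, `document.cookie` is the only secret source and `window.location` the only sink, and the page and loaded snippets are constructed for the example.

```javascript
// Toy staged information flow (illustration, not the paper's analysis).
// Assumption: flow-insensitive, one source and one sink, "HOLE" marks the
// point where dynamically loaded code is inserted.
const SRC = "document.cookie";  // secret read from the page
const SINK = "window.location"; // redirect sink

// Constructed page code: the ad/library slot is the HOLE.
const KNOWN = `
c = document.cookie
greeting = name
HOLE
window.location = url
`;

function parse(code) {
  return code.trim().split("\n").map(l => l.trim())
    .filter(l => l && l !== "HOLE")
    .map(l => {
      const [lhs, rhs] = l.split("=").map(t => t.trim());
      return { lhs, reads: rhs.match(/[A-Za-z_][\w.]*/g) || [] };
    });
}

// Grow `set` by applying `step` to every statement until nothing changes.
function fixpoint(seed, stmts, step) {
  const set = new Set(seed);
  for (let grew = true; grew;) {
    grew = false;
    for (const s of stmts) for (const v of step(s, set))
      if (!set.has(v)) { set.add(v); grew = true; }
  }
  return set;
}

// Stage 1: analyse the known code once, producing the residual policy.
function stage(knownCode) {
  const stmts = parse(knownCode);
  // forward: a name assigned from a tainted name becomes tainted
  const tainted = fixpoint([SRC], stmts, (s, t) => s.reads.some(r => t.has(r)) ? [s.lhs] : []);
  // backward: names read while assigning a sink-reaching name reach the sink
  const reaching = fixpoint([SINK], stmts, (s, r) => r.has(s.lhs) ? s.reads : []);
  const knownViolates = [...tainted].some(v => reaching.has(v));
  return { tainted, reaching, knownViolates };
}

// Stage 2: purely syntactic residual check, no re-analysis of the page.
// Conservative: loaded code may not both read a tainted name and write a
// sink-reaching name, the only way it could complete a source-to-sink path.
function checkLoaded(loadedCode, residual) {
  const stmts = parse(loadedCode);
  const readsTainted = stmts.some(s => s.reads.some(r => residual.tainted.has(r)));
  const writesReaching = stmts.some(s => residual.reaching.has(s.lhs));
  return !(readsTainted && writesReaching);
}
```

The residual check is deliberately coarse: it can reject loaded code that reads `c` and separately writes `url` without any real flow between them, which is the price of not re-running the analysis at load time.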
Staged information flow for JavaScript
PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation