First-Class Labels: Using Information Flow to Debug Security Holes

  • Eric Hennigan
  • Christoph Kerschbaumer
  • Stefan Brunthaler
  • Per Larsen
  • Michael Franz
Conference paper

DOI: 10.1007/978-3-642-38908-5_12

Volume 7904 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Hennigan E., Kerschbaumer C., Brunthaler S., Larsen P., Franz M. (2013) First-Class Labels: Using Information Flow to Debug Security Holes. In: Huth M., Asokan N., Čapkun S., Flechais I., Coles-Kemp L. (eds) Trust and Trustworthy Computing. Trust 2013. Lecture Notes in Computer Science, vol 7904. Springer, Berlin, Heidelberg

Abstract

We present a system of first-class labels that assists web authors in assessing and diagnosing vulnerabilities in web applications, focusing their attention on flows of information specific to their application. Using first-class labels, web developers can directly manipulate labels and express security policies within JavaScript itself, leveraging their existing knowledge to improve the quality of their applications. Introducing first-class labels incurs no additional overhead over the implementation of information flow in a JavaScript Virtual Machine, making it suitable for use in a security testing environment even for applications that execute large amounts of JavaScript code.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Eric Hennigan (1)
  • Christoph Kerschbaumer (1)
  • Stefan Brunthaler (1)
  • Per Larsen (1)
  • Michael Franz (1)

  1. University of California, Irvine, USA