Trust and Trustworthy Computing

Volume 7904 of the series Lecture Notes in Computer Science pp 151-168

First-Class Labels: Using Information Flow to Debug Security Holes

  • Eric HenniganAffiliated withUniversity of California
  • , Christoph KerschbaumerAffiliated withUniversity of California
  • , Stefan BrunthalerAffiliated withUniversity of California
  • , Per LarsenAffiliated withUniversity of California
  • , Michael FranzAffiliated withUniversity of California

* Final gross prices may vary according to local VAT.

Get Access


We present a system of first-class labels that assists web authors in assessing and diagnosing vulnerabilities in web applications, focusing their attention on flows of information specific to their application. Using first-class labels, web developers can directly manipulate labels and express security policies within JavaScript itself, leveraging their existing knowledge to improve the quality of their applications. Introducing first-class labels incurs no additional overhead over the implementation of information flow in a JavaScript Virtual Machine, making it suitable for use in a security testing environment even for applications that execute large amounts of JavaScript code.