A Self-correcting Information Flow Control Model for the Web-Browser
- 636 Downloads
Abstract
Web-browser security with emphasis on JavaScript security, is one of the important problems of the modern world. The potency of information flow control (IFC) in the context of JavaScript is quite appealing. In this paper, we adopt an earlier technique, Address Split Design (ASD), proposed by Deepak et al. [12]. We propose an alternate data-structure to the dictionaries used in ASD to keep track of secret variables. We also propose a novel approach to help track and learn from information flows. This learnt data can subsequently be used to create a more adaptive and effective IFC model. As the information about a function augments, potential leaks are also thwarted. Using such an approach, we show that more rigid security guarantees can be achieved eventually with increase in learnt data.
Keywords
Information Flow Control (IFC) Secret Variables JavaScript Termination-insensitive Noninterference (TINI) Dependent NodesNotes
Acknowledgments
This work has received a French government support granted to the COMIN Labs excellence laboratory and managed by the National Research Agency in the “Investing for the Future” program under reference ANR-10-LABX-07-01.
References
- 1.Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-Insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88313-5_22 CrossRefGoogle Scholar
- 2.Austin, T.: Dynamic information flow analysis for Javascript in a web browser. Ph.D. thesis, University of California, Santa Cruz (2013)Google Scholar
- 3.Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. ACM SIGPLAN Not. 44(8), 20 (2009)CrossRefGoogle Scholar
- 4.Bell, D., LaPadula, L.: Secure Computer Systems: Mathematical Foundations. Technical report, DTIC.MIL (1973)Google Scholar
- 5.Biba, K.J.: Integrity Considerations for Secure Computer Systems. Technical report, The Mitre Corporation (1975)Google Scholar
- 6.Bielova, N.: Survey on JavaScript security policies and their enforcement mechanisms in a web browser. J. Logic Algebraic Program. 82(8), 243–262 (2013)CrossRefzbMATHGoogle Scholar
- 7.Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: 2010 IEEE Symposium on Security and Privacy, pp. 109–124 (2010)Google Scholar
- 8.Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 748–759. ACM, Raleigh, North Carolina, USA (2012)Google Scholar
- 9.Hedin, D., Sabelfeld, A.: Information-flow security for a core of javascript. In: 2012 IEEE 25th Computer Security Foundations Symposium, pp. 3–18. IEEE, June 2012Google Scholar
- 10.Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: Exploring a new approach. In: 2011 IEEE Symposium on Security and Privacy, pp. 413–428. IEEE, May 2011Google Scholar
- 11.Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
- 12.Subramanian, D., Hiet, G., Bidan, C.: Preventive information flow control through a mechanism of split addresses. In: 2016 ACM 9th International Conference on Security of Information and Networks. ACM, July 2016Google Scholar