
A Self-correcting Information Flow Control Model for the Web-Browser

  • Deepak Subramanian
  • Guillaume Hiet
  • Christophe Bidan
Conference paper, part of the Lecture Notes in Computer Science book series (LNCS, volume 10128)

Abstract

Web-browser security, with emphasis on JavaScript security, is one of the important problems of the modern world. The potency of information flow control (IFC) in the context of JavaScript is quite appealing. In this paper, we adopt an earlier technique, Address Split Design (ASD), proposed by Deepak et al. [12]. We propose an alternate data structure to the dictionaries used in ASD to keep track of secret variables. We also propose a novel approach to help track and learn from information flows. This learnt data can subsequently be used to create a more adaptive and effective IFC model. As the information about a function accumulates, potential leaks are also thwarted. Using such an approach, we show that more rigid security guarantees can eventually be achieved as the learnt data increases.
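The abstract refers to tracking secret variables and to termination-insensitive noninterference. The following is an added illustration, not code from the paper and not its Address Split Design: a minimal dynamic information-flow monitor over a two-level lattice (LOW/HIGH), which labels secret variables, joins labels on computation, raises a program-counter label inside conditionals, and applies the no-sensitive-upgrade (NSU) rule from Austin and Flanagan [3] to stop implicit flows before a public sink can observe them. The `Monitor` class, its method names and the sample programs are assumptions made for this example.

```javascript
// Added example, not the paper's ASD: a two-level dynamic IFC monitor.
const LOW = 0;
const HIGH = 1;
const lub = (a, b) => Math.max(a, b); // least upper bound on the two-level lattice

class IFCError extends Error {}

class Monitor {
  constructor() {
    this.vars = new Map(); // name -> { value, label }
    this.pc = [LOW];       // program-counter label stack, models implicit flows
  }
  currentPc() { return this.pc[this.pc.length - 1]; }

  declare(name, value, label) { this.vars.set(name, { value, label }); }

  read(name) {
    const v = this.vars.get(name);
    if (!v) throw new IFCError(`undeclared variable ${name}`);
    return v;
  }

  // Pure computation: the result carries the join of all operand labels.
  compute(fn, ...operands) {
    const label = operands.reduce((acc, o) => lub(acc, o.label), LOW);
    return { value: fn(...operands.map(o => o.value)), label };
  }

  // Assignment under NSU: a public variable may not be written in a secret context,
  // because the write itself would reveal which branch was taken.
  assign(name, rhs) {
    const cur = this.read(name);
    const ctx = this.currentPc();
    if (cur.label < ctx) {
      throw new IFCError(`NSU violation: write to public '${name}' under secret control`);
    }
    this.vars.set(name, { value: rhs.value, label: lub(rhs.label, ctx) });
  }

  // Conditional: the body runs with the pc raised by the guard's label.
  branch(guard, thenFn, elseFn = () => {}) {
    this.pc.push(lub(this.currentPc(), guard.label));
    try {
      if (guard.value) thenFn(); else elseFn();
    } finally {
      this.pc.pop();
    }
  }

  // Public sink (e.g. a network send): only LOW-labelled data may leave.
  output(v) {
    if (lub(v.label, this.currentPc()) > LOW) {
      throw new IFCError('secret data reaching public sink');
    }
    return v.value;
  }
}

// Explicit flow: pub = secret + 1 is labelled HIGH and rejected at the sink.
function explicitFlowBlocked() {
  const m = new Monitor();
  m.declare('secret', 42, HIGH);
  m.declare('pub', 0, LOW);
  m.assign('pub', m.compute(x => x + 1, m.read('secret')));
  try { m.output(m.read('pub')); return false; } catch (e) { return e instanceof IFCError; }
}

// Implicit flow: if (secret) pub = 1 is stopped by NSU at the assignment.
function implicitFlowBlocked() {
  const m = new Monitor();
  m.declare('secret', true, HIGH);
  m.declare('pub', 0, LOW);
  try {
    m.branch(m.read('secret'), () => m.assign('pub', { value: 1, label: LOW }));
    return false;
  } catch (e) { return e instanceof IFCError; }
}

// Benign program: a purely public computation reaches the public sink.
function publicFlowAllowed() {
  const m = new Monitor();
  m.declare('a', 2, LOW);
  m.declare('b', 3, LOW);
  m.declare('c', 0, LOW);
  m.assign('c', m.compute((x, y) => x * y, m.read('a'), m.read('b')));
  return m.output(m.read('c')); // 6
}
```

The monitor is termination-insensitive in the sense of the keywords: it raises an error rather than diverging, and it does not attempt to hide how many loop iterations a secret guard permits, which is the class of leak Askarov et al. [1] quantify. Note also that NSU is a conservative rule: it halts some programs that would not actually leak, which is the precision problem an adaptive scheme such as the one the abstract describes aims to reduce.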

Keywords

Information Flow Control (IFC); Secret Variables; JavaScript; Termination-insensitive Noninterference (TINI); Dependent Nodes

Notes

Acknowledgments

This work has received a French government support granted to the COMIN Labs excellence laboratory and managed by the National Research Agency in the “Investing for the Future” program under reference ANR-10-LABX-07-01.

References

  1. Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88313-5_22
  2. Austin, T.: Dynamic information flow analysis for JavaScript in a web browser. Ph.D. thesis, University of California, Santa Cruz (2013)
  3. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. ACM SIGPLAN Not. 44(8), 20 (2009)
  4. Bell, D., LaPadula, L.: Secure Computer Systems: Mathematical Foundations. Technical report, DTIC.MIL (1973)
  5. Biba, K.J.: Integrity Considerations for Secure Computer Systems. Technical report, The Mitre Corporation (1975)
  6. Bielova, N.: Survey on JavaScript security policies and their enforcement mechanisms in a web browser. J. Logic Algebraic Program. 82(8), 243–262 (2013)
  7. Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: 2010 IEEE Symposium on Security and Privacy, pp. 109–124 (2010)
  8. Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 748–759. ACM, Raleigh, North Carolina, USA (2012)
  9. Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: 2012 IEEE 25th Computer Security Foundations Symposium, pp. 3–18. IEEE, June 2012
  10. Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: exploring a new approach. In: 2011 IEEE Symposium on Security and Privacy, pp. 413–428. IEEE, May 2011
  11. Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)
  12. Subramanian, D., Hiet, G., Bidan, C.: Preventive information flow control through a mechanism of split addresses. In: 2016 ACM 9th International Conference on Security of Information and Networks. ACM, July 2016

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Deepak Subramanian (corresponding author), CentraleSupélec, Châtenay-Malabry, France
  • Guillaume Hiet, CentraleSupélec, Châtenay-Malabry, France
  • Christophe Bidan, CentraleSupélec, Châtenay-Malabry, France
