Information Flow Control in WebKit’s JavaScript Bytecode

  • Abhishek Bichhawat
  • Vineet Rajani
  • Deepak Garg
  • Christian Hammer
Conference paper

DOI: 10.1007/978-3-642-54792-8_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8414)
Cite this paper as:
Bichhawat A., Rajani V., Garg D., Hammer C. (2014) Information Flow Control in WebKit’s JavaScript Bytecode. In: Abadi M., Kremer S. (eds) Principles of Security and Trust. POST 2014. Lecture Notes in Computer Science, vol 8414. Springer, Berlin, Heidelberg

Abstract

Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this paper, we develop, formalize and implement a dynamic IFC mechanism for the JavaScript engine of a production Web browser (specifically, Safari’s WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and hence leverages years of industrial effort on optimizing both the source to bytecode compiler and the bytecode interpreter. We track both explicit and implicit flows and observe only moderate overhead. Working with bytecode results in new challenges including the extensive use of unstructured control flow in bytecode (which complicates lowering of program context taints), unstructured exceptions (which complicate the matter further) and the need to make IFC analysis permissive. We explain how we address these challenges, formally model the JavaScript bytecode semantics and our instrumentation, prove the standard property of terminationinsensitive non-interference, and present experimental results on an optimized prototype.

Keywords

Dynamic information flow control JavaScript bytecode taint tracking control flow graphs immediate post-dominator analysis 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Abhishek Bichhawat
    • 1
  • Vineet Rajani
    • 2
  • Deepak Garg
    • 2
  • Christian Hammer
    • 1
  1. 1.Saarland UniversityGermany
  2. 2.MPI-SWSGermany

Personalised recommendations