Information Flow Control in WebKit’s JavaScript Bytecode

  • Abhishek Bichhawat
  • Vineet Rajani
  • Deepak Garg
  • Christian Hammer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8414)


Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this paper, we develop, formalize and implement a dynamic IFC mechanism for the JavaScript engine of a production Web browser (specifically, Safari’s WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and hence leverages years of industrial effort on optimizing both the source to bytecode compiler and the bytecode interpreter. We track both explicit and implicit flows and observe only moderate overhead. Working with bytecode results in new challenges including the extensive use of unstructured control flow in bytecode (which complicates lowering of program context taints), unstructured exceptions (which complicate the matter further) and the need to make IFC analysis permissive. We explain how we address these challenges, formally model the JavaScript bytecode semantics and our instrumentation, prove the standard property of terminationinsensitive non-interference, and present experimental results on an optimized prototype.


Dynamic information flow control JavaScript bytecode taint tracking control flow graphs immediate post-dominator analysis 


  1. 1.
    Richards, G., Hammer, C., Burg, B., Vitek, J.: The eval that men do – a large-scale study of the use of eval in JavaScript applications. In: Mezini, M. (ed.) ECOOP 2011. LNCS, vol. 6813, pp. 52–78. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. 2.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in JavaScript web applications. In: Proc. 17th ACM Conference on Computer and Communications Security, pp. 270–283 (2010)Google Scholar
  3. 3.
    Richards, G., Hammer, C., Zappa Nardelli, F., Jagannathan, S., Vitek, J.: Flexible access control for Javascript. In: Proc. 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, OOPSLA 2013, pp. 305–322 (2013)Google Scholar
  4. 4.
    Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proc. 25th IEEE Computer Security Foundations Symposium, pp. 3–18 (2012)Google Scholar
  5. 5.
    Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: JSFlow: Tracking information flow in JavaScript and its APIs. In: Proc. 29th ACM Symposium on Applied Computing (2014)Google Scholar
  6. 6.
    Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: Proc. 2010 IEEE Symposium on Security and Privacy, pp. 109–124 (2010)Google Scholar
  7. 7.
    De Groef, W., Devriese, D., Nikiforakis, N., Piessens, F.: Flowfox: a web browser with flexible and precise information flow control. In: Proc. 2012 ACM Conference on Computer and Communications Security, pp. 748–759 (2012)Google Scholar
  8. 8.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proc. 1982 IEEE Symposium on Security and Privacy, pp. 11–20 (1982)Google Scholar
  9. 9.
    Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: Proc. 16th ACM Symposium on Operating Systems Principles, pp. 129–142 (1997)Google Scholar
  10. 10.
    Zdancewic, S., Myers, A.C.: Robust declassification. In: Proc. 14th IEEE Computer Security Foundations Workshop, pp. 15–23 (2001)Google Scholar
  11. 11.
    Volpano, D., Irvine, C., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2-3), 167–187 (1996)Google Scholar
  12. 12.
    Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for JavaScript. In: Proc. 1st ACM SIGPLAN International Workshop on Programming Language and Systems Technologies for Internet Clients, pp. 9–18 (2011)Google Scholar
  13. 13.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proc. 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 3:1–3:12 (2010)Google Scholar
  14. 14.
    Bohannon, A., Pierce, B.C., Sjöberg, V., Weirich, S., Zdancewic, S.: Reactive noninterference. In: Proc. 16th ACM Conference on Computer and Communications Security, pp. 79–90 (2009)Google Scholar
  15. 15.
    Maffeis, S., Mitchell, J.C., Taly, A.: An operational semantics for JavaScript. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 307–325. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  16. 16.
    Guha, A., Saftoiu, C., Krishnamurthi, S.: The essence of JavaScript. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126–150. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  17. 17.
    Politz, J.G., Carroll, M.J., Lerner, B.S., Pombrio, J., Krishnamurthi, S.: A tested semantics for getters, setters, and eval in JavaScript. In: Proceedings of the 8th Dynamic Languages Symposium, pp. 1–16 (2012)Google Scholar
  18. 18.
    Bodin, M., Chargueraud, A., Filaretti, D., Gardner, P., Maffeis, S., Naudziuniene, D., Schmitt, A., Smith, G.: A trusted mechanised Javascript specification. In: Proc. 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (2014)Google Scholar
  19. 19.
    Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., Berg, R.: Saving the world wide web from vulnerable javascript. In: Proc. 2011 International Symposium on Software Testing and Analysis, ISSTA 2011, pp. 177–187 (2011)Google Scholar
  20. 20.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for JavaScript. In: Proc. 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 50–62 (2009)Google Scholar
  21. 21.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proc. ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, pp. 113–124 (2009)Google Scholar
  22. 22.
    Zdancewic, S.A.: Programming Languages for Information Security. PhD thesis, Cornell University (August 2002)Google Scholar
  23. 23.
    Birgisson, A., Hedin, D., Sabelfeld, A.: Boosting the permissiveness of dynamic information-flow tracking by testing. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 55–72. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  24. 24.
    Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proc. 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 165–178 (2012)Google Scholar
  25. 25.
    Bielova, N., Devriese, D., Massacci, F., Piessens, F.: Reactive non-interference for a browser model. In: 5th International Conference on Network and System Security (NSS), pp. 97–104 (2011)Google Scholar
  26. 26.
    Bohannon, A., Pierce, B.C.: Featherweight Firefox: formalizing the core of a web browser. In: Proc. 2010 USENIX Conference on Web Application Development, WebApps 2010, pp. 11–22 (2010)Google Scholar
  27. 27.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  28. 28.
    Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: Proc. 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 382–391 (2009)Google Scholar
  29. 29.
    Robling Denning, D.E.: Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc., Boston (1982)Google Scholar
  30. 30.
    Xin, B., Zhang, X.: Efficient online detection of dynamic control dependence. In: Proc. 2007 International Symposium on Software Testing and Analysis, pp. 185–195 (2007)Google Scholar
  31. 31.
    Masri, W., Podgurski, A.: Algorithms and tool support for dynamic information flow analysis. Information & Software Technology 51(2), 385–404 (2009)CrossRefGoogle Scholar
  32. 32.
    Lengauer, T., Tarjan, R.E.: A fast algorithm for finding dominators in a flowgraph. ACM Trans. Program. Lang. Syst. 1(1), 121–141 (1979)CrossRefzbMATHGoogle Scholar
  33. 33.
    Richards, G., Gal, A., Eich, B., Vitek, J.: Automated construction of JavaScript benchmarks. In: Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications, pp. 677–694 (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Abhishek Bichhawat
    • 1
  • Vineet Rajani
    • 2
  • Deepak Garg
    • 2
  • Christian Hammer
    • 1
  1. 1.Saarland UniversityGermany
  2. 2.MPI-SWSGermany

Personalised recommendations