An Information Flow Monitor-Inlining Compiler for Securing a Core of JavaScript

  • José Fragoso Santos
  • Tamara Rezk
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 428)


Web application designers and users alike are interested in isolation properties for trusted JavaScript code in order to prevent confidential resources from being leaked to untrusted parties. Noninterference provides the mathematical foundation for reasoning precisely about the information flows that take place during the execution of a program. Due to the dynamicity of the language, research on mechanisms for enforcing noninterference in JavaScript has mostly focused on dynamic approaches. We present the first information flow monitor inlining compiler for a realistic core of JavaScript. We prove that the proposed compiler enforces termination-insensitive noninterference and we provide an implementation that illustrates its applicability.


Security Level Global Object Execution Context Malicious Program Original Semantic 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Information flow monitor-inlining compiler,
  2. 2.
    The 5th edition of ECMA 262 June 2011. ECMAScript Language Specification. Technical report, ECMA (2011)Google Scholar
  3. 3.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. PLAS (2009)Google Scholar
  4. 4.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. PLAS (2010)Google Scholar
  5. 5.
    Banerjee, A., Naumann, D.A.: Secure information flow and pointer confinement in a Java-like language. In: CSFW (2002)Google Scholar
  6. 6.
    Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Information flow control in WebKit’s JavaScript bytecode. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 159–178. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  7. 7.
    Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: CSF (2010)Google Scholar
  8. 8.
    Guha, A., Saftoiu, C., Krishnamurthi, S.: The essence of JavaScript. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126–150. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: CSF (2012)Google Scholar
  10. 10.
    Maffeis, S., Mitchell, J.C., Taly, A.: An operational semantics for JavaScript. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 307–325. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    Magazinius, J., Russo, A., Sabelfeld, A.: On-the-fly inlining of dynamic security monitors. In: Computers & Security (2012)Google Scholar
  12. 12.
    Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: CSF (2010)Google Scholar
  13. 13.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications (2003)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • José Fragoso Santos
    • 1
  • Tamara Rezk
    • 1
  1. 1.InriaFrance

Personalised recommendations