Practical Information Flow Control for Web Applications

  • Conference paper
Runtime Verification (RV 2018)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 11237)

Abstract

Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementation of IFC enforcement remains a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with the closest related work and show that Gifc performs better at detecting unwanted implicit flows.
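The permissive-upgrade treatment of implicit flows named in the abstract can be illustrated with a small hand-written monitor. This is an added example, not Gifc's code or anything from the paper: the `Monitor` class, its methods, the three labels and the sample program in `run` are all constructed for illustration, and the model is simplified to two security levels plus a "partially leaked" tag.

```javascript
// Simplified permissive-upgrade monitor (illustrative; names are hypothetical).
// Labels: L public, H secret, P "partially leaked".
const L = 0, H = 1, P = 2;
const join = (a, b) => Math.max(a, b);

class Monitor {
  constructor() { this.store = new Map(); this.pc = [L]; this.sent = []; }
  get ctx() { return this.pc[this.pc.length - 1]; }
  declare(name, value, label) { this.store.set(name, { value, label }); }
  read(name) { return this.store.get(name); }
  // Writing to a public (or already P) variable under a secret context is
  // allowed, but the variable is tagged P instead of halting the program.
  assign(name, value, label = L) {
    const old = this.read(name).label;
    const next = this.ctx === L ? label : (old === H ? join(label, H) : P);
    this.store.set(name, { value, label: next });
  }
  // Branching on a P value would reveal the earlier implicit flow: stop here.
  branch(cond, thenFn) {
    if (cond.label === P) throw new Error("IFC: branch on partially leaked value");
    this.pc.push(join(this.ctx, cond.label));
    try { if (cond.value) thenFn(); } finally { this.pc.pop(); }
  }
  // Public sink: only L values may leave, and only from a public context.
  send(v) {
    if (join(v.label, this.ctx) !== L) throw new Error("IFC: non-public value sent");
    this.sent.push(v.value);
  }
}

// Constructed program:  x = false; y = true;
//   if (secret) x = true;   if (!x) y = false;   send(y);
function run(secret) {
  const m = new Monitor();
  m.declare("secret", secret, H);
  m.declare("x", false, L);
  m.declare("y", true, L);
  let blocked = null;
  try {
    m.branch(m.read("secret"), () => m.assign("x", true));
    const x = m.read("x");
    m.branch({ value: !x.value, label: x.label }, () => m.assign("y", false));
    m.send(m.read("y"));
  } catch (e) { blocked = e.message; }
  return { sent: m.sent, xLabel: m.read("x").label, blocked };
}

console.log(run(false), run(true));
```

With `secret` true the monitor lets the write to `x` proceed and halts only at the later branch on `x`; without the P tag, `y` would be sent as `true` in that run and as `false` in the other, revealing `secret` to the public sink.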

Notes

  1. https://gitlab.soft.vub.ac.be/ascullpu/guardia-ifc.

  2. https://github.com/lachrist/aran.

  3. Unfortunately we were unable to set up a functional test environment for FlowFox and Jest. In the case of Jest certain models are required that are undocumented and not trivial to develop.

  4. https://gitlab.soft.vub.ac.be/ascullpu/guardia-ifc.


Corresponding author

Correspondence to Angel Luis Scull Pupo.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Scull Pupo, A.L., Christophe, L., Nicolay, J., de Roover, C., Gonzalez Boix, E. (2018). Practical Information Flow Control for Web Applications. In: Colombo, C., Leucker, M. (eds) Runtime Verification. RV 2018. Lecture Notes in Computer Science, vol 11237. Springer, Cham. https://doi.org/10.1007/978-3-030-03769-7_21

  • DOI: https://doi.org/10.1007/978-3-030-03769-7_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03768-0

  • Online ISBN: 978-3-030-03769-7

  • eBook Packages: Computer Science (R0)
