Abstract
Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementation of IFC enforcement remains a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with the closest related work and show that Gifc performs better at detecting unwanted implicit flows.
Notes
- 3. Unfortunately we were unable to set up a functional test environment for FlowFox and Jest. In the case of Jest, certain models are required that are undocumented and not trivial to develop.
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Scull Pupo, A.L., Christophe, L., Nicolay, J., de Roover, C., Gonzalez Boix, E. (2018). Practical Information Flow Control for Web Applications. In: Colombo, C., Leucker, M. (eds) Runtime Verification. RV 2018. Lecture Notes in Computer Science, vol 11237. Springer, Cham. https://doi.org/10.1007/978-3-030-03769-7_21
DOI: https://doi.org/10.1007/978-3-030-03769-7_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03768-0
Online ISBN: 978-3-030-03769-7
eBook Packages: Computer Science, Computer Science (R0)