
CrowdFlow: Efficient Information Flow Security

  • Conference paper
Information Security

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7807)

Abstract

The widespread use of JavaScript (JS) as the dominant web programming language opens the door to attacks such as Cross Site Scripting that steal sensitive information from users. Information flow tracking successfully addresses current browser security shortcomings, but current implementations incur a significant runtime overhead cost that prevents adoption.

We present a novel approach to information flow security that distributes the tracking workload across all page visitors by probabilistically switching between two JavaScript execution modes. Our framework reports attempts to steal information from a user’s browser to a third party that maintains a blacklist of malicious URLs. Participating users can then benefit from receiving warnings about blacklisted URLs, similar to anti-phishing filters.

Our measurements indicate that our approach is both efficient and effective. First, our technique is efficient because it reduces performance impact by an order of magnitude. Second, our system is effective, i.e., it detects 99.45% of all information flow violations on the Alexa Top 500 pages using a conservative 5% sampling rate. Most sites need fewer samples in practice and will therefore incur even less overhead.



Acknowledgements

This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contract No. D11PC20024, by the National Science Foundation (NSF) under grant No. CCF-1117162, and by a gift from Google.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agent, the U.S. Department of the Interior, National Business Center, Acquisition Services Directorate, Sierra Vista Branch, the National Science Foundation, or any other agency of the U.S. Government.

Thanks to Michael Bebenita, Stephen Crane, Andrei Homescu, Christopher Horn, Mark Murphy, Mathias Payer, Codrut Stancu, Gregor Wagner, Christian Wimmer, and Wei Zhang for their feedback and insightful comments.


Corresponding author

Correspondence to Christoph Kerschbaumer.


A Detailed Benchmark Results


Table 1. Detailed performance numbers for V8 and Sunspider benchmarks normalized by the JavaScriptCore interpreter.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Kerschbaumer, C., Hennigan, E., Larsen, P., Brunthaler, S., Franz, M. (2015). CrowdFlow: Efficient Information Flow Security. In: Desmedt, Y. (eds) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_23


  • DOI: https://doi.org/10.1007/978-3-319-27659-5_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27658-8

  • Online ISBN: 978-3-319-27659-5

  • eBook Packages: Computer Science, Computer Science (R0)
