First-Class Labels: Using Information Flow to Debug Security Holes

  • Eric Hennigan
  • Christoph Kerschbaumer
  • Stefan Brunthaler
  • Per Larsen
  • Michael Franz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7904)


We present a system of first-class labels that assists web authors in assessing and diagnosing vulnerabilities in web applications, focusing their attention on flows of information specific to their application. Using first-class labels, web developers can directly manipulate labels and express security policies within JavaScript itself, leveraging their existing knowledge to improve the quality of their applications. Introducing first-class labels incurs no additional overhead over the implementation of information flow in a JavaScript Virtual Machine, making it suitable for use in a security testing environment even for applications that execute large amounts of JavaScript code.


  1. 1.
    Alexa: Alexa Global Top Sites (2012), (checked: February 2013)
  2. 2.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 113–124. ACM (2009)Google Scholar
  3. 3.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 1–12. ACM (2010)Google Scholar
  4. 4.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for JavaSript. In: PLDI 2009: Programming Language Design and Implementation, pp. 50–62. ACM (2009)Google Scholar
  5. 5.
    Denning, D.E.: A lattice model of secure information flow. Communications of the ACM, 236–243 (1976)Google Scholar
  6. 6.
    ECMA International: Standard ECMA-262. The ECMAScript language specification (2009), (checked: February 2013)
  7. 7.
    Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the Computer Security Foundations Symposium, pp. 3–18 (2012)Google Scholar
  8. 8.
    Hennigan, E., Kerschbaumer, C., Brunthaler, S., Franz, M.: Tracking information flow for dynamically typed programming languages by instruction set extension. Tech. rep., University of California Irvine (2011),
  9. 9.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in JavaScript web applications. In: CCS 2010: Computer and Communications Security, pp. 270–283. ACM (2010)Google Scholar
  10. 10.
    Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for JavaScript. In: PLASTIC 2011: Programming Language and Systems Technologies for Internet Clients, pp. 9–18. ACM (2011)Google Scholar
  11. 11.
    K.F., D.P.: XSS Attacks Information (2012), (checked: February 2013)
  12. 12.
    Li, P., Zdancewic, S.: Encoding information flow in haskell. In: 19th IEEE Computer Security Foundations Workshop, p. 12. IEEE (2006)Google Scholar
  13. 13.
    Meyerovich, L.A., Livshits, B.: ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In: SSP 2010: Symposium on Security and Privacy, pp. 481–496 (2010)Google Scholar
  14. 14.
    Mozilla Foundation: Same origin policy for JavaScript (2008), (checked: February 2013)
  15. 15.
    Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001), (checked: February 2013)
  16. 16.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 5–19 (2003)Google Scholar
  17. 17.
    SunSpider: SunSpider JavaScript benchmark (2012), (checked: February 2013)
  18. 18.
    Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: NDSS 2007: Network and Distributed System Security Symposium (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Eric Hennigan
    • 1
  • Christoph Kerschbaumer
    • 1
  • Stefan Brunthaler
    • 1
  • Per Larsen
    • 1
  • Michael Franz
    • 1
  1. 1.University of CaliforniaIrvineUSA

Personalised recommendations