First-Class Labels: Using Information Flow to Debug Security Holes

  • Eric Hennigan
  • Christoph Kerschbaumer
  • Stefan Brunthaler
  • Per Larsen
  • Michael Franz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7904)


We present a system of first-class labels that assists web authors in assessing and diagnosing vulnerabilities in web applications, focusing their attention on flows of information specific to their application. Using first-class labels, web developers can directly manipulate labels and express security policies within JavaScript itself, leveraging their existing knowledge to improve the quality of their applications. Introducing first-class labels incurs no additional overhead over the implementation of information flow in a JavaScript Virtual Machine, making it suitable for use in a security testing environment even for applications that execute large amounts of JavaScript code.


Information Leak Label System Supporting Framework Monitor Function Document Object Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alexa: Alexa Global Top Sites (2012), (checked: February 2013)
  2. 2.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 113–124. ACM (2009)Google Scholar
  3. 3.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 1–12. ACM (2010)Google Scholar
  4. 4.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for JavaSript. In: PLDI 2009: Programming Language Design and Implementation, pp. 50–62. ACM (2009)Google Scholar
  5. 5.
    Denning, D.E.: A lattice model of secure information flow. Communications of the ACM, 236–243 (1976)Google Scholar
  6. 6.
    ECMA International: Standard ECMA-262. The ECMAScript language specification (2009), (checked: February 2013)
  7. 7.
    Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the Computer Security Foundations Symposium, pp. 3–18 (2012)Google Scholar
  8. 8.
    Hennigan, E., Kerschbaumer, C., Brunthaler, S., Franz, M.: Tracking information flow for dynamically typed programming languages by instruction set extension. Tech. rep., University of California Irvine (2011),
  9. 9.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in JavaScript web applications. In: CCS 2010: Computer and Communications Security, pp. 270–283. ACM (2010)Google Scholar
  10. 10.
    Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for JavaScript. In: PLASTIC 2011: Programming Language and Systems Technologies for Internet Clients, pp. 9–18. ACM (2011)Google Scholar
  11. 11.
    K.F., D.P.: XSS Attacks Information (2012), (checked: February 2013)
  12. 12.
    Li, P., Zdancewic, S.: Encoding information flow in haskell. In: 19th IEEE Computer Security Foundations Workshop, p. 12. IEEE (2006)Google Scholar
  13. 13.
    Meyerovich, L.A., Livshits, B.: ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In: SSP 2010: Symposium on Security and Privacy, pp. 481–496 (2010)Google Scholar
  14. 14.
    Mozilla Foundation: Same origin policy for JavaScript (2008), (checked: February 2013)
  15. 15.
    Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001), (checked: February 2013)
  16. 16.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 5–19 (2003)Google Scholar
  17. 17.
    SunSpider: SunSpider JavaScript benchmark (2012), (checked: February 2013)
  18. 18.
    Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: NDSS 2007: Network and Distributed System Security Symposium (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Eric Hennigan
    • 1
  • Christoph Kerschbaumer
    • 1
  • Stefan Brunthaler
    • 1
  • Per Larsen
    • 1
  • Michael Franz
    • 1
  1. 1.University of CaliforniaIrvineUSA

Personalised recommendations