First-Class Labels: Using Information Flow to Debug Security Holes

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7904)

Abstract

We present a system of first-class labels that assists web authors in assessing and diagnosing vulnerabilities in web applications, focusing their attention on flows of information specific to their application. Using first-class labels, web developers can directly manipulate labels and express security policies within JavaScript itself, leveraging their existing knowledge to improve the quality of their applications. Introducing first-class labels incurs no additional overhead over the implementation of information flow in a JavaScript Virtual Machine, making it suitable for use in a security testing environment even for applications that execute large amounts of JavaScript code.

Keywords

  • Information Leak
  • Label System
  • Supporting Framework
  • Monitor Function
  • Document Object Model

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contract No. D11PC20024, by the National Science Foundation (NSF) under grant No. CCF-1117162, and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agent, the U.S. Department of the Interior, National Business Center, Acquisition Services Directorate, Sierra Vista Branch, the National Science Foundation, or any other agency of the U.S. Government.

  • DOI: 10.1007/978-3-642-38908-5_12
  • Chapter length: 18 pages

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hennigan, E., Kerschbaumer, C., Brunthaler, S., Larsen, P., Franz, M. (2013). First-Class Labels: Using Information Flow to Debug Security Holes. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds) Trust and Trustworthy Computing. Trust 2013. Lecture Notes in Computer Science, vol 7904. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38908-5_12

  • DOI: https://doi.org/10.1007/978-3-642-38908-5_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38907-8

  • Online ISBN: 978-3-642-38908-5

  • eBook Packages: Computer Science, Computer Science (R0)