Towards Precise and Efficient Information Flow Control in Web Browsers

  • Christoph Kerschbaumer
  • Eric Hennigan
  • Per Larsen
  • Stefan Brunthaler
  • Michael Franz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7904)

Abstract

JavaScript (JS) has become the dominant programming language of the Internet and powers virtually every web page. If an adversary manages to inject malicious JS into a web page, confidential user data such as credit card information and keystrokes may be exfiltrated without the users knowledge.

We present a comprehensive approach to information flow security that allows precise labeling of scripting-exposed browser subsystems: the JS engine, the Document Object Model, and user generated events. Our experiments show that our framework is precise and efficient, and detects information exfiltration attempts by monitoring network requests.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    OWASP: The open web application security project, https://www.owasp.org/
  2. 2.
    Microsoft: Microsoft security intelligence report, vol. 13 (2012), http://www.microsoft.com/security/sir/default.aspx
  3. 3.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in JavaScript web applications. In: Proceedings of the Conference on Computer and Communications Security, pp. 270–283. ACM (2010)Google Scholar
  4. 4.
    Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: Proceedings of Annual Network and Distributed System Security Symposium (2007)Google Scholar
  5. 5.
    Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for JavaScript. In: Proceedings of the ACM International Workshop on Programming Language and Systems Technologies for Internet Clients, pp. 9–18. ACM (2011)Google Scholar
  6. 6.
    Russo, A., Sabelfeld, A., Chudnov, A.: Tracking information flow in dynamic tree structures. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 86–103. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the ACM Conference on Computer and Communications Security. ACM (2012)Google Scholar
  8. 8.
    Goguen, J., Meseguer, J.: Security policies and security models. In: Proceedings of IEEE Symposium on Security and Privacy. IEEE (1982)Google Scholar
  9. 9.
    Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Transactions on Software Engineering and Methodology 9, 410–442 (2000)CrossRefGoogle Scholar
  10. 10.
    Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001), http://www.cs.cornell.edu/jif
  11. 11.
    Hennigan, E., Kerschbaumer, C., Brunthaler, S., Franz, M.: Tracking information flow for dynamically typed programming languages by instruction set extension. Technical report, University of California Irvine (2011)Google Scholar
  12. 12.
    Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: Large-scale evaluation of remote javascript inclusions. In: Proceedings of the Conference on Computer and Communications Security. ACM (2012)Google Scholar
  13. 13.
    Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the Computer Security Foundations Symposium, pp. 3–18 (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Christoph Kerschbaumer
    • 1
  • Eric Hennigan
    • 1
  • Per Larsen
    • 1
  • Stefan Brunthaler
    • 1
  • Michael Franz
    • 1
  1. 1.University of CaliforniaIrvineUSA

Personalised recommendations