Abstract
Web-browser security, with an emphasis on JavaScript security, is one of the important problems of the modern world. The potency of information flow control (IFC) in the context of JavaScript is quite appealing. In this paper, we adopt an earlier technique, Address Split Design (ASD), proposed by Deepak et al. [12]. We propose an alternative data structure to the dictionaries used in ASD to keep track of secret variables. We also propose a novel approach to help track and learn from information flows. This learnt data can subsequently be used to create a more adaptive and effective IFC model. As the information about a function grows, potential leaks are also thwarted. Using such an approach, we show that more rigid security guarantees can eventually be achieved as the learnt data increases.
References
Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-Insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88313-5_22
Austin, T.: Dynamic information flow analysis for JavaScript in a web browser. Ph.D. thesis, University of California, Santa Cruz (2013)
Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. ACM SIGPLAN Not. 44(8), 20 (2009)
Bell, D., LaPadula, L.: Secure Computer Systems: Mathematical Foundations. Technical report, DTIC.MIL (1973)
Biba, K.J.: Integrity Considerations for Secure Computer Systems. Technical report, The Mitre Corporation (1975)
Bielova, N.: Survey on JavaScript security policies and their enforcement mechanisms in a web browser. J. Logic Algebraic Program. 82(8), 243–262 (2013)
Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: 2010 IEEE Symposium on Security and Privacy, pp. 109–124 (2010)
Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 748–759. ACM, Raleigh, North Carolina, USA (2012)
Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: 2012 IEEE 25th Computer Security Foundations Symposium, pp. 3–18. IEEE, June 2012
Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: Exploring a new approach. In: 2011 IEEE Symposium on Security and Privacy, pp. 413–428. IEEE, May 2011
Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)
Subramanian, D., Hiet, G., Bidan, C.: Preventive information flow control through a mechanism of split addresses. In: 2016 ACM 9th International Conference on Security of Information and Networks. ACM, July 2016
Acknowledgments
This work has received a French government support granted to the COMIN Labs excellence laboratory and managed by the National Research Agency in the “Investing for the Future” program under reference ANR-10-LABX-07-01.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Subramanian, D., Hiet, G., Bidan, C. (2017). A Self-correcting Information Flow Control Model for the Web-Browser. In: Cuppens, F., Wang, L., Cuppens-Boulahia, N., Tawbi, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2016. Lecture Notes in Computer Science(), vol 10128. Springer, Cham. https://doi.org/10.1007/978-3-319-51966-1_19
DOI: https://doi.org/10.1007/978-3-319-51966-1_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-51965-4
Online ISBN: 978-3-319-51966-1
eBook Packages: Computer Science, Computer Science (R0)