Abstract
We present a system of first-class labels that assists web authors in assessing and diagnosing vulnerabilities in web applications, focusing their attention on flows of information specific to their application. Using first-class labels, web developers can directly manipulate labels and express security policies within JavaScript itself, leveraging their existing knowledge to improve the quality of their applications. Introducing first-class labels incurs no additional overhead over the implementation of information flow in a JavaScript Virtual Machine, making it suitable for use in a security testing environment even for applications that execute large amounts of JavaScript code.
This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contract No. D11PC20024, by the National Science Foundation (NSF) under grant No. CCF-1117162, and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agent, the U.S. Department of the Interior, National Business Center, Acquisition Services Directorate, Sierra Vista Branch, the National Science Foundation, or any other agency of the U.S. Government.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Alexa: Alexa Global Top Sites (2012), http://www.alexa.com/topsites (checked: February 2013)
Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 113–124. ACM (2009)
Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 1–12. ACM (2010)
Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for JavaSript. In: PLDI 2009: Programming Language Design and Implementation, pp. 50–62. ACM (2009)
Denning, D.E.: A lattice model of secure information flow. Communications of the ACM, 236–243 (1976)
ECMA International: Standard ECMA-262. The ECMAScript language specification (2009), http://www.ecma-international.org/publications/standards/Ecma-262.html (checked: February 2013)
Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the Computer Security Foundations Symposium, pp. 3–18 (2012)
Hennigan, E., Kerschbaumer, C., Brunthaler, S., Franz, M.: Tracking information flow for dynamically typed programming languages by instruction set extension. Tech. rep., University of California Irvine (2011), http://ssllab.org/~nsf/files/tr_instruction_set_extension.pdf
Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in JavaScript web applications. In: CCS 2010: Computer and Communications Security, pp. 270–283. ACM (2010)
Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for JavaScript. In: PLASTIC 2011: Programming Language and Systems Technologies for Internet Clients, pp. 9–18. ACM (2011)
K.F., D.P.: XSS Attacks Information (2012), http://www.xssed.com/ (checked: February 2013)
Li, P., Zdancewic, S.: Encoding information flow in haskell. In: 19th IEEE Computer Security Foundations Workshop, p. 12. IEEE (2006)
Meyerovich, L.A., Livshits, B.: ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In: SSP 2010: Symposium on Security and Privacy, pp. 481–496 (2010)
Mozilla Foundation: Same origin policy for JavaScript (2008), https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript (checked: February 2013)
Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001), http://www.cs.cornell.edu/jif (checked: February 2013)
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 5–19 (2003)
SunSpider: SunSpider JavaScript benchmark (2012), http://www2.webkit.org/perf/sunspider-1.0/sunspider.html (checked: February 2013)
Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: NDSS 2007: Network and Distributed System Security Symposium (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hennigan, E., Kerschbaumer, C., Brunthaler, S., Larsen, P., Franz, M. (2013). First-Class Labels: Using Information Flow to Debug Security Holes. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds) Trust and Trustworthy Computing. Trust 2013. Lecture Notes in Computer Science, vol 7904. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38908-5_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-38908-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38907-8
Online ISBN: 978-3-642-38908-5
eBook Packages: Computer ScienceComputer Science (R0)