skip to main content
10.1145/2554850.2554909acmconferencesArticle/Chapter ViewAbstractPublication PagessacConference Proceedingsconference-collections
research-article

JSFlow: tracking information flow in JavaScript and its APIs

Published: 24 March 2014 Publication History

Abstract

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy.
This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

References

[1]
Agten, P., Acker, S. V., Brondsema, Y., Phung, P. H., Desmet, L., and Piessens, F. JSand: complete client-side sandboxing of third-party JavaScript without browser modifications. In ACSAC (2012), R. H. Zakon, Ed., ACM, pp. 1--10.
[2]
Askarov, A., Hunt, S., Sabelfeld, A., and Sands, D. Termination-insensitive noninterference leaks more than just a bit. In Proc. ESORICS (Oct. 2008), vol. 5283 of LNCS, Springer-Verlag, pp. 333--348.
[3]
Austin, T. H., and Flanagan, C. Efficient purely-dynamic information flow analysis. In Proc. ACM PLAS (June 2009).
[4]
Bandhakavi, S., Tiku, N., Pittman, W., King, S. T., Madhusudan, P., and Winslett, M. Vetting browser extensions for security vulnerabilities with vex. Commun. ACM 54, 9 (2011), 91--99.
[5]
Birgisson, A., Hedin, D., and Sabelfeld, A. Boosting the permissiveness of dynamic information-flow tracking by testing. In ESORICS (2012), S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, Springer, pp. 55--72.
[6]
Chugh, R., Meister, J. A., Jhala, R., and Lerner, S. Staged information flow for JavasCript. In PLDI (2009), M. Hind and A. Diwan, Eds., ACM, pp. 50--62.
[7]
Crockford, D. Making JavaScript Safe for Advertising. adsafe.org, 2009.
[8]
Devriese, D., and Piessens, F. Non-interference through secure multi-execution. In SSP (May 2010).
[9]
Dhawan, M., and Ganapathy, V. Analyzing information flow in javascript-based browser extensions. In ACSAC (2009), IEEE Computer Society, pp. 382--391.
[10]
ECMA International. ECMAScript Language Specification, 2009. Version 5.
[11]
Eich, B. Flowsafe: Information flow security for the browser. https://wiki.mozilla.org/FlowSafe, Oct. 2009.
[12]
Groef, W. D., Devriese, D., Nikiforakis, N., and Piessens, F. Flowfox: a web browser with flexible and precise information flow control. In ACM CCS (2012).
[13]
Guarnieri, S., and Livshits, B. Gatekeeper: mostly static enforcement of security and reliability policies for javascript code. In Proc. USENIX security (USA, 2009), SSYM'09, USENIX Association.
[14]
Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., and Berg, R. Saving the world wide web from vulnerable JavaScript. In ISSTA (2011), M. B. Dwyer and F. Tip, Eds., ACM, pp. 177--187.
[15]
Hedin, D., Bello, L., Birgisson, A., and Sabelfeld, A. JSFlow. Software release. Located at http://chalmerslbs.bitbucket.org/jsflow, Sept. 2013.
[16]
Hedin, D., and Sabelfeld, A. Information-flow security for a core of JavaScript. In Proc. IEEE CSF (June 2012), pp. 3--18.
[17]
Hors, A. L., and Hegaret, P. L. Document Object Model Level 3 Core Specification. Tech. rep., The World Wide Web Consortium, 2004.
[18]
Jang, D., Jhala, R., Lerner, S., and Shacham, H. An empirical study of privacy-violating information flows in JavaScript web applications. In ACM CCS (Oct. 2010), pp. 270--283.
[19]
Joyent, Inc. Node.js. http://nodejs.org/.
[20]
Just, S., Cleary, A., Shirley, B., and Hammer, C. Information Flow Analysis for JavaScript. In Proc. ACM PLASTIC (USA, 2011), ACM, pp. 9--18.
[21]
Landi, W. Undecidability of static analysis. ACM LOPLAS 1, 4 (Dec. 1992), 323--337.
[22]
Le Guernic, G., Banerjee, A., Jensen, T., and Schmidt, D. Automata-based confidentiality monitoring. In Proc. ASIAN (2006), vol. 4435 of LNCS, Springer-Verlag.
[23]
Li, Z., Zhang, K., and Wang, X. Mash-IF: Practical information-flow control within client-side mashups. In DSN (2010), pp. 251--260.
[24]
Magazinius, J., Askarov, A., and Sabelfeld, A. A lattice-based approach to mashup security. In Proc. ACM ASIACCS (Apr. 2010).
[25]
Magazinius, J., Hedin, D., and Sabelfeld, A. Architectures for inlining security monitors in web applications. In ESSoS (2014), Lecture Notes in Computer Science, Springer.
[26]
Mayer, J. R., and Mitchell, J. C. Third-party web tracking: Policy and technology. In IEEE SP (2012), IEEE Computer Society, pp. 413--427.
[27]
Meyerovich, L. A., and Livshits, V. B. ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. In IEEE SP (2010), IEEE Computer Society, pp. 481--496.
[28]
Miller, M., Samuel, M., Laurie, B., Awad, I., and Stay, M. Caja: Safe active content in sanitized JavaScript, 2008.
[29]
Mozilla Developer Network. SpiderMonkey -- Running Automated JavaScript Tests. https://developer.mozilla.org/en-US/docs/SpiderMonkey/Running_Automated_JavaScript_Tests, 2011.
[30]
Mozilla Labs. Zaphod add-on for the Firefox browser. http://mozillalabs.com/zaphod, 2011.
[31]
Myers, A. C., Zheng, L., Zdancewic, S., Chong, S., and Nystrom, N. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif, July 2001.
[32]
Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., and Vigna, G. You are what you include: large-scale evaluation of remote javascript inclusions. In ACM CCS (Oct. 2012), pp. 736--747.
[33]
Rafnsson, W., and Sabelfeld, A. Limiting information leakage in event-based communication. In Proc. ACM PLAS (USA, 2011), ACM, pp. 4:1--4:16.
[34]
Russo, A., and Sabelfeld, A. Dynamic vs. static flow-sensitive security analysis. In Proc. IEEE CSF (July 2010), pp. 186--199.
[35]
Ryck, P. D., Decat, M., Desmet, L., Piessens, F., and Joose, W. Security of web mashups: a survey. In NORDSEC (2010), LNCS.
[36]
Sabelfeld, A., and Myers, A. C. Language-based information-flow security. IEEE J. Selected Areas in Communications 21, 1 (Jan. 2003), 5--19.
[37]
Saltzer, J. H., and Schroeder, M. D. The protection of information in computer systems. Proc. of the IEEE 63, 9 (Sept. 1975), 1278--1308.
[38]
Taly, A., Erlingsson, U., Miller, M., Mitchell, J., and Nagra, J. Automated analysis of security-critical JavaScript APIs. In Proc. IEEE SP (May 2011).
[39]
Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proc. NDSS (Feb. 2007).
[40]
Volpano, D., Smith, G., and Irvine, C. A sound type system for secure flow analysis. J. Computer Security 4, 3 (1996), 167--187.
[41]
Yang, E., Stefan, D., Mitchell, J., Mazières, D., Marchenko, P., and Karp, B. Toward principled browser security. In Proc. HotOS (2013).
[42]
Yip, A., Narula, N., Krohn, M., and Morris, R. Privacy-preserving browser-side scripting with bflow. In EuroSys (USA, 2009), ACM, pp. 233--246.
[43]
Zdancewic, S. Programming Languages for Information Security. PhD thesis, Cornell University, July 2002.

Cited By

View all
  • (2024)Dynamic Possible Source Count Analysis for Data Leakage PreventionProceedings of the 21st ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes10.1145/3679007.3685065(98-111)Online publication date: 13-Sep-2024
  • (2024)MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-ProgramsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670294(525-539)Online publication date: 2-Dec-2024
  • (2024)PanoptiChrome: A Modern In-browser Taint Analysis FrameworkProceedings of the ACM Web Conference 202410.1145/3589334.3645699(1914-1922)Online publication date: 13-May-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SAC '14: Proceedings of the 29th Annual ACM Symposium on Applied Computing
March 2014
1890 pages
ISBN:9781450324694
DOI:10.1145/2554850
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 March 2014

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. JavaScript
  2. dynamic analysis
  3. information flow

Qualifiers

  • Research-article

Funding Sources

Conference

SAC 2014
Sponsor:
SAC 2014: Symposium on Applied Computing
March 24 - 28, 2014
Gyeongju, Republic of Korea

Acceptance Rates

SAC '14 Paper Acceptance Rate 218 of 939 submissions, 23%;
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25
The 40th ACM/SIGAPP Symposium on Applied Computing
March 31 - April 4, 2025
Catania , Italy

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)61
  • Downloads (Last 6 weeks)1
Reflects downloads up to 17 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Dynamic Possible Source Count Analysis for Data Leakage PreventionProceedings of the 21st ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes10.1145/3679007.3685065(98-111)Online publication date: 13-Sep-2024
  • (2024)MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-ProgramsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670294(525-539)Online publication date: 2-Dec-2024
  • (2024)PanoptiChrome: A Modern In-browser Taint Analysis FrameworkProceedings of the ACM Web Conference 202410.1145/3589334.3645699(1914-1922)Online publication date: 13-May-2024
  • (2024)Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-AppIEEE Transactions on Software Engineering10.1109/TSE.2024.347928850:12(3225-3248)Online publication date: 1-Dec-2024
  • (2024)Information flow control for comparative privacy analysesInternational Journal of Information Security10.1007/s10207-024-00886-023:5(3199-3216)Online publication date: 1-Oct-2024
  • (2023)An Empirical Analysis of Web Storage and Its Applications to Web TrackingACM Transactions on the Web10.1145/362338218:1(1-28)Online publication date: 11-Oct-2023
  • (2023)Fine-Grained Data-Centric Content Protection Policy for Web ApplicationsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623217(2845-2859)Online publication date: 15-Nov-2023
  • (2023)CookieGraph: Understanding and Detecting First-Party Tracking CookiesProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616586(3490-3504)Online publication date: 15-Nov-2023
  • (2023)Pervasive Micro Information Flow TrackingIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.323854720:6(4957-4975)Online publication date: Nov-2023
  • (2023)BFTDETECTOR: Automatic Detection of Business Flow Tampering for Digital Content Service2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)10.1109/ICSE48619.2023.00048(448-459)Online publication date: May-2023
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media