Value-Sensitive Hybrid Information Flow Control for a JavaScript-Like Language
Secure integration of third-party code is one of the prime challenges for securing today's web. Recent empirical studies give evidence of pervasive reliance on and excessive trust in third-party JavaScript, with no adequate security mechanism to limit the trust or the extent of its abuse. Infor...
Saved in:
| Published in: | Proceedings - Computer Security Foundations Workshop pp. 351 - 365 |
|---|---|
| Main Authors: | , , |
| Format: | Conference Proceeding |
| Language: | English |
| Published: |
IEEE
01.01.2015
|
| Subjects: | |
| ISSN: | 1063-6900 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Abstract | Secure integration of third-party code is one of the prime challenges for securing today's web. Recent empirical studies give evidence of pervasive reliance on and excessive trust in third-party JavaScript, with no adequate security mechanism to limit the trust or the extent of its abuse. Information flow control is a promising approach for controlling the behavior of third-party code and enforcing confidentiality and integrity policies. While much progress has been made on static and dynamic approaches to information flow control, only recently their combinations have received attention. Purely static analysis falls short of addressing dynamic language features such as dynamic objects and dynamic code evaluation, while purely dynamic analysis suffers from inability to predict side effects in non-performed executions. This paper develops a value-sensitive hybrid mechanism for tracking information flow in a JavaScript-like language. The mechanism consists of a dynamic monitor empowered to invoke a static component on the fly. This enables us to achieve a sound yet permissive enforcement. We establish formal soundness results with respect to the security policy of non-interference. In addition, we demonstrate permissiveness by proving that we subsume the precision of purely static analysis and by presenting a collection of common programming patterns that indicate that our mechanism has potential to provide more permissiveness than dynamic mechanisms in practice. |
|---|---|
| AbstractList | Secure integration of third-party code is one of the prime challenges for securing today's web. Recent empirical studies give evidence of pervasive reliance on and excessive trust in third-party JavaScript, with no adequate security mechanism to limit the trust or the extent of its abuse. Information flow control is a promising approach for controlling the behavior of third-party code and enforcing confidentiality and integrity policies. While much progress has been made on static and dynamic approaches to information flow control, only recently their combinations have received attention. Purely static analysis falls short of addressing dynamic language features such as dynamic objects and dynamic code evaluation, while purely dynamic analysis suffers from inability to predict side effects in non-performed executions. This paper develops a value-sensitive hybrid mechanism for tracking information flow in a JavaScript-like language. The mechanism consists of a dynamic monitor empowered to invoke a static component on the fly. This enables us to achieve a sound yet permissive enforcement. We establish formal soundness results with respect to the security policy of non-interference. In addition, we demonstrate permissiveness by proving that we subsume the precision of purely static analysis and by presenting a collection of common programming patterns that indicate that our mechanism has potential to provide more permissiveness than dynamic mechanisms in practice. |
| Author | Bello, Luciano Hedin, Daniel Sabelfeld, Andrei |
| Author_xml | – sequence: 1 givenname: Daniel surname: Hedin fullname: Hedin, Daniel organization: Malardalen Univ., Västerås, Sweden – sequence: 2 givenname: Luciano surname: Bello fullname: Bello, Luciano organization: Chalmers Univ. of Technol., Gothenburg, Sweden – sequence: 3 givenname: Andrei surname: Sabelfeld fullname: Sabelfeld, Andrei organization: Chalmers Univ. of Technol., Gothenburg, Sweden |
| BookMark | eNotjE9LwzAcQCNMcJs7efSSL5CaX_61PUqxblL0UPU60uaXEezS0XaTffsN9PTg8XgLMot9REIegCcAPH8q6jIRHHQi4YYsQJlUplpmMCNz4EYyk3N-R1bjGBquslSDyGBO3r9td0RWYxzDFE5I1-dmCI5uou-HvZ1CH2nZ9b-06OM09B29amrpmz3Zuh3CYWJV-EFa2bg72h3ek1tvuxFX_1ySr_Lls1iz6uN1UzxXLMgcJiacyY3zShvdSq-Fd7w1mYNGCrTg29RlEgTnxqIAhdqihGvuslx4UC3KJXn8-wZE3B6GsLfDeZsKJVOl5AUhXU8b |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/CSF.2015.31 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 1467375381 9781467375382 |
| EndPage | 365 |
| ExternalDocumentID | 7243744 |
| Genre | orig-research |
| GroupedDBID | 29G 29N 29O 6IE 6IK 6IL AAJGR ALMA_UNASSIGNED_HOLDINGS CBEJK IPLJI M43 RIE RIL RNS |
| ID | FETCH-LOGICAL-i391t-2d696df4565c3f52fd0c68d1b32ea1fc7d8312006ae214e5ae31df4d892f14ce3 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 17 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000380428500024&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| ISSN | 1063-6900 |
| IngestDate | Wed Aug 27 02:46:42 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i391t-2d696df4565c3f52fd0c68d1b32ea1fc7d8312006ae214e5ae31df4d892f14ce3 |
| PageCount | 15 |
| ParticipantIDs | ieee_primary_7243744 |
| PublicationCentury | 2000 |
| PublicationDate | 2015-01-01 |
| PublicationDateYYYYMMDD | 2015-01-01 |
| PublicationDate_xml | – month: 01 year: 2015 text: 2015-01-01 day: 01 |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings - Computer Security Foundations Workshop |
| PublicationTitleAbbrev | CSF |
| PublicationYear | 2015 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssib048751281 ssj0019972 |
| Score | 1.6852273 |
| Snippet | Secure integration of third-party code is one of the prime challenges for securing today's web. Recent empirical studies give evidence of pervasive reliance on... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 351 |
| SubjectTerms | Context information flow language-based security Monitoring Performance analysis Reactive power Runtime Security Semantics |
| Title | Value-Sensitive Hybrid Information Flow Control for a JavaScript-Like Language |
| URI | https://ieeexplore.ieee.org/document/7243744 |
| WOSCitedRecordID | wos000380428500024&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1NTwIxEG2AePCECsbv9ODRwrZdtt0zcUMMISSo4Ua67TQhEjAIGP-9nd0FPXjx1jQ9NDPtzHRmXh8h9yocgkS5lEXWaBbif8lyawQziQ4WWRtIvSnIJtRopKfTdFwjDwcsDAAUzWfQwWFRy3cru8VUWVfh73lxXCd1pZISq7U_Oxh3Y1HoUEFAQGhR6UwkCy_AqMLm8Sjt9icZ9nT1Osgs94tTpXApWfN_mzkh7R9sHh0fvM4pqcHyjDT35Ay0uqstMno1iy2wCTaoo0mjgy8EZ9EKf4T6oNli9Un7ZbM6DdPU0CezM5PCkrDh_A3osMpntslL9vjcH7CKPIHNZco3TLgkTZzHgM1K3xPeRTbRjudSgOHeKqclx3yCAcFj6BmQPCx3OhWexxbkOWksV0u4IFQ4l0vprXc-CtFVlAsF4KUWea5MZMwlaaF4Zu_l_xizSjJXf09fk2MUfpnGuCGNzXoLt-TI7jbzj_VdodRvO7qiIA |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LTwIxEG4QTfSECsa3PXi00Mc-umfiBnXdkICGG-m204RIwCBg_Pdudxf04MVb0_TQzLQz05n5-iF0G-aHIAhNRKhWkuTxvyCZVpyoQOYWWSqIrCrIJsI0laNR1K-huy0WBgCK5jNou2FRyzdzvXKpsk7ofs_zvB2063sepyVaa3N6XOTtykLbGoKDhBa1zkCQ_A1IK3Qeo1GnO4hdV5ffdtxyv1hVCqcSN_63nUPU-kHn4f7W7xyhGsyOUWNDz4Cr29pE6auaroAMXIu6M2q49-XgWbhCIDmN4Hg6_8Tdsl0d59NY4Ue1VoPClpBk8gY4qTKaLfQS3w-7PVLRJ5CJiNiScBNEgbEuZNPC-twaqgNpWCY4KGZ1aKRgLqOggDMPfAWC5cuNjLhlngZxguqz-QxOEebGZEJYbY2leXxFMx4CWCF5loWKKnWGmk484_fyh4xxJZnzv6dv0H5v-JyMk4f06QIdOEWUSY1LVF8uVnCF9vR6OflYXBcK_gbbZaVn |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=proceeding&rft.title=Proceedings+-+Computer+Security+Foundations+Workshop&rft.atitle=Value-Sensitive+Hybrid+Information+Flow+Control+for+a+JavaScript-Like+Language&rft.au=Hedin%2C+Daniel&rft.au=Bello%2C+Luciano&rft.au=Sabelfeld%2C+Andrei&rft.date=2015-01-01&rft.pub=IEEE&rft.issn=1063-6900&rft.spage=351&rft.epage=365&rft_id=info:doi/10.1109%2FCSF.2015.31&rft.externalDocID=7243744 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1063-6900&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1063-6900&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1063-6900&client=summon |