Using program dependence graphs for information flow control
Journal of Systems and Software
ACM Transactions on Information and System Security (TISSEC)
A fast algorithm for finding dominators in a flowgraph
ACM Transactions on Programming Languages and Systems (TOPLAS)
Slicing java programs that throw and catch exceptions
Proceedings of the 2003 ACM SIGPLAN workshop on Partial evaluation and semantics-based program manipulation
Programming languages for information security
Programming languages for information security
Software—Practice & Experience
On flow-sensitive security types
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
JavaScript instrumentation for browser security
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Efficient online detection of dynamic control dependence
Proceedings of the 2007 international symposium on Software testing and analysis
Staged information flow for javascript
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Efficient purely-dynamic information flow analysis
Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
Tight Enforcement of Information-Release Policies for Dynamic Languages
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Analyzing Information Flow in JavaScript-Based Browser Extensions
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Permissive dynamic information flow analysis
PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Dynamic vs. Static Flow-Sensitive Security Analysis
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
From dynamic to static and back: riding the roller coaster of information-flow control research
PSI'09 Proceedings of the 7th international Andrei Ershov Memorial conference on Perspectives of Systems Informatics
Type-based dependency analysis for javascript
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
Efficient dynamic access analysis using JavaScript proxies
Proceedings of the 9th symposium on Dynamic languages
Security Signature Inference for JavaScript-based Browser Addons
Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization
Information flow tracking meets just-in-time compilation
ACM Transactions on Architecture and Code Optimization (TACO)
| Hi-index | 0.00 |
Modern Web 2.0 pages combine scripts from several sources into a single client-side JavaScript program with almost no isolation. In order to prevent attacks from an untrusted third-party script or cross-site scripting, tracking provenance of data is imperative. However, no browser offers this security mechanism. This work presents the first information flow control mechanism for full JavaScript. We track information flow dynamically as much as possible but rely on intra-procedural static analysis to capture implicit flow. Our analysis handles even the dreaded eval function soundly and incorporates flow based on JavaScript's prototype inheritance. We implemented our analysis in a production JavaScript engine and report both qualitative as well as quantitative evaluation results.