To ensure the confidentiality and integrity of web content, modern web browsers enforce isolation between content and scripts from different domains with the same-origin policy (SOP). However, many web applications require cross-origin sharing of code and data. This conflict between isolation and sharing has led to an ad hoc implementation of the SOP that has proven vulnerable to such attacks as cross-site scripting, cross-site request forgery, and browser privacy leaks. In this paper, we argue that information flow control (IFC) not only subsumes the same-origin policy but is also more flexible and sound. IFC not only provides stronger confidentiality and integrity for today's web sites, but also better supports complex sites such as mashups, which are notoriously difficult to implement securely under the SOP.