JFlow: practical mostly-static information flow control
Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Certification of programs for secure information flow
Communications of the ACM
Protecting privacy using the decentralized label model
ACM Transactions on Software Engineering and Methodology (TOSEM)
Efficient implementation of the smalltalk-80 system
POPL '84 Proceedings of the 11th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
A brief history of just-in-time
ACM Computing Surveys (CSUR)
Programming languages for information security
Programming languages for information security
A General Dynamic Information Flow Tracking Framework for Security Applications
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Dynamic multi-process information flow tracking for web application security
Proceedings of the 2007 ACM/IFIP/USENIX international conference on Middleware companion
Secure Web Browsing with the OP Web Browser
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Preventing Information Leaks through Shadow Executions
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Staged information flow for javascript
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Trace-based just-in-time type specialization for dynamic languages
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Efficient purely-dynamic information flow analysis
Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
Analyzing Information Flow in JavaScript-Based Browser Extensions
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Permissive dynamic information flow analysis
PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Noninterference through Secure Multi-execution
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
An empirical study of privacy-violating information flows in JavaScript web applications
Proceedings of the 17th ACM conference on Computer and communications security
ECOOP'10 Proceedings of the 24th European conference on Object-oriented programming
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Information flow analysis for javascript
Proceedings of the 1st ACM SIGPLAN international workshop on Programming language and systems technologies for internet clients
Multiple facets for dynamic information flow
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Fast and precise hybrid type inference for JavaScript
Proceedings of the 33rd ACM SIGPLAN conference on Programming Language Design and Implementation
Language-based information-flow security
IEEE Journal on Selected Areas in Communications
Tracking the trackers: fast and scalable dynamic analysis of web content for privacy violations
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Information-Flow Security for a Core of JavaScript
CSF '12 Proceedings of the 2012 IEEE 25th Computer Security Foundations Symposium
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
| Hi-index | 0.00 |
Web applications are vulnerable to cross-site scripting attacks that enable data thefts. Information flow tracking in web browsers can prevent communication of sensitive data to unintended recipients and thereby stop such data thefts. Unfortunately, existing solutions have focused on incorporating information flow into browsers’ JavaScript interpreters, rather than just-in-time compilers, rendering the resulting performance noncompetitive. Few users will switch to a safer browser if it comes at the cost of significantly degrading web application performance. We present the first information flow tracking JavaScript engine that is based on a true just-in-time compiler, and that thereby outperforms all previous interpreter-based information flow tracking JavaScript engines by more than a factor of two. Our JIT-based engine (i) has the same coverage as previous interpreter- based solutions, (ii) requires reasonable implementation effort, and (iii) introduces new optimizations to achieve acceptable performance. When evaluated against three industry-standard JavaScript benchmark suites, there is still an average slowdown of 73% over engines that do not support information flow, but this is now well within the range that many users will find an acceptable price for obtaining substantially increased security.