Dynamic Information Flow Labeling in Javascript

Clientside scripting languages such as JavaScript are ubiquitous in modern, internet-connected computing, but pose a definite security risk to those who allow their execution. The widespread inclusion of thirdparty scripts into major websites increases the risks of malicious scripts interfering with the desired behavior of a page, and consequently decreases the level of security available to web users. While a variety of security mechanisms do exist in current browser environments (e.g. the “same origin policy”, SSL certificates, etc.) these approaches often lack the flexibility necessary to cope with real-world threats. Furthermore, these measures fail to fully account for subtle threats posed by JavaScript, such as unwanted information access, as in cross-site request forgery (CSRF) and cross-site scripting (XSS). Recent academic attention focusses on increasing the security of JavaScript, either by reducing its functionality (for example Facebook JavaScript (FBJS) or Google’s Caja) or by augmenting the execution environment. The latter can take a wide variety of forms (viz. Section 2) This paper presents a novel approach to instrumenting a JavaScript interpreter, using a hybrid of static and dynamic approaches to label values during the course of execution. Our work dynamically tracks direct information flow during execution, as well as utilizing static analysis to support dynamic context tracking for intraand inter-procedural implicit information flow tracking. Furthermore, this flow tracking handles complex features of JavaScript that have caused issues in the past, such as eval [viz. 5] and dynamic dispatch on a prototype chain.