An Information Flow Monitor-Inlining Compiler for Securing a Core of JavaScript
نویسندگان
چکیده
Web application designers and users alike are interested in isolation properties for trusted JavaScript code in order to prevent confidential resources from being leaked to untrusted parties. Noninterference provides the mathematical foundation for reasoning precisely about the information flows that take place during the execution of a program. Due to the dynamicity of the language, research on mechanisms for enforcing noninterference in JavaScript has mostly focused on dynamic approaches. We present the first information flow monitor inlining compiler for a realistic core of JavaScript. We prove that the proposed compiler enforces termination-insensitive noninterference and we provide an implementation that illustrates its applicability.
منابع مشابه
Architectures for Inlining Security Monitors in Web Applications
Securing JavaScript in the browser is an open and challenging problem. Code from pervasive third-party JavaScript libraries exacerbates the problem because it is executed with the same privileges as the code that uses the libraries. An additional complication is that the different stakeholders have different interests in the security policies to be enforced in web applications. This paper focus...
متن کاملSpeculative Inlining of Predefined Procedures in an R5RS Scheme to C Compiler
The semantics of some dynamic programming languages, including Python, JavaScript, and R5RS Scheme, make it hard for a compiler to inline predefined procedures without compromising the semantics of the language. In the case of Scheme, many existing compilers can only achieve good execution speed by assuming that variables bound to predefined procedures are never mutated. This paper presents a s...
متن کاملEnforcing secure information flow in client-side Web applications. (Vers l'établissement du flux d'information sûr dans les applications Web côté client)
During the last decade, Web applications have evolved from static pages presented by Web servers which centralised all computations to multi-tier applications in which computations are shared between the client and the server. In addition to this, current client-side Web applications often combine code dynamically loaded from different origins to create new functionalities. As it happens, this ...
متن کاملOn-the-fly Inlining of Dynamic Security Monitors
How do we guarantee that a piece of code, possibly originating from third party, does not jeopardize the security of the underlying application? Language-based information-flow security considers programs that manipulate pieces of data at different sensitivity levels. Securing information flow in such programs remains an open challenge. Recently, considerable progress has been made on understan...
متن کاملThe Eeectiveness of Flow Analysis for Inlining
An interprocedural ow analysis can justify inlining in higher-order languages. In principle, more inlining can be performed as analysis accuracy improves. This paper compares four ow analyses to determine how eeec-tively they justify inlining in practice. The paper makes two contributions. First, the relative merits of the ow analyses are measured with all other variables held constant. The fou...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2014