Dynamic Information Flow Analysis for Featherweight JavaScript Technical Report #UCSC-SOE-11-19
نویسندگان
چکیده
Although JavaScript is an important part of Web 2.0, it has historically been a major source of security holes. Code from malicious advertisers and cross-site-scripting (XSS) attacks are particularly pervasive problems. In this paper, we explore dynamic information flow to prevent the loss of confidential information from malicious JavaScript code. In particular, we extend prior dynamic information flow techniques to deal with the many complexities of JavaScript, including mutable and extensible objects and arrays, dynamic prototype chains for field and method inheritance, functions with implicit this arguments that are also used as methods and constructors, etc. We formally verify that our extended dynamic analysis provides termination-insensitive non-interference.
منابع مشابه
Permissive Dynamic Information Flow Analysis Technical Report #UCSC-SOE-09-34
A key challenge in dynamic information flow analysis is handling implicit flows, where code conditional on a private variable updates a public variable x. The naive approach of upgrading x to private results in x being partially-leaked, where its value contains private data but its label may be either private (on this execution) or public (on an alternative execution where the conditional updat...
متن کاملThe Effect of VSIDS on SAT Solver Performance Technical Report UCSC-SOE-09-21
VSIDS, a popular decision heuristic introduced in CHAFF, is compared against several simple heuristics to evaluate its effectiveness on a given set of benchmarks.
متن کاملRedCard: Redundant Check Elimination For Dynamic Race Detectors Technical Report UCSC-SOE-13-05∗
Precise dynamic race detectors report an error if and only if an observed program trace exhibits a data race. They must typically check for races on all memory accesses to ensure that they catch all races and generate no spurious warnings. However, a race check for a particular memory access is guaranteed to be redundant if the accessing thread has already accessed that location within the same...
متن کاملHybrid Typing of Secure Information Flow in a JavaScript-Like Language
As JavaScript is highly dynamic by nature, static information flow analyses are often too coarse to deal with the dynamic constructs of the language. To cope with this challenge, we present and prove the soundness of a new hybrid typing analysis for securing information flow in a JavaScript-like language. Our analysis combines static and dynamic typing in order to avoid rejecting programs due t...
متن کاملDynamic Information Flow Labeling in Javascript
Clientside scripting languages such as JavaScript are ubiquitous in modern, internet-connected computing, but pose a definite security risk to those who allow their execution. The widespread inclusion of thirdparty scripts into major websites increases the risks of malicious scripts interfering with the desired behavior of a page, and consequently decreases the level of security available to we...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2011