Preventing Privacy-Violating Information Flows in JavaScript Applications Using Dynamic Labelling

  • Conference paper
Information Systems Security (ICISS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13784)

Abstract

Web browser-based applications handle large amounts of user information through web scripts. In particular, JavaScript applications access information through built-in browser APIs that dynamically load remote scripts, which execute with the same privilege as the applications themselves; this is usually referred to as the mashup model. Unfortunately, this allows malicious JavaScript to manipulate the given browser functionalities, leading to various web attacks that violate users’ privacy. Moreover, with the rapid growth of the e-commerce sector, malicious scripts pose a significant challenge to digital transactions. In this paper, we propose an approach that prevents various web-based attacks such as code injection and cross-site scripting (XSS). The approach adopts a Dynamic Labelling algorithm that automatically generates information flow security policies for local variables in JavaScript based on the given policies for sensitive variables. Unlike existing solutions, which are too conservative primarily because their generic flow policies lead to false alarms, our solution yields the conditions under which a script accepts the parameters returned by a dynamic script, thus enabling us to build an automatic platform for preventing information flows to malicious scripts without explicit characterization by programmers or users.

S. Ghosal—Work done while the author was at Indian Institute of Technology Bombay.

Author information

Correspondence to Sandip Ghosal.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Ghosal, S., Shyamasundar, R.K. (2022). Preventing Privacy-Violating Information Flows in JavaScript Applications Using Dynamic Labelling. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_12

  • DOI: https://doi.org/10.1007/978-3-031-23690-7_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23689-1

  • Online ISBN: 978-3-031-23690-7

  • eBook Packages: Computer Science, Computer Science (R0)