Abstract
Web browser-based applications handle large amounts of user information through web scripts. In particular, JavaScript applications access information through built-in browser APIs that dynamically load remote scripts and execute them with the same privilege as the application itself, an arrangement usually referred to as the mashup model. Unfortunately, this allows malicious scripts to manipulate browser functionality, leading to various web attacks that violate users’ privacy. Moreover, with the rapid growth of e-commerce, malicious scripts pose a significant challenge to digital transactions. In this paper, we propose an approach that prevents various web-based attacks such as code injection and cross-site scripting (XSS). The approach adopts a Dynamic Labelling algorithm that automatically generates information flow security policies for local variables in JavaScript based on the given policies for sensitive variables. Unlike existing solutions, which are too conservative, primarily because generic flow policies lead to false alarms, our solution identifies the conditions under which a script accepts the parameters returned by a dynamic script; this enables us to build an automatic platform for preventing information flows to malicious scripts without explicit characterization by programmers or users.
S. Ghosal—Work done while the author was at Indian Institute of Technology Bombay.
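A simplified illustration of the label-inference idea in the abstract, added here and not taken from the paper: labels are given only for a sensitive variable and two network sinks, labels for locals are inferred, and flows into the sinks are checked. The reader-set label representation, the statement encoding, the principal names and `labelProgram` are all assumptions made for this example.

```javascript
// Added illustration (not the paper's algorithm): a label is the set of
// principals allowed to read a value. All names below are constructed.
const ALL = ['user', 'shop.example', 'ads.example'];
// Join = intersection of readers, i.e. the more restrictive of two labels.
const join = (a, b) => a.filter(p => b.includes(p));
// A flow is allowed only if the destination adds no new readers.
const canFlow = (from, to) => to.every(p => from.includes(p));

// policy: fixed labels for sensitive variables and sinks. Locals are not in
// the policy; their labels are inferred while walking the program.
function labelProgram(stmts, policy) {
  const fixed = new Set(Object.keys(policy));
  const labels = new Map(Object.entries(policy));
  const violations = [];
  const labelOf = v => labels.get(v) ?? ALL; // unlabelled local starts public
  const walk = (block, pc) => {
    for (const s of block) {
      // Operands joined with the pc label, so implicit flows through
      // branch conditions are tracked as well as direct assignments.
      const src = s.uses.map(labelOf).reduce(join, pc);
      if (s.op === 'if') { walk(s.body, src); continue; }
      if (fixed.has(s.target)) {
        // Sensitive variable or sink: check the flow, never relabel.
        if (!canFlow(src, policy[s.target])) violations.push(`${s.uses.join(',')} -> ${s.target}`);
      } else {
        // Local variable: restrict its label just enough to accept the flow.
        labels.set(s.target, join(labelOf(s.target), src));
      }
    }
  };
  walk(stmts, ALL);
  return { labels: Object.fromEntries(labels), violations };
}

// Constructed sample: a checkout page that also loads a third-party ad script.
const policy = {
  cardNumber: ['user', 'shop.example'],
  'send:shop.example': ['shop.example'],
  'send:ads.example': ['ads.example'],
};
const program = [
  { op: 'assign', target: 'masked', uses: ['cardNumber'] },
  { op: 'assign', target: 'theme', uses: [] },
  { op: 'if', uses: ['masked'], body: [{ op: 'assign', target: 'flag', uses: [] }] },
  { op: 'assign', target: 'send:shop.example', uses: ['masked'] },
  { op: 'assign', target: 'send:ads.example', uses: ['theme'] },
  { op: 'assign', target: 'send:ads.example', uses: ['flag'] },
];
const result = labelProgram(program, policy);
console.log(result.labels, result.violations);
```

Only the last statement is rejected: `flag` is assigned a constant, but inside a branch on `masked`, so it inherits the card number's label through the implicit flow.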
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Ghosal, S., Shyamasundar, R.K. (2022). Preventing Privacy-Violating Information Flows in JavaScript Applications Using Dynamic Labelling. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_12
DOI: https://doi.org/10.1007/978-3-031-23690-7_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23689-1
Online ISBN: 978-3-031-23690-7
eBook Packages: Computer Science, Computer Science (R0)