Hybrid Typing of Secure Information Flow in a JavaScript-Like Language
نویسندگان
چکیده
As JavaScript is highly dynamic by nature, static information flow analyses are often too coarse to deal with the dynamic constructs of the language. To cope with this challenge, we present and prove the soundness of a new hybrid typing analysis for securing information flow in a JavaScript-like language. Our analysis combines static and dynamic typing in order to avoid rejecting programs due to imprecise typing information. Program regions that cannot be precisely typed at static time are wrapped inside an internal boundary statement used by the semantics to interleave the execution of statically verified code with the execution of code that must be dynamically checked.
منابع مشابه
Enforcing secure information flow in client-side Web applications. (Vers l'établissement du flux d'information sûr dans les applications Web côté client)
During the last decade, Web applications have evolved from static pages presented by Web servers which centralised all computations to multi-tier applications in which computations are shared between the client and the server. In addition to this, current client-side Web applications often combine code dynamically loaded from different origins to create new functionalities. As it happens, this ...
متن کاملSecure Information Flow and Pointer Confinement in a Java-like Language
We consider a sequential object-oriented language with pointers and mutable state, private fields and classbased visibility, dynamic binding and inheritance, recursive classes, casts and type tests, and recursive methods. Programs are annotated with security levels, constrained by security typing rules. A noninterference theorem shows how the rules ensure pointer confinement and secure informat...
متن کاملSecure Web Applications via Automatic Partitioning
Swift is a new, principled approach to building web applications that are secure by construction. In modern web applications, some application functionality is usually implemented as client-side code written in JavaScript. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically p...
متن کاملInformation Flow Control with Errors
Information Flow Control is concerned with the correct handling of data with respect to a security policy. A common enforcement technique is annotated type systems. For object-oriented languages, type systems have been developed for class-based languages. The reason for this is that in a class-based language, it is simpler to design a type system that ensures well-typed programs do not result i...
متن کاملFission: Secure Dynamic Code-Splitting for JavaScript
Traditional web programming involves the creation of two distinct programs: a client-side frontend, a server-side back-end, and a lot of communications boilerplate. An alternative approach is to use a tierless programming model, where a single program describes the behavior of both the client and the server, and the runtime system takes care of communication. Unfortunately, this usually entails...
متن کامل