Information Flow Control for Web Scripts

Authors

  • Willem De Groef
  • Dominique Devriese
  • Mathy Vanhoef
  • Frank Piessens
Abstract

Modern web applications heavily rely on JavaScript code executing in the browser. These web scripts are useful, for instance, for improving the interactivity and responsiveness of web applications, and for gathering web analytics data. However, the execution of server-provided code in the browser also brings substantial security and privacy risks. Web scripts can access a fair amount of sensitive information, and can leak this information to anyone on the Internet. This tutorial paper discusses information flow control mechanisms for countering these threats. We formalize both a static, type-system based and a dynamic, multiexecution based enforcement mechanism, and show by means of examples how these mechanisms can enforce the security of information flows in web scripts.


Similar resources

Transparent Privacy Control via Static Information Flow Analysis

A common problem faced by modern mobile-device platforms is that third-party applications in the marketplace may leak private information without notifying users. Existing approaches adopted by these platforms provide little information on what applications will do with the private information, failing to effectively assist users in deciding whether to install applications and in controlling the...


Secure multi-execution of web scripts: Theory and practice

Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be a good fit for implementing information flow security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser that implements an information flow control mechanism for web scripts based on the technique of secure multi-execution. We provide ev...


WebPol: Fine-Grained Information Flow Policies for Web Browsers

In the standard web browser programming model, third-party scripts included in an application execute with the same privilege as the application’s own code. This leaves the application’s confidential data vulnerable to theft and leakage by malicious code and inadvertent bugs in the third-party scripts. Security mechanisms in modern browsers (the same-origin policy, cross-origin resource sharing ...


Perceiving the GUISE: Graphical User Interface Specification Extraction

We present a dynamic control-flow analysis and state classifier for graphical user interfaces. Search engines, end-user programming interfaces, and automated testers exploit such information, but are challenged by client-side and server-side scripts obscuring it: our analysis succeeds on popular web applications that contain both. We further motivate such analyses. First, we introduce a new type ...


Protecting Private Web Content from Embedded Scripts

Many web pages display personal information provided by users. The goal of this work is to protect that content from untrusted scripts that are embedded in host pages. We present a browser modification that provides fine-grained control over what parts of a document are visible to different scripts, and executes untrusted scripts in isolated environments where private information is not accessi...



Publication date: 2013