TY - GEN
T1 - Inlined information flow monitoring for JavaScript
AU - Chudnov, Andrey
AU - Naumann, David A.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - Extant security mechanisms for web apps, notably the "same-origin policy", are not sufficient to achieve confidentiality and integrity goals for the many apps that manipulate sensitive information. The trend in web apps is "mashups" which integrate JavaScript code from multiple providers in ways that can undercut existing security mechanisms. Researchers are exploring dynamic information flow controls (IFC) for JavaScript, but there are many challenges to achieving strong IFC without excessive performance cost or impractical browser modifications. This paper presents an inlined IFC monitor for ECMAScript 5 with web support, using the no-sensitive-upgrade (NSU) technique, together with experimental evaluation using synthetic mashups and performance benchmarks. On this basis it should be possible to conduct experiments at scale to evaluate feasibility of both NSU and inlined monitoring.
AB - Extant security mechanisms for web apps, notably the "same-origin policy", are not sufficient to achieve confidentiality and integrity goals for the many apps that manipulate sensitive information. The trend in web apps is "mashups" which integrate JavaScript code from multiple providers in ways that can undercut existing security mechanisms. Researchers are exploring dynamic information flow controls (IFC) for JavaScript, but there are many challenges to achieving strong IFC without excessive performance cost or impractical browser modifications. This paper presents an inlined IFC monitor for ECMAScript 5 with web support, using the no-sensitive-upgrade (NSU) technique, together with experimental evaluation using synthetic mashups and performance benchmarks. On this basis it should be possible to conduct experiments at scale to evaluate feasibility of both NSU and inlined monitoring.
UR - http://www.scopus.com/inward/record.url?scp=84954128505&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84954128505&partnerID=8YFLogxK
U2 - 10.1145/2810103.2813684
DO - 10.1145/2810103.2813684
M3 - Conference contribution
AN - SCOPUS:84954128505
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 629
EP - 643
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Y2 - 12 October 2015 through 16 October 2015
ER -