Inlined information flow monitoring for JavaScript

Andrey Chudnov, David A. Naumann

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

42 Scopus citations

Abstract

Extant security mechanisms for web apps, notably the "same-origin policy", are not sufficient to achieve confidentiality and integrity goals for the many apps that manipulate sensitive information. The trend in web apps is "mashups" which integrate JavaScript code from multiple providers in ways that can undercut existing security mechanisms. Researchers are exploring dynamic information flow controls (IFC) for JavaScript, but there are many challenges to achieving strong IFC without excessive performance cost or impractical browser modifications. This paper presents an inlined IFC monitor for ECMAScript 5 with web support, using the no-sensitive-upgrade (NSU) technique, together with experimental evaluation using synthetic mashups and performance benchmarks. On this basis it should be possible to conduct experiments at scale to evaluate feasibility of both NSU and inlined monitoring.

Original language: English
Title of host publication: CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
Pages: 629-643
Number of pages: 15
ISBN (Electronic): 9781450338325
State: Published - 12 Oct 2015
Event: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: 12 Oct 2015 - 16 Oct 2015

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
Volume: 2015-October
ISSN (Print): 1543-7221

Conference

Conference: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country/Territory: United States
City: Denver
Period: 12/10/15 - 16/10/15
