Information-flow security for JavaScript and its APIs
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems; Department of Computer Science and Engineering, Chalmers University of Technology, Rännvägen 6B, Gothenburg, Sweden. ORCID iD: 0000-0002-6621-8390
Department of Computer Science and Engineering, Chalmers University of Technology, Rännvägen 6B, Gothenburg, Sweden.
Department of Computer Science and Engineering, Chalmers University of Technology, Rännvägen 6B, Gothenburg, Sweden.
2016 (English). In: Journal of Computer Security, ISSN 0926-227X, E-ISSN 1875-8924, Vol. 24, no 2, pp. 181-234. Article in journal (Refereed). Published.
Resource type
Text
Abstract [en]

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

Place, publisher, year, edition, pages
2016. Vol. 24, no 2, pp. 181-234.
Keyword [en]
information flow, JavaScript, noninterference, reference monitoring, Web application security, Codes (symbols), Computational linguistics, Dynamics, High level languages, Java programming language, Security of data, Websites, World Wide Web, XML, Higher order functions, In-depth understanding, Information flow security, Information flows, Information manipulation, Network security
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:mdh:diva-31584
DOI: 10.3233/JCS-160544
ISI: 000374759200002
Scopus ID: 2-s2.0-84965075936
OAI: oai:DiVA.org:mdh-31584
DiVA: diva2:927872
Available from: 2016-05-13. Created: 2016-05-13. Last updated: 2017-11-30. Bibliographically approved.

Open Access in DiVA

No full text
