Modular Monitor Extensions for Information Flow Security in JavaScript
作者: José Fragoso Santos , Tamara Rezk , Ana Almeida Matos
DOI: 10.1007/978-3-319-28766-9_4
关键词:
摘要: Client-side JavaScript programs often interact with the web page into which they are included, as well browser itself, through APIs such DOM API, XMLHttpRequest and W3C Geolocation API. Precise reasoning about security must therefore take API invocation account. However, continuous emergence of new APIs, heterogeneity their forms features, renders behavior a moving target that is particularly hard to capture. To tackle this problem, we propose methodology for modularly extending sound information flow monitors generic Hence, verify whether an extended monitor complies proposed noninterference property requires only prove satisfies predefined set conditions. In order illustrate practicality our methodology, show how monitor-inlining compiler can account arbitrary without changing code or proofs original compiler. We provide implementation extension handling fragment Core Level 1 Furthermore, supports addition extensions at runtime.
springer.com
archives-ouvertes.fr
sci-hub.st 参考文章(21)
Robert Richards, Document Object Model (DOM) Pro PHP XML and Web Services. pp. 181- 238 ,(2006) , 10.1007/978-1-4302-0139-7_6
Ana Almeida-Matos, José Fragoso Santos, Tamara Rezk, An Information Flow Monitor for a Core of DOM trustworthy global computing. pp. 1- 16 ,(2014) , 10.1007/978-3-662-45917-1_1
José Fragoso Santos, Tamara Rezk, An Information Flow Monitor-Inlining Compiler for Securing a Core of JavaScript ICT Systems Security and Privacy Protection. pp. 278- 292 ,(2014) , 10.1007/978-3-642-55415-5_23
Gurvan Le Guernic, Information Flow Testing Annual Asian Computing Science Conference. ,vol. 4846, pp. 33- 47 ,(2007) , 10.1007/978-3-540-76929-3_4
Vineet Rajani, Abhishek Bichhawat, Deepak Garg, Christian Hammer, Information Flow Control for Event Handling and the DOM in Web Browsers 2015 IEEE 28th Computer Security Foundations Symposium. pp. 366- 379 ,(2015) , 10.1109/CSF.2015.32
Alejandro Russo, Andrei Sabelfeld, Andrey Chudnov, Tracking information flow in dynamic tree structures european symposium on research in computer security. pp. 86- 103 ,(2009) , 10.1007/978-3-642-04444-1_6
Gurvan Le Guernic, David Schmidt, Anindya Banerjee, Confidentiality enforcement using dynamic information flow analyses Kansas State University. ,(2007)
Thomas H. Austin, Cormac Flanagan, Permissive dynamic information flow analysis acm workshop on programming languages and analysis for security. pp. 3- ,(2010) , 10.1145/1814217.1814220
Thomas H. Austin, Cormac Flanagan, Efficient purely-dynamic information flow analysis Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security - PLAS '09. pp. 113- 124 ,(2009) , 10.1145/1554339.1554353
Andrey Chudnov, David A. Naumann, Information Flow Monitor Inlining ieee computer security foundations symposium. pp. 200- 214 ,(2010) , 10.1109/CSF.2010.21