Staged Information Flow for JavaScript

Authors: Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, Sorin Lerner

DOI: 10.1145/1542476.1542483

Keywords:

Abstract: Modern websites are powered by JavaScript, a flexible dynamic scripting language that executes in client browsers. A common paradigm in such websites is to include third-party JavaScript code in the form of libraries or advertisements. If this code were malicious, it could read sensitive information from the page or write to the location bar, thus redirecting the user to a malicious page, from which the entire machine could be compromised. We present an information-flow based approach for inferring the effects that a piece of JavaScript has on the website in order to ensure that key security properties are not violated. To handle dynamically loaded and generated JavaScript, we propose a framework for staging information flow properties. Our framework propagates information flow through the currently known code in order to compute a minimal set of syntactic residual checks that are performed on the remaining code when it is dynamically loaded. We have implemented a prototype framework for staging information flow. We describe our techniques for handling some difficult features of JavaScript and evaluate our system's performance on a variety of large real-world websites. Our experiments show that static information flow is feasible and efficient for JavaScript, and that our technique allows the enforcement of information-flow policies with almost no run-time overhead.
