Information Flow Control for JavaScript

This project is partially funded by a DFG grant as part of the Priority Programme 1496 "Reliably Secure Software Systems – RS3". The grant was awarded together with Deepak Garg of MPI-SWS.

In our paper "Information Flow Control for Event Handling and the DOM in Web Browsers" (to be presented at the 28th IEEE Computer Security Foundations Symposium CSF'15) we extended information flow label tracking to the remaining major components of the Browser besides the JavaScript engine. Thus we can now track the information flow through realistic web pages and started evaluating our approach on security policies.
This paper was awarded the 2014/2015 Best Paper Award of the DFG priority programme Reliably Secure Software Systems (RS3).

Our paper "Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis" was presented at the 9th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS'14) and the Joint Workshop on Foundations of Computer Security and Formal and Computational Cryptography (FCS-FCC'14)

We formalized the bytecode of WebKit's JavaScript engine and proved noninterference for our hybrid static and dynamic enforcement mechanism. The results were presented at POST'14. An extended version that contains some more evaluation results as well as the proofs is available here.

As part of the initial study we developed the first information flow control algorithm for full JavaScript including the dreaded eval function. It dynamically tracks information flow but captures implicit flow with local static analysis.