Abstract
As JavaScript is highly dynamic by nature, static information flow analyses are often too coarse to deal with the dynamic constructs of the language. To cope with this challenge, we present and prove the soundness of a new hybrid typing analysis for securing information flow in a JavaScript-like language. Our analysis combines static and dynamic typing in order to avoid rejecting programs due to imprecise typing information. Program regions that cannot be precisely typed at static time are wrapped inside an internal boundary statement used by the semantics to interleave the execution of statically verified code with the execution of code that must be dynamically checked.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Information flow control in webkit’s javascript bytecode. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 159–178. Springer, Heidelberg (2014)
Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: SP (2010)
Disney, T., Flanagan, C.: Gradual information flow typing. In: STOP (2011)
Fennell, L., Thiemann, P.: Gradual security typing with references. In: CSF (2013)
Flanagan, C.: Hybrid type checking. In: POPL (2006)
De Groef, W., Devriese, D., Nikiforakis, N., Piessens, F.: Flowfox: a web browser with flexible and precise information flow control. In: CCS (2012)
Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: JSFlow: tracking information flow in JavaScript and its APIs. In: SAC (2014)
Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: CSF (2012)
Maffeis, S., Taly, A.: Language-based isolation of untrusted JavaScript. In: CSF (2009)
Matthews, J., Findler, R.B.: Operational semantics for multi-language programs. In: ACM TOPLAS (2009)
Microsoft. TypeScript language specification. Technical report, Microsoft (2014)
Rastogi, A., Swamy, N., Fournet, C., Bierman, G., Vekris, P.: Safe & efficient gradual typing for TypeScript. In: POPL (2015)
Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: CSF (2010)
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)
Santos, J.F.: Online materials - hybrid type system 2015. http://www.doc.ic.ac.uk/~jfaustin
Santos, J.F., Rezk, T.: An information flow monitor-inlining compiler for securing a core of javascript. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 278–292. Springer, Heidelberg (2014)
Thiemann, P.: Towards a type system for analyzing javascript programs. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 408–422. Springer, Heidelberg (2005)
Volpano, D.M., Irvine, C.E., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2), 167–187 (1996)
Wright, A., Felleisen, M.: A syntactic approach to type soundness. Inf. Comput. 115(1), 38–94 (1994)
Acknowledgments
We acknowledge funding from the EPSRC grant reference EP/K032089/1 (Fragoso Santos) and the ANR project AJACS ANR-14-CE28-0008 (Jensen, Rezk, and Schmitt). No new data was collected in the course of this research.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Fragoso Santos, J., Jensen, T., Rezk, T., Schmitt, A. (2016). Hybrid Typing of Secure Information Flow in a JavaScript-Like Language. In: Ganty, P., Loreti, M. (eds) Trustworthy Global Computing. TGC 2015. Lecture Notes in Computer Science(), vol 9533. Springer, Cham. https://doi.org/10.1007/978-3-319-28766-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-28766-9_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28765-2
Online ISBN: 978-3-319-28766-9
eBook Packages: Computer ScienceComputer Science (R0)