Tracking Information Flow in Dynamic Tree Structures

  • Alejandro Russo
  • Andrei Sabelfeld
  • Andrey Chudnov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


This paper explores the problem of tracking information flow in dynamic tree structures. Motivated by the problem of manipulating the Document Object Model (DOM) trees by browser-run client-side scripts, we address the dynamic nature of interactions via tree structures. We present a runtime enforcement mechanism that monitors this interaction and prevents a range of attacks, some of them missed by previous approaches, that exploit the tree structure in order to transfer sensitive information. We formalize our approach for a simple language with DOM-like tree operations and show that the monitor prevents scripts from disclosing secrets.


Security Level Secret Data Security Context Credit Card Number Document Object Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Proc. IEEE Computer Security Foundations Symposium (July 2009)Google Scholar
  3. 3.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS) (June 2009)Google Scholar
  4. 4.
    Boudol, G.: Secure information flow as a safety property. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 20–34. Springer, Heidelberg (2009)Google Scholar
  5. 5.
    Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143–163. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Chandra, D., Franz, M.: Fine-grained information flow analysis and enforcement in a java virtual machine. In: Proc. Annual Computer Security Applications Conference, December 2007, pp. 463–475 (2007)Google Scholar
  7. 7.
    Chong, S., Liu, J., Myers, A.C., Qi, X., Vikram, K., Zheng, L., Zheng, X.: Secure web applications via automatic partitioning. In: Proc. ACM Symp. on Operating System Principles, October 2007, pp. 31–44 (2007)Google Scholar
  8. 8.
    Chong, S., Vikram, K., Myers, A.C.: Sif: Enforcing confidentiality and integrity in web applications. In: Proc. USENIX Security Symposium, August 2007, pp. 1–16 (2007)Google Scholar
  9. 9.
    Cooper, E., Lindley, S., Wadler, P., Yallop, J.: Links web-programming language. Software release (2006–2008),
  10. 10.
    Crockford, D.: Making javascript safe for advertising. (2009)Google Scholar
  11. 11.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Comm. of the ACM 20(7), 504–513 (1977)CrossRefzbMATHGoogle Scholar
  12. 12.
  13. 13.
    Fenton, J.S.: Memoryless subsystems. Computing J. 17(2), 143–147 (1974)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Google. Google Chrome (2009),
  15. 15.
    Google. Google Web Toolkit (2009),
  16. 16.
    Heintze, N., Riecke, J.G.: The SLam calculus: programming with secrecy and integrity. In: Proc. ACM Symp. on Principles of Programming Languages, January 1998, pp. 365–377 (1998)Google Scholar
  17. 17.
    Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: Proc. International Conference on World Wide Web, May 2004, pp. 40–52 (2004)Google Scholar
  18. 18.
    Johns, M.: On JavaScript malware and related threats. Journal in Computer Virology 4(3), 161–178 (2008)CrossRefGoogle Scholar
  19. 19.
    Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: Javascript instrumentation in practice. In: APLAS, pp. 326–341 (2008)Google Scholar
  20. 20.
    Le Guernic, G.: Automaton-based confidentiality monitoring of concurrent programs. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 218–232 (2007)Google Scholar
  21. 21.
    Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 75–89. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  22. 22.
    McCamant, S., Ernst, M.D.: Quantitative information flow as network flow capacity. In: Proc. ACM SIGPLAN Conference on Programming language Design and Implementation, pp. 193–205 (2008)Google Scholar
  23. 23.
    Miller, M., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized javascript (2008)Google Scholar
  24. 24.
    Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release (July 2001-2009),
  25. 25.
    Netscape. Using data tainting for security (2006),
  26. 26.
    Pottier, F., Simonet, V.: Information flow inference for ML. In: Proc. ACM Symp. on Principles of Programming Languages, January 2002, pp. 319–330 (2002)Google Scholar
  27. 27.
    Russo, A., Claessen, K., Hughes, J.: A library for light-weight information-flow security in Haskell. In: Proc. ACM SIGPLAN Symposium on Haskell, pp. 13–24. ACM Press, New York (2008)CrossRefGoogle Scholar
  28. 28.
    Russo, A., Sabelfeld, A.: Securing timeout instructions in web applications. In: Proc. IEEE Computer Security Foundations Symposium (July 2009)Google Scholar
  29. 29.
    Russo, A., Sabelfeld, A., Chudnov, A.: Tracking information flow in dynamic tree structures (2009),
  30. 30.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  31. 31.
    Sabelfeld, A., Russo, A.: From dynamic to static and back: Riding the roller coaster of information-flow control research. In: PSI 2009. LNCS. Springer, Heidelberg (to appear)Google Scholar
  32. 32.
    Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 203–217 (2007)Google Scholar
  33. 33.
    Simonet, V.: The Flow Caml system. Software release (July 2003),
  34. 34.
    Swamy, N., Corcoran, B.J., Hicks, M.: Fable: A language for enforcing user-defined security policies. In: Proc. IEEE Symp. on Security and Privacy, May 2008, pp. 369–383 (2008)Google Scholar
  35. 35.
    Venkatakrishnan, V.N., Xu, W., DuVarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 332–351. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  36. 36.
    Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-site scripting prevention with dynamic data tainting and static analysis. In: Proc. Network and Distributed System Security Symposium (February 2007)Google Scholar
  37. 37.
    Volpano, D.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303–311. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  38. 38.
    Wood, L.: Document Object Model (DOM) Level 1 Specification (1998),
  39. 39.
    Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 237–249. ACM Press, New York (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Alejandro Russo
    • 1
  • Andrei Sabelfeld
    • 1
  • Andrey Chudnov
    • 2
  1. 1.Chalmers University of TechnologySweden
  2. 2.Stevens Institute of TechnologyUSA

Personalised recommendations