Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementations for ICF enforcement remains a challenge when the full spectrum of web applications features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through APIs calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with respect to closest related work and show that Gifc performs better at detecting unwanted implicit flows.
Original languageEnglish
Title of host publicationLecture Notes in Computer Science
Subtitle of host publicationProceedings of the 18th International Conference on Runtime Verification
PublisherSpringer
Volume11237
ISBN (Electronic)978-3-030-03769-7
ISBN (Print)978-3-030-03768-0
Publication statusAccepted/In press - Nov 2018
Event18th International Conference on Runtime Verification - Limassol, Cyprus
Duration: 11 Nov 201813 Nov 2018
Conference number: 18

Conference

Conference18th International Conference on Runtime Verification
Abbreviated titleRV
CountryCyprus
CityLimassol
Period11/11/1813/11/18

    Research areas

  • Security, JavaScript, Web Applications

ID: 39486523