Standard

Practical Information Flow Control for Web Applications. / Scull Pupo, Angel Luis; Christophe, Laurent; Nicolay, Jens; De Roover, Coen; Gonzalez Boix, Elisa.

Lecture Notes in Computer Science : Proceedings of the 18th International Conference on Runtime Verification. Vol. 11237 Springer, 2018. p. 372-388.

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › Research

Harvard

Scull Pupo, AL, Christophe, L, Nicolay, J, De Roover, C & Gonzalez Boix, E 2018, Practical Information Flow Control for Web Applications. in Lecture Notes in Computer Science : Proceedings of the 18th International Conference on Runtime Verification. vol. 11237, Springer, pp. 372-388, 18th International Conference on Runtime Verification, Limassol, Cyprus, 11/11/18.

APA

Scull Pupo, A. L., Christophe, L., Nicolay, J., De Roover, C., & Gonzalez Boix, E. (2018). Practical Information Flow Control for Web Applications. In Lecture Notes in Computer Science : Proceedings of the 18th International Conference on Runtime Verification (Vol. 11237, pp. 372-388). Springer.

Vancouver

Scull Pupo AL, Christophe L, Nicolay J, De Roover C, Gonzalez Boix E. Practical Information Flow Control for Web Applications. In Lecture Notes in Computer Science : Proceedings of the 18th International Conference on Runtime Verification. Vol. 11237. Springer. 2018. p. 372-388

Author

Scull Pupo, Angel Luis ; Christophe, Laurent ; Nicolay, Jens ; De Roover, Coen ; Gonzalez Boix, Elisa. / Practical Information Flow Control for Web Applications. Lecture Notes in Computer Science : Proceedings of the 18th International Conference on Runtime Verification. Vol. 11237 Springer, 2018. pp. 372-388

BibTeX

@inproceedings{77c9c152afdf439588029bfde883cb0d,
title = "Practical Information Flow Control for Web Applications",
abstract = "Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementations for IFC enforcement remain a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with respect to the closest related work and show that Gifc performs better at detecting unwanted implicit flows.",
keywords = "Security, JavaScript, Web Applications",
author = "{Scull Pupo}, {Angel Luis} and Laurent Christophe and Jens Nicolay and {De Roover}, Coen and {Gonzalez Boix}, Elisa",
year = "2018",
month = "11",
language = "English",
isbn = "978-3-030-03768-0",
volume = "11237",
pages = "372--388",
booktitle = "Lecture Notes in Computer Science",
publisher = "Springer",
}

RIS

TY - GEN

T1 - Practical Information Flow Control for Web Applications

AU - Scull Pupo, Angel Luis

AU - Christophe, Laurent

AU - Nicolay, Jens

AU - De Roover, Coen

AU - Gonzalez Boix, Elisa

PY - 2018/11

Y1 - 2018/11

N2 - Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementations for IFC enforcement remain a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with respect to the closest related work and show that Gifc performs better at detecting unwanted implicit flows.

AB - Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementations for IFC enforcement remain a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with respect to the closest related work and show that Gifc performs better at detecting unwanted implicit flows.

KW - Security

KW - JavaScript

KW - Web Applications

M3 - Conference paper

SN - 978-3-030-03768-0

VL - 11237

SP - 372

EP - 388

BT - Lecture Notes in Computer Science

PB - Springer

ER -
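The abstract above names three ingredients of Gifc: a permissive-upgrade discipline for implicit flows (the three-label scheme of Austin and Flanagan, where a public variable written under a secret-dependent control path becomes "partially leaked" instead of aborting the program), inlined monitoring, and an API function model so that DOM nodes can be tracked as channels. The following is an added illustration written for this page, not code from the paper or from Gifc: a toy inline monitor for a tiny labeled JavaScript subset. The `Monitor`/`ModeledNode` API, the label names `L`/`H`/`P` and the four sample programs are all assumptions made for the example; the abstract does not describe Gifc's internals at this level.

```javascript
// Added example (not Gifc's code): toy permissive-upgrade (PU) inline monitor for a
// small labeled JavaScript subset, plus an API model for a DOM-like node so that
// secret-dependent writes to the node are tracked as a channel.
// Labels: L = public, H = secret, P = "partially leaked" (PU's extra label).
const L = 'L', H = 'H', P = 'P';

// Join on the L < H lattice; P is sticky (P joined with anything is P).
function join(a, b) {
  if (a === P || b === P) return P;
  return (a === H || b === H) ? H : L;
}

// Labeled value: {value, label}. `not` is the one operator the samples need.
const lv = (value, label = L) => ({ value, label });
const not = (x) => lv(!x.value, x.label);

class Monitor {
  constructor() { this.pc = [L]; this.store = new Map(); }
  currentPc() { return this.pc[this.pc.length - 1]; }
  declare(name, value, label = L) { this.store.set(name, lv(value, label)); }
  read(name) { return this.store.get(name); }

  // Assignment rule. Under a secret pc, no-sensitive-upgrade (NSU) aborts when the
  // target is public; PU instead relabels the target P and keeps running.
  assign(name, x) {
    const pc = this.currentPc();
    const old = this.store.get(name) || lv(undefined, L);
    let label;
    if (pc === L) label = x.label;
    else label = old.label === H ? join(x.label, H) : P;
    this.store.set(name, lv(x.value, label));
  }

  // Branch rule: testing a P value is where PU stops, because the outcome of the
  // test would turn the partial leak into a real one. Otherwise raise the pc.
  branch(cond, thenFn, elseFn = () => {}) {
    if (cond.label === P) throw new Error('IFC violation: branch on partially leaked value');
    this.pc.push(join(this.currentPc(), cond.label));
    try { if (cond.value) thenFn(); else elseFn(); } finally { this.pc.pop(); }
  }

  // Public sink (network send, URL, ...): only L values may leave.
  sink(x) {
    const label = join(x.label, this.currentPc());
    if (label !== L) throw new Error(`IFC violation: ${label}-labeled value reaches public sink`);
    return x.value;
  }
}

// API function model for a DOM-like node: textContent is a shadow variable in the
// store, so writes go through the assignment rule and reads carry the stored label.
class ModeledNode {
  constructor(mon, id) { this.mon = mon; this.key = `dom:${id}.textContent`; mon.declare(this.key, ''); }
  setText(x) { this.mon.assign(this.key, x); }
  getText() { return this.mon.read(this.key); }
}

// Run a monitored program and report 'allowed' or 'blocked: <reason>'.
function run(program) {
  try { program(new Monitor()); return 'allowed'; } catch (e) { return `blocked: ${e.message}`; }
}

// 1. Explicit flow: the secret itself reaches the sink.
const explicitLeak = () => run((m) => {
  m.declare('secret', 42, H);
  m.sink(m.read('secret'));
});

// 2. Secret-dependent write followed only by public output: NSU would abort at the
//    write, PU lets the program finish (pub ends up labeled P, nothing leaks).
const harmlessImplicit = () => run((m) => {
  m.declare('secret', true, H); m.declare('pub', false);
  m.branch(m.read('secret'), () => m.assign('pub', lv(true)));
  m.sink(lv('done'));
});

// 3. Classic two-branch laundering of the secret through pub: PU stops at the
//    second test, before `out` could be sent.
const launderedImplicit = () => run((m) => {
  m.declare('secret', true, H); m.declare('pub', false); m.declare('out', false);
  m.branch(m.read('secret'), () => m.assign('pub', lv(true)));
  m.branch(not(m.read('pub')), () => m.assign('out', lv(true)));
  m.sink(m.read('out'));
});

// 4. DOM node as a channel: write under a secret pc, read it back, send it.
const domChannel = () => run((m) => {
  m.declare('secret', true, H);
  const node = new ModeledNode(m, 'status');
  m.branch(m.read('secret'), () => node.setText(lv('vip')));
  m.sink(node.getText());
});
```

The point of the fourth program is the one the abstract makes about DOM nodes: without an API model, the write in the secret-dependent branch and the later `getText()` read would be unrelated native calls and the monitor would see a public string reaching the sink. Modelling `textContent` as a store location makes the node inherit the P label like any variable. Program 2 versus program 3 shows why a permissive-upgrade monitor is attractive for real web code: it tolerates the common pattern of a secret-dependent write that is never observed, and only stops when the partially leaked value is tested.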
