UC Santa Cruz

JavaScript has become a central technology of the web, but it is also the source of many security problems, including cross-site scripting attacks and malicious advertising code. Central to these problems is the fact that code from untrusted sources runs with the same privileges as trusted code in the same frame.

While much work has been done to secure JavaScript in a somewhat piecemeal approach, information flow analysis presents a compelling option for providing a more systemic solution to the problem. By tracking the flow of sensitive information in the browser, we can prevent it from leaking out to untrusted sources. Formally, information flow analysis can provide non-interference, the guarantee that public outputs do not depend on private inputs.

Previous information flow techniques have primarily relied on static type systems. While effective, they are an awkward fit for dynamically typed JavaScript code. This dissertation explores three different runtime enforcement mechanisms that can guarantee non-interference dynamically.

The no-sensitive-upgrade check forbids updating public reference cells in a private context through the use of a runtime monitor. This approach can be done with minimal performance overhead by using a sparse-labeling strategy, which leaves security labels on data implicit whenever possible. Experimental results demonstrate the efficiency of this approach.

While the no-sensitive-upgrade check is effective, it sometimes rejects valid program executions that do not violate the security property. The permissive upgrade strategy is a refinement of this approach that still guarantees non-interference, but which accepts strictly more executions. When a public reference cell is updated in a private context, the permissive upgrade strategy marks the data as partially leaked rather than terminating execution. Partially leaked data is carefully tracked to avoid leaking private information.

The final approach introduces special faceted values, which capture multiple views for a single object. Faceted values simulate multiple executions for different security levels, giving the following benefits:

* Faceted values do not rely on the stuck executions of the no-sensitive-upgrade and permissive upgrade approaches, and therefore accept strictly more programs than either of the monitor-based approaches.

* Faceted values avoid redundant computations, improving efficiency over related approaches.

Finally we implement faceted values in Firefox and show how they may be used to prevent a variety of attacks.