IFC Inside: Retrofitting Languages with Dynamic Information Flow Control
Paper in proceedings, 2015

Many important security problems in JavaScript, such as browser extension security, untrusted JavaScript libraries and safe integration of mutually distrustful websites (mash-ups), may be effectively addressed using an efficient implementation of information flow control (IFC). Unfortunately existing fine-grained approaches to JavaScript IFC require modifications to the language semantics and its engine, a non-goal for browser applications. In this work, we take the ideas of coarse-grained dynamic IFC and provide the theoretical foundation for a language-based approach that can be applied to any programming language for which external effects can be controlled. We then apply this formalism to server and client-side JavaScript, show how it generalizes to the C programming language, and connect it to the Haskell LIO system. Our methodology offers design principles for the construction of information flow control systems when isolation can easily be achieved, as well as compositional proofs for optimized concrete implementations of these systems, by relating them to their isolated variants.

Non-interference

JavaScript

security

Author

Heule Stefan

Stanford University

Deian Stefan

Stanford University

Edward Z. Yang

Stanford University

Alejandro Russo

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

John C. Mitchell

Chalmers University of Technology

Lecture Notes in Computer Science

0302-9743 (ISSN)

11-31

Areas of Advance

Information and Communication Technology

Subject Categories

Computer Science

DOI

10.1007/978-3-662-46666-7_2

ISBN

9783662466650