Information-Flow Tracking for Web Security
Doctoral thesis, 2016

The Web is evolving into a melting pot of content coming from multiple stakeholders. In this mutually distrustful setting, the combination of code and data from different providers demands new security approaches. This thesis explores information-flow control technologies to provide security for the current Web. With focus on practicality grounded in solid theoretical foundations, we aim to fulfill the demands with respect to security, permissiveness, and flexibility. We offer solutions for securing both the server and the client. On the server side, we suggest a taint analysis to track the information provided by the user. If the information reaches a sensitive operation without sanitization, we raise an alarm, mitigating potential exploitations. On the client side, we develop JSFlow, a JavaScript interpreter for tracking information flow in the browser. It covers the full ECMA-262 standard and browser APIs. The interpreter soundly guarantees non-interference, a policy to avoid information leaks to third-parties. A security mechanism is only practical if it is not overly restrictive. This means that it is not enough to reject all insecure programs; an enforcement should also allow the execution of as many secure programs as possible. Permissiveness is key to reduce the number of false alarms and increase the practicality of the mechanism. This thesis pushes the limit towards more permissive sound enforcements in two approaches: a runtime hybrid system and the introduction of the value-sensitivity concept. Finally, we study the trade-offs between security and flexibility. In some situations, non-interference is a too strong property and it can be relaxed depending on the attacker model. The contributions go from foundational results, such as the introduction of value-sensitivity, to practical tools, like JSFlow and a Python taint-analysis library.

lecture hall HC1, Hörsalvägen 14, Chalmers University of Technology
Opponent: Prof. Lujo Bauer

Author

Luciano Bello

Chalmers, Computer Science and Engineering (Chalmers)

Towards a Taint Mode for Cloud Computing Web Application

7th Workshop on Programming Languages and Analysis for Security,; (2012)p. 7:1--7:12-

Paper in proceedings

Value Sensitivity and Observable Abstract Values for Information Flow Control

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),; Vol. 9450(2015)p. 63-78

Paper in proceedings

Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language

28th IEEE Computer Security Foundations Symposium, CSF 2015, Verona, Italy, 13-17 July,; Vol. 2015-September(2015)p. 351-365

Paper in proceedings

JSFlow: Tracking Information Flow in JavaScript and its APIs

Proceedings of the ACM Symposium on Applied Computing (SAC),; (2014)p. 1663-1671

Paper in proceedings

Areas of Advance

Information and Communication Technology

Roots

Basic sciences

Subject Categories

Computer Science

ISBN

978-91-7597-276-3

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 3957

lecture hall HC1, Hörsalvägen 14, Chalmers University of Technology

Opponent: Prof. Lujo Bauer

More information

Created

10/8/2017