Guarding the Boundary: Information Flow Tracking in the Presence of Libraries
Licentiate thesis, 2018
Libraries pose a big security challenge.
How can we ensure that sensitive data is not being leaked through libraries?
This is the first question of the thesis.
We propose the use of information-flow control, by developing a principled
approach for allowing information-flow tracking in libraries, even if they are
written in a language not supporting information-flow control.
With this approach, we allow for library functions to have unlabel
and relabel models, explaining how values are unlabeled and relabeled
when being marshaled between the labeled program and the library.
These models are used in combination with lazy marshaling to handle
structured data such as lists and records, higher-order functions and references.
Modern browsers allow for browser modifications through
browser extensions, which have special privileges and
can, e.g., modify the DOM.
As extensions can be intrusive, it is in a webpage's interest to know which
extensions are installed in a browser.
The second question of the thesis is if it is possible for a webpage to
know which extensions are installed in the browser?
We conduct a large-scale study to determine how many extensions that are
detectable from a webpage based on the extension's resources, showing over 50%
of the top 1000 Chrome extensions can be detected, as well as how many of the
Alexa top 100,000 webpages employ the technique of the paper.
Chalmers, Computer Science and Engineering (Chalmers), Information Security
A Principled Approach to Tracking Information Flow in the Presence of Libraries
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),; Vol. 10204(2017)p. 49-70
Paper in proceedings
Alexander Sjösten, Daniel Hedin, Andrei Sabelfeld. Information Flow Tracking for Side-effectful Libraries
Discovering Browser Extensions via Web Accessible Resources
CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Applications Security and Privacy,; (2017)p. 329-336
Paper in proceedings
Other Computer and Information Science
Areas of Advance
Information and Communication Technology
Technical report L - School of Electrical and Computer Engineering, Chalmers University of Technology. : 175
Chalmers University of Technology
EA, ED&IT building, Hörsalsvägen 11, Chalmers.
Opponent: Dr. Toby Murray, Computing and Information Systems, University of Melbourne, Australia