Information-Flow Tracking for Dynamic Languages

Licentiatavhandling, 2013

This thesis explores information-flow tracking technologies and their applicability on industrial-scale dynamic programming languages. We aim to narrow the gap between the need for flexibility in current dynamic languages and the solid well-studied mechanisms from academia. Instead of translating perfect sound theoretical results into a practical implementation, this thesis focuses on practical problems found in dynamic languages and, from them on, looks for the academic support to tackle them. We investigate the compromise between security and flexibility for protecting confidentiality and integrity. Furthermore, using purely dynamic techniques, we implement our ideas to demonstrate their practicability. On the integrity protection side, a taint mode for Python has been implemented. Thanks to the flexibility of this language, the implementation is shipped as a library, allowing it to be used in Cloud Computing environments. On the confidentiality side, two works are presented which differ in their security property. On one hand, a dynamic dependency analysis is suggested as an alternative to flow-sensitive monitors. By relaxing the ambition of blocking every possible leak, we improve permissiveness, even for programming languages that support dynamic evaluation (such as the eval construct). On the other hand, a full JavaScript monitor was developed to enforce non-interference in the complex scenario of the web. This implementation allows us to explore the scalability boundaries of dynamic information-flow enforcements.