Information-Flow Tracking for Web Security
Doktorsavhandling, 2016

The Web is evolving into a melting pot of content coming from multiple stakeholders. In this mutually distrustful setting, the combination of code and data from different providers demands new security approaches. This thesis explores information-flow control technologies to provide security for the current Web. With focus on practicality grounded in solid theoretical foundations, we aim to fulfill the demands with respect to security, permissiveness, and flexibility. We offer solutions for securing both the server and the client. On the server side, we suggest a taint analysis to track the information provided by the user. If the information reaches a sensitive operation without sanitization, we raise an alarm, mitigating potential exploitations. On the client side, we develop JSFlow, a JavaScript interpreter for tracking information flow in the browser. It covers the full ECMA-262 standard and browser APIs. The interpreter soundly guarantees non-interference, a policy to avoid information leaks to third-parties. A security mechanism is only practical if it is not overly restrictive. This means that it is not enough to reject all insecure programs; an enforcement should also allow the execution of as many secure programs as possible. Permissiveness is key to reduce the number of false alarms and increase the practicality of the mechanism. This thesis pushes the limit towards more permissive sound enforcements in two approaches: a runtime hybrid system and the introduction of the value-sensitivity concept. Finally, we study the trade-offs between security and flexibility. In some situations, non-interference is a too strong property and it can be relaxed depending on the attacker model. The contributions go from foundational results, such as the introduction of value-sensitivity, to practical tools, like JSFlow and a Python taint-analysis library.

lecture hall HC1, Hörsalvägen 14, Chalmers University of Technology
Opponent: Prof. Lujo Bauer

Författare

Luciano Bello

Chalmers, Data- och informationsteknik

Towards a Taint Mode for Cloud Computing Web Application

7th Workshop on Programming Languages and Analysis for Security,; (2012)p. 7:1--7:12-

Paper i proceeding

Value Sensitivity and Observable Abstract Values for Information Flow Control

Lecture Notes in Computer Science,; Vol. 9450(2015)p. 63-78

Paper i proceeding

Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language

28th IEEE Computer Security Foundations Symposium, CSF 2015, Verona, Italy, 13-17 July,; Vol. 2015-September(2015)p. 351-365

Paper i proceeding

JSFlow: Tracking Information Flow in JavaScript and its APIs

Proceedings of the ACM Symposium on Applied Computing (SAC),; (2014)p. 1663-1671

Paper i proceeding

Styrkeområden

Informations- och kommunikationsteknik

Fundament

Grundläggande vetenskaper

Ämneskategorier

Datavetenskap (datalogi)

ISBN

978-91-7597-276-3

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 3957

lecture hall HC1, Hörsalvägen 14, Chalmers University of Technology

Opponent: Prof. Lujo Bauer