Modular Monitor Extensions for Information Flow Security in JavaScript

Abstract : Client-side JavaScript programs often interact with the web page into which they are included, as well as with the browser itself, through APIs such as the DOM API, the XMLHttpRequest API, and the W3C Geolocation API. Precise reasoning about JavaScript security must therefore take API invocation into account. However, the continuous emergence of new APIs, and the het-erogeneity of their forms and features, renders API behavior a moving target that is particularly hard to capture. To tackle this problem, we propose a methodology for modularly extending sound JavaScript information flow monitors with a generic API. Hence, to verify whether an extended monitor complies with the proposed noninterference property requires only to prove that the API satisfies a predefined set of conditions. In order to illustrate the practicality of our methodology, we show how an information flow monitor-inlining compiler can take into account the invocation of arbitrary APIs, without changing the code or the proofs of the original compiler. We provide an implementation of such a compiler with an extension for handling a fragment of the DOM Core Level 1 API. Furthermore, our implementation supports the addition of monitor extensions for new APIs at runtime.
Type de document :
Communication dans un congrès
Trustworthy Global Computing, 2015, Madrid, Spain. 2015
Liste complète des métadonnées

Littérature citée [22 références]  Voir  Masquer  Télécharger
Contributeur : Tamara Rezk <>
Soumis le : lundi 21 décembre 2015 - 15:28:57
Dernière modification le : jeudi 11 janvier 2018 - 16:36:45
Document(s) archivé(s) le : samedi 29 avril 2017 - 23:25:26


Fichiers éditeurs autorisés sur une archive ouverte


Copyright (Tous droits réservés)


  • HAL Id : hal-01247123, version 1



José Fragoso Santos, Tamara Rezk, Ana Almeida Matos. Modular Monitor Extensions for Information Flow Security in JavaScript. Trustworthy Global Computing, 2015, Madrid, Spain. 2015. 〈hal-01247123〉



Consultations de la notice


Téléchargements de fichiers