Open Access
Information flow analysis for JavaScript
Author(s) - Seth Just, Alan Cleary, Brandon Shirley, Christian Hammer
Publication year - 2011
Publication title - digital commons - usu (utah state university)
Language(s) - English
Resource type - Conference proceedings
DOI - 10.1145/2093328.2093331
Subject(s) - javascript, computer science, unobtrusive javascript, scripting language, static analysis, inheritance (genetic algorithm), programming language, client side scripting, web application, world wide web, web page, operating system, database, rich internet application, web development, static web page, biochemistry, chemistry, gene
Modern Web 2.0 pages combine scripts from several sources into a single client-side JavaScript program with almost no isolation. In order to prevent attacks from an untrusted third-party script or cross-site scripting, tracking provenance of data is imperative. However, no browser offers this security mechanism. This work presents the first information flow control mechanism for full JavaScript. We track information flow dynamically as much as possible but rely on intra-procedural static analysis to capture implicit flow. Our analysis handles even the dreaded eval function soundly and incorporates flow based on JavaScript's prototype inheritance. We implemented our analysis in a production JavaScript engine and report both qualitative as well as quantitative evaluation results.
