Campus Event Calendar

Event Entry

What and Who

Information flow control for JavaScript in web browsers

Vineet Rajani
Max Planck Institute for Software Systems
SWS Student Defense Talks - Qualifying Exam
Expert Audience

Date, Time and Location

Monday, 16 June 2014
60 Minutes
E1 5


Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this talk, I will present a new approach for IFC, its formalization and its empirical results. Our IFC mechanism works at the level of JavaScript bytecode and hence leverages years of industrial effort on optimizing both the source to bytecode compiler and the bytecode interpreter. We track both explicit and implicit flows and observe only moderate overhead. Working with bytecode results in new challenges including the extensive use of unstructured control flow in bytecode (which complicates lowering of program context taints), unstructured exceptions (which complicate the matter further) and the need to make IFC analysis permissive. In the talk I will explain how we address these challenges, formally model the JavaScript bytecode semantics and our instrumentation, prove the standard property of termination-insensitive non-interference, and present experimental results on an optimized prototype.



Maria-Louise Albrecht, 06/16/2014 16:11 -- Created document.