SPLASH 2016
Sun 30 October - Fri 4 November 2016 Amsterdam, Netherlands
Sun 30 Oct 2016 14:00 - 14:30 at Matterhorn 3 - Security & Capability-based Designs Chair(s): Shigeru Chiba

Security controls such as taint analysis and information flow analysis can be powerful tools to protect against many common attacks. However, incorporating these controls into a language such as JavaScript is challenging. Native implementations require the support of all JavaScript VMs. Code rewriting requires developers to reason about the entire abstract syntax of JavaScript.

In this paper, we demonstrate how virtual values may be used to more easily integrate these security controls. Virtual values provide hooks to alter the behavior of primitive operations, allowing programmers to create the desired security controls in a more declarative fashion, facilitating more rapid prototyping.

We demonstrate how virtual values may be encoded in JavaScript using a combination of JavaScript object proxies and the Sweet.js macro library, and use that implementation to build taint and information flow controls into JavaScript. Finally, we show some benchmark results to demonstrate the overhead of this approach.
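The taint control described in the abstract, as an added JavaScript example that is not code from the paper or its authors. It assumes the macro layer has already rewritten `a + b` into a call to a hypothetical `binary('+', a, b)`; `taint`, `isTainted`, `unwrap`, `sink` and `endorse` are likewise illustrative names.

```javascript
// Added illustration; taint, isTainted, unwrap, binary, sink, endorse are hypothetical names.
const TAINT = Symbol('taint');
const RAW = Symbol('raw');

const isTainted = (v) => v !== null && typeof v === 'object' && v[TAINT] === true;
const unwrap = (v) => (isTainted(v) ? v[RAW] : v);

// Wrap a string or number in a proxy that carries a taint mark.
function taint(value) {
  const raw = unwrap(value);
  return new Proxy({}, {
    get(_target, key) {
      if (key === TAINT) return true;
      if (key === RAW) return raw;
      const member = raw[key];
      // Methods and properties of tainted data yield tainted data.
      if (typeof member === 'function') {
        return (...args) => taint(member.apply(raw, args.map(unwrap)));
      }
      return member === undefined ? undefined : taint(member);
    },
  });
}

const OPS = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b };

// Proxies have no trap for operators, so a macro is assumed to have rewritten
// `l + r` into binary('+', l, r). Taint propagates if either operand carries it.
function binary(op, l, r) {
  const result = OPS[op](unwrap(l), unwrap(r));
  return isTainted(l) || isTainted(r) ? taint(result) : result;
}

// Policy check at a sensitive sink: tainted data is refused.
function sink(value) {
  if (isTainted(value)) throw new Error('tainted value reached sink');
  return String(value);
}

// Endorsement: the mark is dropped only after the sanitizer has run.
const endorse = (value, sanitizer) => sanitizer(unwrap(value));

function demo() {
  const input = taint('<b>bob</b>'); // constructed untrusted input
  const shout = binary('+', 'Hello, ', input).toUpperCase();
  let blocked = false;
  try { sink(shout); } catch (e) { blocked = true; }
  const safe = endorse(shout, (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
  return { tainted: isTainted(shout), blocked, output: sink(safe) };
}
```

The proxy uses an empty object as its target so that the `get` trap is free to return wrapped values for properties such as `length`.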

Paper (meta16-final1.pdf), 181 KiB

Sun 30 Oct

13:30 - 15:10
Security & Capability-based Designs, META, at Matterhorn 3
Chair(s): Shigeru Chiba University of Tokyo
13:30
30m
Talk
Declaratively Specifying Security Policies For Web Applications
META
Angel Luis Scull Pupo Software Languages Lab, Vrije Universiteit Brussel, Jens Nicolay Vrije Universiteit Brussel, Belgium, Elisa Gonzalez Boix Vrije Universiteit Brussel
14:00
30m
Talk
Virtual Values for Taint and Information Flow Analysis
META
Prakasam Kannan San Jose State University, Thomas H. Austin, Mark Stamp San Jose State University, Tim Disney, Cormac Flanagan University of California, Santa Cruz
14:30
30m
Talk
Capability Safe Reflection for the Wyvern Language
META
Esther Wang Carnegie Mellon University, Jonathan Aldrich Carnegie Mellon University