Information Flow Analysis for JavaScript

Authors

Seth Just
Alan Cleary
Brandon Shirley
Christian Hammer

Document Type

Article

Journal/Book Title/Conference

Proceedings of the 1st ACM SIGPLAN International Workshop on Programming Language and Systems Technologies for Internet Clients (PLASTIC '11)

Publication Date

1-1-2011

First Page

9

Last Page

18

Abstract

ModernWeb 2.0 pages combine scripts from several sources into a single client-side JavaScript program with almost no isolation. In order to prevent attacks from an untrusted thirdparty script or cross-site scripting, tracking provenance of data is imperative. However, no browser o ers this security mechanism. This work presents the first information flow control mechanism for full JavaScript. We track information flow dynamically as much as possible but rely on intraprocedural static analysis to capture implicit flow. Our analysis handles even the dreaded eval function soundly and incorporates flow based on JavaScript’s prototype inheritance. We implemented our analysis in a production JavaScript engine and report both qualitative as well as quantitative evaluation results.

Recommended Citation

Just, Seth; Cleary, Alan; Shirley, Brandon; and Hammer, Christian, "Information Flow Analysis for JavaScript" (2011). Space Dynamics Laboratory Publications. Paper 63.
https://digitalcommons.usu.edu/sdl_pubs/63