Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation 2009
DOI: 10.1145/1542476.1542483
|View full text |Cite
|
Sign up to set email alerts
|

Staged information flow for javascript

Abstract: Modern websites are powered by JavaScript, a flexible dynamic scripting language that executes in client browsers. A common paradigm in such websites is to include third-party JavaScript code in the form of libraries or advertisements. If this code were malicious, it could read sensitive information from the page or write to the location bar, thus redirecting the user to a malicious page, from which the entire machine could be compromised. We present an information-flow based approach for inferring the effects… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
4
1

Citation Types

0
36
0

Year Published

2011
2011
2022
2022

Publication Types

Select...
5
2
2

Relationship

0
9

Authors

Journals

citations
Cited by 160 publications
(36 citation statements)
references
References 29 publications
0
36
0
Order By: Relevance
“…To mitigate this threat we constructed tests in a way that increases the sensitive branch coverage. However, multiple paths [27] hybrid ✓ ✓ -Chugh et al [15] hybrid ✓ ✓ ✓ Tripp et al [47] hybrid ✓ --Chudnov & Naumann [14] dynamic ✓ ✓ NSU Hedin et al [25] dynamic ✓ ✓ NSU Bichhawat et al [11] dynamic ✓ ✓ PU Kerschbaumer et al [31] dynamic ✓ ✓ -Bauer et al [9] dynamic ✓ --De Groef et al [17] dynamic MOD MOD MOD Austin & Flanagan [6] dynamic MOD MOD MOD cannot be covered due to a variety of reasons, e.g., error cases that cannot be easily triggered or unfeasible execution paths. Despite these limitations, our study produces interesting insights about the kinds of flows that appear in real-world JavaScript programs and the cost-benefit tradeoff of information flow analysis.…”
Section: Threats To Validitymentioning
confidence: 99%
See 1 more Smart Citation
“…To mitigate this threat we constructed tests in a way that increases the sensitive branch coverage. However, multiple paths [27] hybrid ✓ ✓ -Chugh et al [15] hybrid ✓ ✓ ✓ Tripp et al [47] hybrid ✓ --Chudnov & Naumann [14] dynamic ✓ ✓ NSU Hedin et al [25] dynamic ✓ ✓ NSU Bichhawat et al [11] dynamic ✓ ✓ PU Kerschbaumer et al [31] dynamic ✓ ✓ -Bauer et al [9] dynamic ✓ --De Groef et al [17] dynamic MOD MOD MOD Austin & Flanagan [6] dynamic MOD MOD MOD cannot be covered due to a variety of reasons, e.g., error cases that cannot be easily triggered or unfeasible execution paths. Despite these limitations, our study produces interesting insights about the kinds of flows that appear in real-world JavaScript programs and the cost-benefit tradeoff of information flow analysis.…”
Section: Threats To Validitymentioning
confidence: 99%
“…Among the analyses that consider implicit flows, the majority stop or modify the program as soon as a hidden flow occurs. Information Flow Analysis for JavaScript Chugh et al propose a static-dynamic analysis that reports flows from code given to eval() to sensitive locations, such as the location bar of a site [15]. Austin and Flanagan address the problem of hidden implicit flows [4,5], as discussed in detail in Section 2.…”
Section: Related Workmentioning
confidence: 99%
“…Chugh et al's staged program analysis [6] performs static analysis on as much code as is possible at compile time, and then computes a set of remaining checks to be performed at run time. Hummingbird uses a related idea in which no static analysis is performed at compile time, but type checking is always done when methods are called.…”
Section: Related Workmentioning
confidence: 99%
“…For example, Maffeis and coworkers [MMT09] achieve isolation properties between mashed-up scripts using filters, rewriting, and wrapping. Chugh and coworkers [CMJL09] present (among others) a dynamic information flow analysis based on wholesale rewriting. Yu and coworkers [YCIS07] perform rewriting guided by a security policy.…”
Section: Related Workmentioning
confidence: 99%