Enforcing secure information flow in client-side Web applications

José Fragoso Femenin dos Santos 1
1 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : In this thesis, we address the issue of enforcing confidentiality and integrity policies in the context of client-side Web applications. Since most Web applications are developed in the JavaScript programming language, we study static, dynamic, and hybrid enforcement mechanisms for securing information flow in Core JavaScript --- a fragment of JavaScript that retains its defining features. Specifically, we propose: a monitored semantics for dynamically enforcing secure information flow in Core JavaScript as well as a source-to-source transformation that inlines the proposed monitor, a type system that statically checks whether or not a program abides by a given information flow policy, and a hybrid type system that combines static and dynamic analyses in order to accept more secure programs than its fully static counterpart. Most JavaScript programs are designed to be executed in a browser in the context of a Web page. These programs often interact with the Web page in which they are included via a large number of external APIs provided by the browser. The execution of these APIs usually takes place outside the perimeter of the language. Hence, any realistic analysis of client-side JavaScript must take into account possible interactions with external APIs. To this end, we present a general methodology for extending security monitors to take into account the possible invocation of arbitrary APIs and we apply this methodology to a representative fragment of the DOM Core Level 1 API that captures DOM-specific information flows.
Document type :
Theses
Liste complète des métadonnées

Cited literature [49 references]  Display  Hide  Download

https://tel.archives-ouvertes.fr/tel-01135001
Contributor : Abes Star <>
Submitted on : Tuesday, March 24, 2015 - 3:32:05 PM
Last modification on : Thursday, January 11, 2018 - 4:45:51 PM
Document(s) archivé(s) le : Thursday, July 2, 2015 - 6:42:34 AM

File

2014NICE4148.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-01135001, version 1

Collections

Citation

José Fragoso Femenin dos Santos. Enforcing secure information flow in client-side Web applications. Other [cs.OH]. Université Nice Sophia Antipolis, 2014. English. ⟨NNT : 2014NICE4148⟩. ⟨tel-01135001⟩

Share

Metrics

Record views

346

Files downloads

421