Skip to Main content Skip to Navigation

Enforcing secure information flow in client-side Web applications

José Fragoso Femenin dos Santos 1
1 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : In this thesis, we address the issue of enforcing confidentiality and integrity policies in the context of client-side Web applications. Since most Web applications are developed in the JavaScript programming language, we study static, dynamic, and hybrid enforcement mechanisms for securing information flow in Core JavaScript --- a fragment of JavaScript that retains its defining features. Specifically, we propose: a monitored semantics for dynamically enforcing secure information flow in Core JavaScript as well as a source-to-source transformation that inlines the proposed monitor, a type system that statically checks whether or not a program abides by a given information flow policy, and a hybrid type system that combines static and dynamic analyses in order to accept more secure programs than its fully static counterpart. Most JavaScript programs are designed to be executed in a browser in the context of a Web page. These programs often interact with the Web page in which they are included via a large number of external APIs provided by the browser. The execution of these APIs usually takes place outside the perimeter of the language. Hence, any realistic analysis of client-side JavaScript must take into account possible interactions with external APIs. To this end, we present a general methodology for extending security monitors to take into account the possible invocation of arbitrary APIs and we apply this methodology to a representative fragment of the DOM Core Level 1 API that captures DOM-specific information flows.
Complete list of metadatas

Cited literature [49 references]  Display  Hide  Download
Contributor : Abes Star :  Contact
Submitted on : Tuesday, March 24, 2015 - 3:32:05 PM
Last modification on : Thursday, March 5, 2020 - 5:34:49 PM
Document(s) archivé(s) le : Thursday, July 2, 2015 - 6:42:34 AM


Version validated by the jury (STAR)


  • HAL Id : tel-01135001, version 1



José Fragoso Femenin dos Santos. Enforcing secure information flow in client-side Web applications. Other [cs.OH]. Université Nice Sophia Antipolis, 2014. English. ⟨NNT : 2014NICE4148⟩. ⟨tel-01135001⟩



Record views


Files downloads