Practical Information Flow Control for Web Applications

Research output: Chapter in Book/Report/Conference proceedingConference paperResearch

3 Citations (Scopus)
87 Downloads (Pure)


Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementations for ICF enforcement remains a challenge when the full spectrum of web applications features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through APIs calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with respect to closest related work and show that Gifc performs better at detecting unwanted implicit flows.
Original languageEnglish
Title of host publicationLecture Notes in Computer Science
Subtitle of host publicationProceedings of the 18th International Conference on Runtime Verification
ISBN (Electronic)978-3-030-03769-7
ISBN (Print)978-3-030-03768-0
Publication statusPublished - Nov 2018
Event18th International Conference on Runtime Verification - Limassol, Cyprus
Duration: 11 Nov 201813 Nov 2018
Conference number: 18


Conference18th International Conference on Runtime Verification
Abbreviated titleRV


  • Security
  • JavaScript
  • Web Applications


Dive into the research topics of 'Practical Information Flow Control for Web Applications'. Together they form a unique fingerprint.

Cite this