Abstract
Current browser-level security solutions do not provide a mechanism for information flow control (IFC) policies. As such, they need to be combined with language-based security approaches. Practical implementation of IFC enforcement remains a challenge when the full spectrum of web application features is taken into account (i.e. JavaScript features, web APIs, DOM, portability, performance, etc.). In this work we develop Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in web applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through API calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information. We validate Gifc by means of a benchmark suite from the literature specifically designed for information flow verification, which we also extend. We compare Gifc qualitatively with the closest related work and show that Gifc performs better at detecting unwanted implicit flows.
Original language | English |
---|---|
Title of host publication | Lecture Notes in Computer Science |
Subtitle of host publication | Proceedings of the 18th International Conference on Runtime Verification |
Publisher | Springer |
Pages | 372-388 |
Volume | 11237 |
ISBN (Electronic) | 978-3-030-03769-7 |
ISBN (Print) | 978-3-030-03768-0 |
DOIs | |
Publication status | Published - Nov 2018 |
Event | 18th International Conference on Runtime Verification - Limassol, Cyprus. Duration: 11 Nov 2018 → 13 Nov 2018. Conference number: 18 |
Conference
Conference | 18th International Conference on Runtime Verification |
---|---|
Abbreviated title | RV |
Country/Territory | Cyprus |
City | Limassol |
Period | 11/11/18 → 13/11/18 |
Keywords
- Security
- JavaScript
- Web Applications
Projects
- 1 Finished
- BRGIMP4: SECLOUD - Innoviris BRIDGE 2014
  De Hert, P., Nowe, A., Gonzalez Boix, E. & De Roover, C.
  1/09/15 → 31/08/18
  Project: Applied
Activities
- 1 Talk or presentation at a conference
- Practical Information Flow Control for Web Applications
  Angel Luis Scull Pupo (Speaker)
  11 Nov 2018
  Activity: Talk or presentation › Talk or presentation at a conference