Language-Based Security for Web Applications

In support of our daily tasks, web applications are provided with sensitive information such as banking accounts numbers, social security information, etc. Therefore, it is expected that the developers of such applications rely on adequate tools offered by JavaScript and browsers to help them develop secure applications. However, neither JavaScript nor browser security mechanisms fully address modern application security needs.
Many language-based access control and information flow control approaches have been proposed for securing client-side web applications. However, designing a security mechanism supporting the combination of features such as portability, performance, and many awkward features of JavaScript and browsers is still problematic. Furthermore, in the soft- ware development life-cycle it is important to verify the same set of access control and information flow policies during development (static) and production (dynamic).
However, the current state of the art does not allow a safe and efficient combination of static and dynamic enforcement of a shared set of security policies, forcing developers to reimplement and maintain the same policies and their enforcement code in both static and dynamic environments.
This thesis explores language-based access control and information flow control policies for securing client-side web applications.
First, we present Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. Guardia combines an internal declarative policy specification language with a decoupled enforcement mechanism, making it possible to experiment with different enforcement techniques that do not require VM modifications.
Second, we present Gifc, a permissive-upgrade-based inlined monitoring mechanism to detect unwanted information flow in client-side web

applications. Gifc covers a wide range of JavaScript features that give rise to implicit flows. In contrast to related work, Gifc also handles dynamic code evaluation online, and it features an API function model mechanism that enables information tracking through APIs calls. As a result, Gifc can handle information flows that use DOM nodes as channels of information.
Based on Guardia and Gifc, we develop a novel technique for deriving Static Application Security Testing (SAST) from an existing Runtime Application Security Protection (RASP) mechanism using a two-phase abstract interpretation approach. In our approach, the SAST component avoids duplicating the effort of specifying security policies and implement- ing their semantics. The RASP mechanism enforces security policies by instrumenting a base program to trap security-relevant operations and execute the required policy enforcement code. The first phase of the SAST mechanism computes a flow graph of the application by statically analyzing the base program without any traps. The results of this first phase are used in a second phase to detect trapped operations and abstractly execute the associated and unaltered RASP policy enforcement code. De- riving a SAST component from a RASP mechanism ensures equivalent semantics for the security policies across the static and dynamic contexts in which policies are verified during the software development life-cycle.