JSFlow:跟踪JavaScript及其api中的信息流

Daniel Hedin, Arnar Birgisson, Luciano Bello, A. Sabelfeld
{"title":"JSFlow:跟踪JavaScript及其api中的信息流","authors":"Daniel Hedin, Arnar Birgisson, Luciano Bello, A. Sabelfeld","doi":"10.1145/2554850.2554909","DOIUrl":null,"url":null,"abstract":"JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.","PeriodicalId":285655,"journal":{"name":"Proceedings of the 29th Annual ACM Symposium on Applied Computing","volume":"18 4","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"176","resultStr":"{\"title\":\"JSFlow: tracking information flow in JavaScript and its APIs\",\"authors\":\"Daniel Hedin, Arnar Birgisson, Luciano Bello, A. Sabelfeld\",\"doi\":\"10.1145/2554850.2554909\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.\",\"PeriodicalId\":285655,\"journal\":{\"name\":\"Proceedings of the 29th Annual ACM Symposium on Applied Computing\",\"volume\":\"18 4\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-03-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"176\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 29th Annual ACM Symposium on Applied Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2554850.2554909\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 29th Annual ACM Symposium on Applied Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2554850.2554909","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 176

摘要

JavaScript推动了web向强大的应用平台的发展。越来越多的web应用程序组合了来自不同提供商的服务。脚本包含机制通常会将裸机网页转变为由第三方代码构建的成熟服务。这些代码提供了一系列工具,从辅助工具(如jQuery)到现成的服务(如Google Analytics和Tynt)。包含脚本对确保集成的第三方代码尊重安全和隐私提出了挑战。本文介绍了JSFlow,一个用于细粒度跟踪信息流的安全增强的JavaScript解释器。我们将展示如何解决为完整的JavaScript语言执行信息流策略的实际挑战,以及如何跟踪浏览器api提供的库中的信息。解释器本身是用JavaScript编写的,因此可以作为浏览器扩展进行部署。我们对扩展的实验提供了对第三方脚本(如Google Analytics)的信息操纵的深入理解。我们发现,旨在提供类似服务的不同站点对用户的敏感信息采取了相当不同的安全策略:一些确保它不会离开浏览器,另一些与原始服务器共享,而另一些则自由地传播给第三方。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
JSFlow: tracking information flow in JavaScript and its APIs
JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信