应用安全与JSFlow

2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft) Pub Date : 2016-05-14 DOI:10.1145/2897073.2897714

Daniel Hedin

{"title":"应用安全与JSFlow","authors":"Daniel Hedin","doi":"10.1145/2897073.2897714","DOIUrl":null,"url":null,"abstract":"In the presence of attacker controlled code, popular protection mechanisms such as access control and taint tracking fail. We argue for the necessity of full information-flow control and present JSFlow, an information-flow aware interpreter for full ECMA-262(v.5). Previous work has shown that (hybrid) dynamic information-flow enforcement is a fruitful approach to enforcing secure information flow in the setting of web application. Those results naturally extend to hybrid mobile apps, with JSFlow deployed as a library.","PeriodicalId":296509,"journal":{"name":"2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"App Security with JSFlow\",\"authors\":\"Daniel Hedin\",\"doi\":\"10.1145/2897073.2897714\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In the presence of attacker controlled code, popular protection mechanisms such as access control and taint tracking fail. We argue for the necessity of full information-flow control and present JSFlow, an information-flow aware interpreter for full ECMA-262(v.5). Previous work has shown that (hybrid) dynamic information-flow enforcement is a fruitful approach to enforcing secure information flow in the setting of web application. Those results naturally extend to hybrid mobile apps, with JSFlow deployed as a library.\",\"PeriodicalId\":296509,\"journal\":{\"name\":\"2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)\",\"volume\":\"6 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-05-14\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2897073.2897714\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2897073.2897714","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

摘要

在攻击者控制代码的情况下，访问控制和污染跟踪等流行的保护机制将失效。我们论证了完整信息流控制的必要性，并提出了JSFlow，一个完整ECMA-262(v.5)的信息流感知解释器。以前的工作表明，(混合)动态信息流强制是一种在web应用程序设置中强制安全信息流的有效方法。这些结果自然扩展到混合移动应用程序，JSFlow作为库部署。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

App Security with JSFlow

In the presence of attacker controlled code, popular protection mechanisms such as access control and taint tracking fail. We argue for the necessity of full information-flow control and present JSFlow, an information-flow aware interpreter for full ECMA-262(v.5). Previous work has shown that (hybrid) dynamic information-flow enforcement is a fruitful approach to enforcing secure information flow in the setting of web application. Those results naturally extend to hybrid mobile apps, with JSFlow deployed as a library.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)

自引率

0.00%

发文量