Arnar Birgisson

JSFlow: tracking information flow in JavaScript and its APIs

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Such code provides a range of facilities from helper utilities (such as jQuery) to readily available services (such as Google Analytics and Tynt). Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents JSFlow, a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing information-flow policies for the full JavaScript language, as well as tracking information in the presence of libraries, as provided by browser APIs. The interpreter is itself written in JavaScript, which enables deployment as a browser extension. Our experiments with the extension provide in-depth understanding of information manipulation by third-party scripts such as Google Analytics. We find that different sites intended to provide similar services effectuate rather different security policies for the users sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

Enforcing authorization policies using transactional memory introspection

Correct enforcement of authorization policies is a difficult task, especially for multi-threaded software. Even in carefully-reviewed code, unauthorized access may be possible in subtle corner cases. We introduce Transactional Memory Introspection (TMI), a novel reference monitor architecture that builds on Software Transactional Memory--a new, attractive alternative for writing correct, multi-threaded software. TMI facilitates correct security enforcement by simplifying how the reference monitor integrates with software functionality. TMI can ensure complete mediation of security-relevant operations, eliminate race conditions related to security checks, and simplify handling of authorization failures. We present the design and implementation of a TMI-based reference monitor and experiment with its use in enforcing authorization policies on four significant servers. Our experiments confirm the benefits of the TMI architecture and show that it imposes an acceptable runtime overhead.

Unifying facets of information integrity

Information integrity is a vital security property in a variety of applications. However, there is more than one facet to integrity: interpretations of integrity in different contexts include integrity via information flow, where the key is that trusted output is independent from untrusted input, and integrity via invariance, where the key is preservation of an invariant. Furthermore, integrity via invariance is itself multi-faceted. For example, the literature features formalizations of invariance as predicate preservation (predicate invariance), which is not directly compatible with invariance of memory values (value invariance). This paper offers a unified framework for integrity policies that include all of the facets above. Despite the different nature of these facets, we show that a straightforward enforcement mechanism adapted from the literature is readily available for enforcing all of the integrity facets at once.

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing

Tracking information flow in dynamic languages remains an open challenge. It might seem natural to address the challenge by runtime monitoring. However, there are well-known fundamental limits of dynamic flow-sensitive tracking of information flow, where paths not taken in a given execution contribute to information leaks. This paper shows how to overcome the permissiveness limit for dynamic analysis by a novel use of testing. We start with a program supervised by an information-flow monitor. The security of the execution is guaranteed by the monitor. Testing boosts the permissiveness of the monitor by discovering paths where the monitor raises security exceptions. Upon discovering a security error, the program is modified by injecting an annotation that prevents the same security exception on the next run of the program. The elegance of the approach is that it is sound no matter how much coverage is provided by the testing. Further, we show that when the mechanism has discovered the necessary annotations, then we have an accuracy guarantee: the results of monitoring a program are at least as accurate as flow-sensitive static analysis. We illustrate our approach for a simple imperative language with records and exceptions. Our experiments with the QuickCheck tool indicate that random testing accurately discovers annotations for a collection of scenarios with rich information flows.

Capabilities for information flow

This paper presents a capability-based mechanism for permissive yet secure enforcement of information-flow policies. Language capabilities have been studied widely, and several popular implementations, such as Caja and Joe-E, are available. By making the connection from capabilities to information flow, we enable smooth enforcement of information-flow policies using capability systems. The paper presents a transformation that given an arbitrary source program in a simple imperative language produces a secure program in a language with capabilities. We present formal guarantees of security and permissiveness and report on experiments to enforce information-flow policies for web applications using Caja.

An implementation and semantics for transactional memory introspection in Haskell

Transactional Memory Introspection (TMI) is a novel reference monitor architecture that provides complete mediation, freedom from time of check to time of use bugs and improved failure handling for authorization. TMI builds on and integrates with implementations of the Software Transactional Memory (STM) architecture [Harris and Fraser 2003]. In this paper we present a formal definition of TMI and a concrete implementation over the Haskell STM. We find that this specification and reference implementation establishes clear semantics for the TMI architecture. In particular, they help identify and resolve ambiguities that apply to implementations such in our prior work [Birgisson et al. 2008].

Multi-run security

This paper explores information-flow control for batch-job programs that are allowed to be re-run with new input provided by the attacker. We argue that directly adapting two major security definitions for batch-job programs, termination-sensitive and termination-insensitive noninterference, to multirun execution would result in extremes. While the former readily scales up to multiple runs, its enforcement is typically over-restrictive. The latter suffers from insecurity: secrets can be leaked in their entirety by multiple runs of programs that are secure according to batch-job termination-insensitive noninterference. Seeking to avoid the extremes, we present a framework for specifying and enforcing multirun security in an imperative language. The policy framework is based on tracking the attackers knowledge about secrets obtained by multiple program runs. Inspired by previous work on robustness, the key ingredient of our type-based enforcement for multi-run security is preventing the dangerous combination of attacker-controlled data and secret data from affecting program termination.

Differential privacy with information flow control

We investigate the integration of two approaches to information security: information flow analysis, in which the dependence between secret inputs and public outputs is tracked through a program, and differential privacy, in which a weak dependence between input and output is permitted but provided only through a relatively small set of known differentially private primitives. We find that information flow for differentially private observations is no harder than dependency tracking. Differential privacys strong guarantees allow for efficient and accurate dynamic tracking of information flow, allowing the use of existing technology to extend and improve the state of the art for the analysis of differentially private computations.

An implementation and semantics for transactional memory introspection in Haskell (abstract only)

Transactional Memory Introspection (TMI) is a novel reference monitor architecture that provides complete mediation, freedom from time of check to time of use bugs and improved failure handling for authorization. TMI builds on and integrates with implementations of the Software Transactional Memory (STM) architecture [Harris and Fraser 2003]. In this paper we present a formal definition of TMI and a concrete implementation over the Haskell STM. We find that this specification and reference implementation establishes clear semantics for the TMI architecture. In particular, they help identify and resolve ambiguities that apply to implementations such in our prior work [Birgisson et al. 2008].