We present our journey to analyze and find bugs in JavaScript web applications in the wild. We describe technical challenges in analyzing them and our solutions to address the challenges via a series of open source analysis frameworks, the Scalable Analysis Framework for ECMAScript (SAFE) family.
ISBN: (print) 9781479942909
We propose a novel mechanism for enforcing information flow policies with support for declassification on event-driven programs. Declassification policies consist of two functions. First, a projection function specifies for each confidential event what information in the event can be declassified directly. This generalizes the traditional security labelling of inputs. Second, a stateful release function specifies the aggregate information about all confidential events seen so far that can be declassified. We provide evidence that such declassification policies are useful in the context of JavaScript web applications. An enforcement mechanism for our policies is presented and its soundness and precision are proven. Finally, we give evidence of practicality by implementing and evaluating the mechanism in a browser.