Information Flow Tracking for Side-Effectful Libraries

Sjösten, Alexander; Hedin, Daniel; Sabelfeld, Andrei

doi:10.1007/978-3-319-92612-4_8

Cited by 2 publications

(2 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This involves the following steps: (i) pushing the taint value corresponding to the receiver expression a onto the stack (line 24), (ii) pushing the taint value corresponding to the index expression 1 onto the stack (line 25), (iii) computing the taint value that is to be written and pushing it onto the stack (lines 26-32), (iv) generating a writeprop instruction to associate this value with the specified array element (line 33) without removing it from the stack (see instruction Ins writeprop in Figure 8), and (v) discarding the value computed by the assignment (line 34) 8 . Here, step (iii) reflects the evaluation of the expression process.argv [2], which involves retrieving the taint value associated with property argv of object process (lines [26][27][28], and retrieving the taint value associated with element 2 of the array (lines [29][30]. At this point, taint is introduced by discarding the previously read taint value (line 31) and pushing a taint value '(example.js:3:8)' (line 32).…”

Section: Example: Generating Instructionsmentioning

confidence: 99%

See 1 more Smart Citation

Platform-Independent Dynamic Taint Analysis for JavaScript

Karim

Tip

Sochurkova³

et al. 2020

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Previous approaches to dynamic taint analysis for JavaScript are implemented directly in a browser or JavaScript engine, limiting their applicability to a single platform and requiring ongoing maintenance as platforms evolve, or they require nontrivial program transformations. We present an approach that relies on instrumentation to encode taint propagation as instructions for an abstract machine. Our approach has two key advantages: it is platform-independent and can be used with any existing JavaScript engine, and it can track taint on primitive values without requiring the introduction of wrapper objects. Furthermore, our technique enables multiple deployment scenarios by varying when and where the generated instructions are executed and it supports indirect taint sources, i.e., situations where taint enters an application via arguments passed to dynamically registered event-listener functions. We implemented the technique for the ECMAScript 5 language in a tool called Ichnaea, and evaluated it on 22 NPM modules containing several types of injection vulnerabilities, including 4 modules containing vulnerabilities that were not previously discovered and reported. On these modules, run-time overheads range from 3.17x to 38.42x, which is significantly better than a previous transformation-based technique. We also report on a case study that shows how Ichnaea can be used to detect privacy leaks in a Tizen web application for the Samsung Gear S2 smart watch.

show abstract

Section: Example: Generating Instructionsmentioning

confidence: 99%

“…Currently, JSFlow does not run on the Node.js applications that we consider due the absence of models for Node.js native functions. Later work by Hedin et al [29] and Sjösten et al [30] is concerned with developing concise models for tracking information flow in libraries, focusing on a small functional language in each case.…”

Section: Related Workmentioning

confidence: 99%