Result: If-transpiler: Inlining of hybrid flow-sensitive security monitor for JavaScript.
More information
A key characteristic of modern web applications is their heavy reliance on client-side JavaScript libraries. They use the libraries to achieve interactivity, reactivity, and service composition. Instead of writing their own, developers of modern web applications typically use several third-party JavaScript libraries to achieve that level of engagement. This poses a security risk of leaking private information to illegal channels. Tracking information flow is one known technique to address this concern. This paper presents a framework that inlines a hybrid flow-sensitive security monitor for JavaScript. To our knowledge, our framework is the first in the literature to propose a hybrid flow-sensitive approach that targets JavaScript. Our approach operates as a source-to-source compiler (a transpiler), in which the input is JavaScript source and the output is an instrumented version with the flow-sensitive security monitor inlined. Hence the output of our approach is portable JavaScript code that is not tied to a particular JavaScript engine. We start by presenting the hybrid flow-sensitive security monitor and its noninterference security property. Then we present the formalization of our inlining transpiler with respect to the hybrid monitor. We prove that the inlined version of the security monitor is observationally equivalent to the original version. Finally, we present and discuss the implementation of the inlining transpiler and assess empirically its security effectiveness and its efficiency with respect to un-instrumented code and to other implementations in the literature. [ABSTRACT FROM AUTHOR]
Copyright of Computers & Security is the property of Pergamon Press - An Imprint of Elsevier Science and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)