Taint and Information Flow Analysis Using Sweet.js Macros

Publication Year:
2016
Repository URL:
http://scholarworks.sjsu.edu/etd_projects/468
Author(s):
Kannan, Prakasam
Tags:
javascript flow analysis security; Information Security; Programming Languages and Compilers
project description
JavaScript has been the primary language for application development in browsers, and with the advent of JIT compilers it is becoming increasingly popular for server-side development as well. However, JavaScript suffers from vulnerabilities such as cross-site scripting and malicious advertisement code on the client side, and SQL injection on the server side. In this paper, we present a dynamic approach to efficiently track information flow and detect taint, to aid in mitigation and prevention of such attacks, using JavaScript-based hygienic macros. We use Sweet.js and object proxies to override built-in JavaScript operators to track information flow and detect tainted values. We also demonstrate taint detection and information flow analysis using our technique in a REST service running on Node.js. Finally, we present cross-browser compatibility and performance metrics of our solution using the popular SunSpider benchmark on Safari, Chrome and Firefox, and suggest some performance improvement techniques.