Conference papers

Modular Monitor Extensions for Information Flow Security in JavaScript

Abstract : Client-side JavaScript programs often interact with the web page into which they are included, as well as with the browser itself, through APIs such as the DOM API, the XMLHttpRequest API, and the W3C Geolocation API. Precise reasoning about JavaScript security must therefore take API invocation into account. However, the continuous emergence of new APIs, and the heterogeneity of their forms and features, renders API behavior a moving target that is particularly hard to capture. To tackle this problem, we propose a methodology for modularly extending sound JavaScript information flow monitors with a generic API. Hence, verifying whether an extended monitor complies with the proposed noninterference property requires only proving that the API satisfies a predefined set of conditions. In order to illustrate the practicality of our methodology, we show how an information flow monitor-inlining compiler can take into account the invocation of arbitrary APIs, without changing the code or the proofs of the original compiler. We provide an implementation of such a compiler with an extension for handling a fragment of the DOM Core Level 1 API. Furthermore, our implementation supports the addition of monitor extensions for new APIs at runtime.

Cited literature : 22 references
Contributor : Tamara Rezk
Submitted on : Monday, December 21, 2015 - 3:28:57 PM
Last modification on : Thursday, January 11, 2018 - 4:36:45 PM
Document(s) archived on : Saturday, April 29, 2017 - 11:25:26 PM


Publisher files allowed on an open archive




  • HAL Id : hal-01247123, version 1



José Fragoso Santos, Tamara Rezk, Ana Almeida Matos. Modular Monitor Extensions for Information Flow Security in JavaScript. Trustworthy Global Computing, 2015, Madrid, Spain. ⟨hal-01247123⟩


