Abstract

A key characteristic of modern web applications is their heavy reliance on client-side JavaScript libraries. They use the libraries to achieve interactivity, reactivity, and service composition. Instead of writing their own, developers of modern web applications typically use several third-party JavaScript libraries to achieve this level of engagement. This poses a security risk of leaking private information to illegal channels. Tracking information flow is one known technique to address this concern. This paper presents a framework that inlines a hybrid flow-sensitive security monitor for JavaScript. To our knowledge, our framework is the first in the literature to propose a hybrid flow-sensitive approach that targets JavaScript. Our approach operates as a source-to-source compiler (a transpiler), in which the input is JavaScript source and the output is an instrumented version with the flow-sensitive security monitor inlined. Hence the output of our approach is portable JavaScript code that is not tied to a particular JavaScript engine. We start by presenting the hybrid flow-sensitive security monitor and its noninterference security property. Then we present the formalization of our inlining transpiler with respect to the hybrid monitor. We prove that the inlined version of the security monitor is observationally equivalent to the original version. Finally, we present and discuss the implementation of the inlining transpiler and empirically assess its security effectiveness and its efficiency with respect to un-instrumented code and to other implementations in the literature.
