Information flow tracking meets just-in-time compilation

Web applications are vulnerable to cross-site scripting attacks that enable data thefts. Information flow tracking in web browsers can prevent communication of sensitive data to unintended recipients and thereby stop such data thefts. Unfortunately, existing solutions have focused on incorporating i...

Detailed description

Bibliographic details
Published in: ACM transactions on architecture and code optimization 2013-12, Vol.10 (4), p.1-25
Main authors: Kerschbaumer, Christoph, Hennigan, Eric, Larsen, Per, Brunthaler, Stefan, Franz, Michael
Format: Article
Language: eng
Online access: Full text
container_end_page 25
container_issue 4
container_start_page 1
container_title ACM transactions on architecture and code optimization
container_volume 10
creator Kerschbaumer, Christoph
Hennigan, Eric
Larsen, Per
Brunthaler, Stefan
Franz, Michael
description Web applications are vulnerable to cross-site scripting attacks that enable data thefts. Information flow tracking in web browsers can prevent communication of sensitive data to unintended recipients and thereby stop such data thefts. Unfortunately, existing solutions have focused on incorporating information flow into browsers’ JavaScript interpreters, rather than just-in-time compilers, rendering the resulting performance noncompetitive. Few users will switch to a safer browser if it comes at the cost of significantly degrading web application performance. We present the first information flow tracking JavaScript engine that is based on a true just-in-time compiler, and that thereby outperforms all previous interpreter-based information flow tracking JavaScript engines by more than a factor of two. Our JIT-based engine (i) has the same coverage as previous interpreter-based solutions, (ii) requires reasonable implementation effort, and (iii) introduces new optimizations to achieve acceptable performance. When evaluated against three industry-standard JavaScript benchmark suites, there is still an average slowdown of 73% over engines that do not support information flow, but this is now well within the range that many users will find an acceptable price for obtaining substantially increased security.
doi_str_mv 10.1145/2541228.2555295
format Article
fulltext fulltext
identifier ISSN: 1544-3566
ispartof ACM transactions on architecture and code optimization, 2013-12, Vol.10 (4), p.1-25
issn 1544-3566
1544-3973
language eng
recordid cdi_crossref_primary_10_1145_2541228_2555295
source ACM Digital Library Complete; EZB-FREE-00999 freely available EZB journals
title Information flow tracking meets just-in-time compilation
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-07T00%3A48%3A55IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-crossref&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Information%20flow%20tracking%20meets%20just-in-time%20compilation&rft.jtitle=ACM%20transactions%20on%20architecture%20and%20code%20optimization&rft.au=Kerschbaumer,%20Christoph&rft.date=2013-12&rft.volume=10&rft.issue=4&rft.spage=1&rft.epage=25&rft.pages=1-25&rft.issn=1544-3566&rft.eissn=1544-3973&rft_id=info:doi/10.1145/2541228.2555295&rft_dat=%3Ccrossref%3E10_1145_2541228_2555295%3C/crossref%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true