Title of invention: Encoding labels in values to capture information flows
Abstract: Methods, servers, and systems for encoding security labels in a dynamic language value to allow cross-script communications within a client application while limiting the types of information that are allowed to be communicated back to a host server. Static analysis is performed during compilation, and the results are used to generate and insert additional code that updates, modifies and propagates labels (e.g., JavaScript labels) attached to values (e.g., JavaScript values) during execution of a program. To support popular language features that allow for strong integration with other web-based systems, malicious code is allowed to perform operations locally (e.g., on the client), and a detection and prevention mechanism identifies and stops malicious code from sending requests or gathered information over the network, neutralizing attacks and improving the security of applications that embed dynamic language code.
Publication number: US8898780(B2) Publication date: 2014.11.25
Application number: US201213399136 Filing date: 2012.02.17
Applicant: QUALCOMM Incorporated Inventors: Kerschbaumer Christoph; Reshadi Mohammad H.
Classification: G06F15/16; G06F21/62; G06F21/53 Main classification: G06F15/16
Agency: Agent:
Main claim: 1. A method of encoding security labels in a dynamic language value, comprising: allocating a number of bits in the dynamic language value to store encoded labels; reserving one bit in the allocated bits to signify whether security labels are encoded in a first mode or a second mode; and tagging the dynamic language value with security labels that identify an originating domain, the security labels being encoded in either the first mode or the second mode, wherein tagging the dynamic language value with security labels that identify an originating domain comprises encoding dynamic language labels in the first mode if the number of scripts accessing information from scripts originating from other domains is less than the number of allocated bits.
Address: San Diego CA US