Taint and Information Flow Analysis Using Sweet.js Macros

Author

Prakasam Kannan, San Jose State University

Publication Date

Spring 2016

Degree Type

Master's Project

Degree Name

Master of Science (MS)

Department

Computer Science

First Advisor

Tom Austin

Second Advisor

Mark Stamp

Third Advisor

Ron Mak

Keywords

javascript flow analysis security

Abstract

JavaScript has been the primary language for application development in browsers and with the advent of JIT compilers, it is increasingly becoming popular on server side development as well. However, JavaScript suffers from vulnerabilities like cross site scripting and malicious advertisement code on the the client side and on the server side from SQL injection.

In this paper, we present a dynamic approach to efficiently track information flow and taint detection to aid in mitigation and prevention of such attacks using JavaScript based hygienic macros. We use Sweet.js and object proxies to override built-in JavaScript operators to track information flow and detect tainted values. We also demonstrate taint detection and information flow analysis using our technique in a REST service running on Node.js.

We finally present cross browser compatibility and performance metrics of our solution using the popular SunSpider benchmark on Safari, Chrome and Firefox and suggest some performance improvement techniques.

Recommended Citation

Kannan, Prakasam, "Taint and Information Flow Analysis Using Sweet.js Macros" (2016). Master's Projects. 468.
DOI: https://doi.org/10.31979/etd.qsyz-fu42
https://scholarworks.sjsu.edu/etd_projects/468