1. 1

Abstract: “Many important security problems in JavaScript, such as browser extension security, untrusted JavaScript librari es and safe inte- gration of mutually distrustful websites (mash-ups), may b e effectively addressed using an efficient implementation of information fl ow control (IFC). Unfortunately existing fine-grained approaches to J avaScript IFC require modifications to the language semantics and its engi ne, a non-goal for browser applications. In this work, we take the ideas of c oarse-grained dynamic IFC and provide the theoretical foundation for a lan guage-based approach that can be applied to any programming language for which ex- ternal effects can be controlled. We then apply this formalis m to server- and client-side JavaScript, show how it generalizes to the C programming language, and connect it to the Haskell LIO system. Our metho dology offers design principles for the construction of informatio n flow control systems when isolation can easily be achieved, as well as com positional proofs for optimized concrete implementations of these sys tems, by re- lating them to their isolated variants.”

Meta-note: Tagged this as programming instead of above languages since it’s a language-neutral method. Folks filtering specific languages might be interested in language-neutral aspects.