Title :
Detection and mitigation of malicious JavaScript using information flow control
Author :
Sayed, Bassam ; Traore, Issa ; Abdelhalim, Ahmed
Author_Institution :
Dept. of Electr. & Comput. Eng., Univ. of Victoria, Victoria, BC, Canada
Abstract :
JavaScript is the main language used to provide the client-side functionality of the modern web. It is used in many applications that provide high interactivity with the end-user. These applications range from mapping applications to online games. In recent years, cyber-criminals have started focusing on attacking the visitors of legitimate websites and social networks rather than attacking the websites themselves. The dynamic nature of the JavaScript language and its tangled usage with other web technologies in modern web applications make it hard to reason about its code statically. This poses the need to develop effective mechanisms for detecting and mitigating malicious JavaScript code on the client-side of the web. In this paper, we address the above challenges by developing a framework that detects and mitigates the flow of sensitive information on the client-side to illegal channels. The proposed model uses information flow control dynamically at run-time to track sensitive information and prevent its leakage. In order to realize the model, we extend the operational semantics of JavaScript to enable the control of information flow inside web browsers.
Keywords :
Internet; Java; security of data; Web browsers; Web client-side functionality; Web sites; cyber-criminals; information flow control; malicious JavaScript code; malicious JavaScript detection; malicious JavaScript mitigation; mapping applications; online games; social networks; Browsers; Data models; Feature extraction; Security; Semantics; Servers; Web pages; AJAX; Client-side web attacks; Information Flow Control; Malicious JavaScript; Web 2.0;
Conference_Title :
Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on
Conference_Location :
Toronto, ON
Print_ISBN :
978-1-4799-3502-4
DOI :
10.1109/PST.2014.6890948