Tracking Information Flow in Dynamic Tree Structures

Tracking Information Flow in Dynamic Tree Structures

Typ: Seminarthema Betreuer: Christoph Scheben

Links: Paper

The focus of this paper is on information flow security. Information flow is the transfer of information from a variable x to a variable y during the execution of a program. Not all flows may be desirable. For example, a system shouldn't leak any secret (partially or not) to public observers. The paper explores the problem of tracking information flow in dynamic tree structures. Motivated by the problem of manipulating the Document Object Model (DOM) trees by browser-run client-side scripts, the authors address the dynamic nature of interactions via tree structures. The authors present a runtime enforcement mechanism that monitors this interaction and prevents a range of attacks, some of them missed by previous approaches, that exploit the tree structure in order to transfer sensitive information. The authors formalize their approach for a simple language with DOM-like tree operations and show that the monitor prevents scripts from disclosing secrets.