The dynamic nature of JavaScript web applications has given rise to
the possibility of privacy-violating information flows. We present an
empirical study of the prevalence of such flows on a large number of
popular websites. We have
(1) designed an expressive, fine-grained information flow policy
language that allows us to specify and detect different kinds of
privacy-violating flows in JavaScript code,
(2) implemented a new rewriting-based JavaScript information flow
engine within the Chrome browser, and
(3) used the enhanced browser to conduct a large-scale empirical study
over the Alexa global top 50,000 websites of four privacy-violating
flows: cookie stealing, location hijacking, history sniffing, and
behavior tracking.

The survey shows several popular sites, including Alexa global top-100
sites, use privacy-violating flows to exfiltrate information about
users' browsing behavior. The findings show that steps must be taken to
mitigate the privacy threat from covert flows in browsers.

The entire research paper by Dongseok Jang, Ranjit Jhala, Sorin Lerner
and Hovav Shacham can be found here:
http://cseweb.ucsd.edu/~d1jang/papers/ccs10.pdf
Other files at this location:
http://cseweb.ucsd.edu/~d1jang/papers/
