jsflow

JSFlow

JSFlow is a security-enhanced JavaScript interpreter for fine-grained tracking of information flow. JSFLow

supports full non-strict ECMA-262 v.5 (pdf) including the standard API,
provides dynamic (runtime) tracking and verification of security labels,
is written in JavaScript, which enables flexibility in the deployment of JSFlow.

You can download the source of JSFlow and run it using node.js. In addition, we invite you to try the console, or tackle the challenge.

Download JSFlow v1.1

Publications

JSFlow rests on a solid theroetical foundation of dynamic information flow for JavaScript.

Information Flow Tracking for Side-effectful Libraries.
Alexander Sjösten, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the International Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE) Madrid, Spain, June 2018.

A Principled Approach to Tracking Information Flow in the Presence of Libraries.
Daniel Hedin, Alexander Sjösten, Frank Piessens, and Andrei Sabelfeld
In Proceedings of the International Conference on Principles of Security and Trust (POST) Uppsala, Sweden, April 2017.

Value Sensitivity and Observable Abstract Values for Information Flow Control.
Luciano Bello, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the International Conferences on Logic for Programming, Artificial Intelligence and Reasoning (LPAR) Suva, Fiji, November 2015.

Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language.
Daniel Hedin, Luciano Bello, and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium (CSF) Verona, Italy, July 2015.

JSFlow: Tracking Information Flow in JavaScript and its APIs.
Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld
In Proceedings of the ACM Symposium on Applied Computing (SAC), Gyeongju, Korea, March 2014

Architectures for Inlining Security Monitors in Web Application.
Jonas Magazinius, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS), Munich, Germany, February 2014.

Information-flow security for a core of JavaScript.
Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium, Harvard University, Cambridge MA, June 25-27, 2012. IEEE Computer Society Press.

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing.
Arnar Birgisson, Daniel Hedin, and Andrei Sabelfeld
In Proceedings of the European Symposium on Research in Computer Security (ESORICS), Pisa, Italy, September 2012, LNCS, Springer-Verlag.

Contributors

JSFlow is developed by Andrei Sabelfeld's research group at the Department of Computer Science and Engineering, Chalmers University of Technology, Gothenburg, Sweden and Daniel Hedin, Mälardalen University, Västerås, Sweden.

Past contributors

Acknowledgments

This work has been partly funded by the European Community under the ProSecuToR, WebSand, and FlowShield projects and the Swedish Foundation for Strategic Research (SSF) under the WebSec project.