Section: New Results

Logical Auditing of JavaScript Programs for Security

Participants: Karthikeyan Bhargavan [correspondent], Sergio Maffeis [Imperial College], Ravinder Shankesi [UIUC].

Client-side web applications are error-prone and hard to secure, as frequent vulnerability reports show. We experiment with logical annotations as a means of specifying inlined security policies for web pages, and we implement a run-time monitoring system that generates a logical trace of the program execution. Feeding this trace to external theorem provers makes it possible to detect, post facto, violations of the security policies, which helps with the on-line debugging of web applications.

We present JSTY, a browser-based logical auditing framework for JavaScript programs. We show how first-order logic contracts can express cryptographic assumptions and security goals for JavaScript programs that use cryptography. We demonstrate our approach on realistic examples, including browser extensions for password management, and we find security vulnerabilities in commercial products by logical auditing. This work is currently unpublished.
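As an added illustration of the trace-then-audit idea described above (this is not JSTY's code, and the `monitor`, `policyViolations` and `runScenario` names, the toy password-manager functions and the policy are all constructed for this example), the snippet wraps the functions of a miniature password manager so each call becomes a fact in a logical trace, then checks a first-order contract over that trace after the run:

```javascript
// Constructed example: a run-time monitor that records a logical trace, plus a
// post-facto check of a first-order security contract over that trace.
const trace = [];

// Wrap a function so every call is recorded as a fact pred(args) = result.
function monitor(pred, fn) {
  return function (...args) {
    const result = fn.apply(this, args);
    trace.push({ pred, args, result });
    return result;
  };
}

// Toy stand-ins for a password-manager extension. "encrypt" is NOT real
// cryptography; it only produces a distinct value the trace can refer to.
const encrypt = monitor("Encrypt", (key, plaintext) => ({ ct: `enc(${key},${plaintext})` }));
const send = monitor("Send", (url, payload) => ({ posted: url, payload }));

// Contract: forall Send(url, p) . exists Encrypt(k, m) such that result = p,
// i.e. anything sent to the network must be the output of Encrypt.
function policyViolations(tr) {
  return tr
    .filter(e => e.pred === "Send")
    .filter(s => !tr.some(e => e.pred === "Encrypt" && e.result === s.args[1]))
    .map(s => `Send(${s.args[0]}) carries a payload never produced by Encrypt`);
}

// Run the monitored program, optionally with a plaintext-leak bug, and audit.
function runScenario(leakPlaintext) {
  trace.length = 0;
  const secret = "hunter2";                    // constructed sample password
  const c = encrypt("master-key", secret);
  send("https://sync.example/store", c);       // policy-compliant
  if (leakPlaintext) send("https://sync.example/store", secret); // violation
  return policyViolations(trace);
}
```

In JSTY the contract would be discharged by an external prover over the emitted trace rather than by the in-browser `policyViolations` scan used here.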