Carnegie Mellon University
Information Flow Control for Dynamic Reactive Systems

thesis
posted on 2023-06-27, 17:41, authored by McKenna McCall

It is common for reactive systems like web services to collect personal information and/or perform sensitive tasks, making information flow control (IFC) in these applications particularly important. Most existing work on IFC in reactive systems either does not address the unique capabilities an attacker has in a dynamic setting (like using a script to simulate a user event, or creating a new HTML element), or else enforces strict noninterference, which is too restrictive to be practical. Moreover, standard security definitions do not always translate cleanly to reactive settings. In this thesis, we revisit information flow control concepts like confidentiality, integrity, declassification, and endorsement from the perspective of a dynamic reactive system.

We identify new ways dynamic features can leak information via declassification and propose two strategies for mitigating these risks. The first is an extension of Secure Multi-execution (SME) that treats dynamic features specially so that they do not influence declassification. The second combines SME and taint tracking to keep track of attacker influence within SME executions. We develop a new notion of "attacker influence" which has all the advantages of a knowledge-based definition, making it an intuitive and precise way to reason about security. Robust declassification follows naturally from this new security condition because we treat declassifications as trusted behaviors in our noninterference definition. Finally, we balance the tradeoff between security and performance by developing a flexible framework which allows the seamless composition of multi-execution and taint tracking techniques. This means that event handlers from different sources can be treated differently from each other, for example, according to their relative levels of trustworthiness or complexity. We find that composition can not only balance the security and performance tradeoffs of different techniques, but that some compositions actually achieve stronger security guarantees compared to using one technique alone.
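The following is an added illustration, not code from the thesis, of the second strategy the abstract sketches: a toy reactive runtime that runs each event handler once per confidentiality level (textbook SME, with the low copy fed a default in place of secret input) and carries a taint bit recording attacker influence through the high copy, so that a declassification of a tainted value is refused. The `age_gate` handler, the `user`/`script` event sources, the two-level lattice and the single taint bit are all assumptions made for the example; the thesis's actual definitions and framework are not reproduced here.

```python
from dataclasses import dataclass

RANK = {"L": 0, "H": 1}  # L = public, H = secret (assumed two-level lattice)


@dataclass(frozen=True)
class Value:
    data: object
    level: str             # confidentiality label
    tainted: bool = False  # True if an attacker-controlled script influenced it

    def map(self, fn):
        # Derived values inherit both the confidentiality label and the taint.
        return Value(fn(self.data), self.level, self.tainted)


@dataclass(frozen=True)
class Event:
    name: str
    payload: Value
    source: str  # "user" (a real user action) or "script" (simulated by page script)


class CopyAPI:
    """The interface a handler sees inside one SME copy running at `level`."""

    def __init__(self, runtime, level):
        self.runtime, self.level = runtime, level

    def output(self, level, data):
        # SME rule: the copy at level l may write only the output channel at level l.
        if level == self.level:
            self.runtime.outputs[level].append(data)

    def declassify(self, value):
        rt = self.runtime
        if self.level == "H":
            # Only the H copy holds the real secret, so it decides what is released.
            # Robust declassification: refuse values the attacker influenced.
            if value.tainted:
                rt.refused += 1
                rt.releases.append(None)
            else:
                rt.releases.append(value.data)
            return Value(value.data, "L", value.tainted)
        # L copy: consume the H copy's decisions in the order they were made.
        released = rt.releases[rt.release_pos]
        rt.release_pos += 1
        if released is None:
            return value  # computed from the default input, so it carries no secret
        return Value(released, "L")


class SMERuntime:
    """Runs one event handler once per level; the L copy never sees H input."""

    def __init__(self, handler, default):
        self.handler, self.default = handler, default
        self.outputs = {"L": [], "H": []}
        self.refused = 0
        self.releases, self.release_pos = [], 0

    def dispatch(self, event):
        self.releases, self.release_pos = [], 0
        # A script-simulated event is attacker-influenced: taint its payload.
        tainted = event.payload.tainted or event.source == "script"
        # The H copy runs first so its declassification decisions are ready for L.
        for lvl in ("H", "L"):
            if RANK[event.payload.level] <= RANK[lvl]:
                seen = Value(event.payload.data, event.payload.level, tainted)
            else:
                seen = Value(self.default, lvl, tainted)  # secret replaced by a default
            self.handler(Event(event.name, seen, event.source), CopyAPI(self, lvl))
        return self.outputs


def age_gate(ev, api):
    """Hypothetical handler: releases only whether the secret age is >= 18."""
    is_adult = ev.payload.map(lambda age: age >= 18)
    api.output("L", f"adult={api.declassify(is_adult).data}")
    api.output("H", f"age={ev.payload.data}")


def run(source, age):
    """Dispatch one constructed 'submit' event carrying a secret age."""
    rt = SMERuntime(age_gate, default=0)
    rt.dispatch(Event("submit", Value(age, "H"), source))
    return rt.outputs, rt.refused


if __name__ == "__main__":
    print(run("user", 21))    # L channel learns adult=True via the declassifier
    print(run("script", 21))  # declassification refused; L channel sees the default
    print(run("script", 15))  # same L output as above: the script learns nothing
```

A genuine user submission releases exactly the one bit the declassifier is meant to release, while a submission simulated by page script yields an L output that is identical whatever the secret age is: the taint bit turns the "attacker can trigger declassification" channel into a refusal, which is the property the abstract calls robust declassification. Composing the two techniques this way costs one extra flag per value rather than a full taint-tracking interpreter in every copy.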


History

Date

2023-05-03

Degree Type

  • Dissertation

Department

  • Electrical and Computer Engineering

Degree Name

  • Doctor of Philosophy (PhD)

Advisor(s)

Limin Jia
