Vetting browser extensions for security vulnerabilities with VEX

Authors:
Sruthi Bandhakavi;Nandit Tiku;Wyatt Pittman;Samuel T. King;P. Madhusudan;Marianne Winslett
Affiliations:
University of Illinois at Urbana, Champaign;University of Illinois at Urbana, Champaign;University of Illinois at Urbana, Champaign;University of Illinois at Urbana, Champaign;University of Illinois at Urbana, Champaign;University of Illinois at Urbana, Champaign
Venue:
Communications of the ACM
Year:
2011

Citing 12
Cited 3

JavaScript instrumentation for browser security

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Extensible Web Browser Security

DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Proceedings of the 6th Asian Symposium on Programming Languages and Systems

APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
An Operational Semantics for JavaScript

APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
JavaScript Instrumentation in Practice

APLAS '08 Proceedings of the 6th Asian Symposium on Programming Languages and Systems
Staged information flow for javascript

Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Language-Based Isolation of Untrusted JavaScript

CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Analyzing Information Flow in JavaScript-Based Browser Extensions

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
The essence of javascript

ECOOP'10 Proceedings of the 24th European conference on Object-oriented programming
VEX: vetting browser extensions for security vulnerabilities

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Securing script-based extensibility in web browsers

USENIX Security'10 Proceedings of the 19th USENIX conference on Security

Towards fine-grained access control on browser extensions

ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
An analysis of the mozilla jetpack extension framework

ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Securing legacy firefox extensions with SENTINEL

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	48.22

Visualization

Abstract

The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present VEX, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and VEX finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.