JavaScript-based browser addons are a tempting target for malicious developers: addons have high privileges and ready access to a browser user's confidential information, and they have none of the usual sandboxing or other security restrictions used for client-side webpage JavaScript. Therefore, vetting third-party addons is important both for addon users and for the browser providers that host official addon repositories. The current state-of-the-art vetting methodology is manual and ad hoc, which makes the vetting process difficult, tedious, and error-prone. In this paper, we propose a method to help automate this vetting process. We describe a novel notion of addon security signatures, which provide detailed information about an addon's information flows and API usage, along with a novel static analysis to automatically infer these signatures from the addon code. We implement our analysis and empirically evaluate it on a benchmark suite consisting of ten real browser addons taken from the official Mozilla addon repository. Our results show that our analysis is practical and useful for vetting browser addons.