Vetting browser extensions for security vulnerabilities with Vex

Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, Marianne Winslett

Research output: Contribution to journalArticle

Abstract

The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.

Original languageEnglish (US)
Pages (from-to)91-99
Number of pages9
JournalCommunications of the ACM
Volume54
Issue number9
DOIs
StatePublished - Sep 1 2011

    Fingerprint

ASJC Scopus subject areas

  • Computer Science(all)

Cite this