Vetting browser extensions for security vulnerabilities with Vex

Sruthi Bandhakavi; Nandit Tiku; Wyatt Pittman; Samuel T. King; P. Madhusudan; Marianne Winslett

doi:10.1145/1995376.1995398

Vetting browser extensions for security vulnerabilities with Vex

Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, Marianne Winslett

Research output: Contribution to journal › Article › peer-review

Abstract

The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.

Original language	English (US)
Pages (from-to)	91-99
Number of pages	9
Journal	Communications of the ACM
Volume	54
Issue number	9
DOIs	https://doi.org/10.1145/1995376.1995398
State	Published - Sep 2011

ASJC Scopus subject areas

Computer Science(all)

Online availability

10.1145/1995376.1995398

Library availability

Discover UIUC Full Text

Cite this

@article{4d89539a52434bffb7dfb6e60b3242b9,

title = "Vetting browser extensions for security vulnerabilities with Vex",

abstract = "The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.",

author = "Sruthi Bandhakavi and Nandit Tiku and Wyatt Pittman and King, {Samuel T.} and P. Madhusudan and Marianne Winslett",

year = "2011",

month = sep,

doi = "10.1145/1995376.1995398",

language = "English (US)",

volume = "54",

pages = "91--99",

journal = "Communications of the ACM",

issn = "0001-0782",

publisher = "Association for Computing Machinery",

number = "9",

}

TY - JOUR

T1 - Vetting browser extensions for security vulnerabilities with Vex

AU - Bandhakavi, Sruthi

AU - Tiku, Nandit

AU - Pittman, Wyatt

AU - King, Samuel T.

AU - Madhusudan, P.

AU - Winslett, Marianne

PY - 2011/9

Y1 - 2011/9

N2 - The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.

AB - The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.

UR - http://www.scopus.com/inward/record.url?scp=80052322972&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80052322972&partnerID=8YFLogxK

U2 - 10.1145/1995376.1995398

DO - 10.1145/1995376.1995398

M3 - Article

AN - SCOPUS:80052322972

SN - 0001-0782

VL - 54

SP - 91

EP - 99

JO - Communications of the ACM

JF - Communications of the ACM

IS - 9

ER -

Vetting browser extensions for security vulnerabilities with Vex

Abstract

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this