Vetting browser extensions for security vulnerabilities with VEX
Abstract
The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present VEX, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and VEX finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.
Document Details
- Document Type
- Pub Defense Publication
- Publication Date
- Sep 01, 2011
- Source ID
- 10.1145/1995376.1995398
Entities
People
- Marianne Winslett
- Nandit Tiku
- P. Madhusudan
- Samuel T. King
- Sruthi Bandhakavi
- Wyatt Pittman
Organizations
- Air Force Office of Scientific Research
- Division of Computer and Network Systems
- National Science Foundation
- Office of Naval Research
- University of Illinois Urbana–Champaign