VEX: Vetting Browser Extensions For Security Vulnerabilities

VEX: Vetting Browser Extensions For Security Vulnerabilities

Cached

Download Links

by Sruthi Bandhakavi , Samuel T. King , P. Madhusudan , Marianne Winslett

Citations:

BibTeX

@MISC{Bandhakavi_vex:vetting,
    author = {Sruthi Bandhakavi and Samuel T. King and P. Madhusudan and Marianne Winslett},
    title = {VEX: Vetting Browser Extensions For Security Vulnerabilities},
    year = {}
}

Bookmark

OpenURL

Abstract

The browser has become the de facto platform for everyday computation. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which does not scale well and is subject to human error. In this paper, we present VEX, a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions. We describe several patterns of flows as well as unsafe programming practices that may lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We analyze thousands of browser extensions, and VEX finds six exploitable vulnerabilities, three of which were previously unknown. VEX also finds hundreds of examples of bad programming practices that may lead to security vulnerabilities. We show that compared to current Mozilla extension review tools, VEX greatly reduces the human burden for manually vetting extensions when looking for key types of dangerous flows. 1

Citations

1016	Proof-carrying code - Necula - 1997
561	Exokernel: An operating system architecture for application-level resource management - Engler, Kaashoek, et al. - 1995
340	A Secure Environment for Untrusted Helper Applications - Goldberg, Wagner, et al. - 1996
238	Dealing with disaster: Surviving misbehaved kernel extensions - Seltzer, Endo, et al. - 1996
111	Static detection of security vulnerabilities in scripting languages - Xie, Aiken - 2006
102	E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities - Jovanovic, Kruegel, et al. - 2006
91	Finding security vulnerabilities in Java applications with static analysis - Livshits, Lam - 2005
59	XFI: Software Guards for System Address Spaces - ERLINGSSON, ABADI, et al.
58	Safedrive: Safe and Recoverable Extensions using Language-Based Techniques - Zhou, Condit, et al. - 2006
49	Saner: Composing static and dynamic analysis to validate sanitization in web applications - Balzarotti, Cova, et al. - 2008
47	Secure web browsing with the OP web browser - Grier, Tang, et al. - 2008
42	Javascript instrumentation for browser security - YU, CHANDER, et al.
34	Gatekeeper: mostly static enforcement of security and reliability policies for JavaScript code - Guarnieri, Livshits - 2009
34	Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis - Vogt, Nentwich, et al. - 2007
33	The multi-principal os construction of the gazelle web browser - Wang, Grier, et al. - 2009
29	Staged information flow for javascript - CHUGH, MEISTER, et al. - 2009
27	Information flow analysis in logical form - Amtoft, Banerjee - 2004
25	Protecting browsers from extension vulnerabilities, 2009. 14 - Barth, Felt, et al. - 2007
24	A symbolic execution framework for javascript - Saxena, Akhawe, et al.
22	An operational semantics for JavaScript - Maffeis, Mitchell, et al. - 2008
15	Language-based isolation of untrusted javascript - Maffeis, Taly - 2009
13	Analyzing information flow in javascript-based browser extensions - Dhawan, Ganapathy - 2009
12	The essence of Javascript, in - Guha, Saftoiu, et al. - 2010
6	JavaScript instrumentation in practice - Kikuchi, Yu, et al. - 2008
6	Identifying cross site scripting vulnerabilities in web applications - Lucca, Fasolino, et al. - 2004
5	Abusing Firefox Extensions. Defcon17 - Liverani, Freeman
5	Extensible web browser security - Louw, Lim, et al. - 2007
1	The Greasemonkey Firefox extension. https://addons.mozilla.org/en-US/ firefox/addon/748 - Boodman
1	Fizzle RSS Feed HTML Injection Vulnerability. http://www.securityfocus - MauleR
1	Cross context scripting with Firefox - Freeman, Liverani - 2010
1	Exploiting cross context scripting vulnerabilities - Freeman, Liverani
1	NoScript Firefox extension. http:// noscript.net - IAOSS
1	RDF in fifty words or less. https://developer.mozilla.org/en/RDF_in_ Fifty_Words_or_Less - Waterson