Sciweavers

USS
2010

VEX: Vetting Browser Extensions for Security Vulnerabilities

The browser has become the de facto platform for everyday computation. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which does not scale well and is subject to human error. In this paper, we present VEX, a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions. We describe several patterns of flows as well as unsafe programming practices that may lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We analyze thousands of browser extensions, and VEX finds six exploitable vulnerabilities, three of which were previously unknown. VEX also finds hundreds of examples of bad programming ...
Added 15 Feb 2011
Updated 15 Feb 2011
Type Journal
Year 2010
Where USS
Authors Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett