9/16/2011
Written by
University of Illinois computer science researchers outline their framework for vetting browser extensions in the September 2011 issue of Communications of the ACM. The article introduces the VEX framework developed by professors Madhu Parthasrathy, Sam King, and Marianne Winslett, along with PhD student Sruthi Bandhakavi and undergraduate students Nandit Tiku, and Wyatt Pittman. The article builds on the team's previous work in this area, presented during the USENIX Security Symposium in 2010.
"Extentions written with benign intent can have subtle security-related bugs, called vulnerabilities, that expose users to devastating attacks from the Web, often just by viewing a Web page," writes the team. Because extensions often run with full privileges, attackers are able to exploit weaknesses to hijack the browser, steal passwords, or compromise confidential information, without the user knowing their system has been compromised.
VEX applies static information flow analysis to JavaScript code in order to identify security vulnerabilities in browser extensions. The team analyzed 2460 Firefox browser extensions using VEX and uncovered 7 previously unknown vulnerabilities.
Prior to VEX, vetting extensions was a manual and time-consuming task subject to human error. In the article, the team explains that examining an extension to find a vulnerability requires detailed understanding of the code in order to reason about anything beyond the most basic type of information flow.
While developing VEX, the team found that "extension vulnerabilities often translate into explicit information flows from injectable sources to executable sinks." The team identified the key flows of this nature in order to check extensions for the presence of such flows. Their analysis is both path-sensitive and context-sensitive in order to minimize false positive results.
To view the entire article in Communications of the ACM, please visit http://dl.acm.org/citation.cfm?id=1995398.