restrictions since even restricted interfaces can still be susceptible to security vulnerabilities.
More recently, researchers have developed static information flow analysis methods for JavaScript [4, 8]. Chugh et al. [4] essentially perform a context-insensitive and flow-insensitive static analysis on the code, and delegate the analysis of dynamically generated code to runtime checks. Guarnieri and Livshits [8] propose a mostly static enforcement for JavaScript analysis, which is context-sensitive but flow-insensitive. In contrast, our analysis is both flow-sensitive and context-sensitive, which reduces the number of false positives.
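To make the difference concrete, the following JavaScript is an added illustration, not code from the Vex paper or its tool: a toy taint analysis over a tiny, loop-free statement language, run in all four combinations of flow- and context-sensitivity. The statement forms, the sample program, and the function `id` are all constructed for this example; real JavaScript analyses must also handle loops, heap objects and dynamic code, which this toy deliberately omits.

```javascript
// Added example, not code from the Vex paper: a toy taint analysis for a tiny,
// loop-free statement language, run in four modes to show why flow- and
// context-sensitivity remove false positives. Everything below is constructed.
//
// Statement forms:
//   { op: "source", dst }            dst := untrusted input (e.g. a string read from a web page)
//   { op: "const",  dst }            dst := trusted literal (overwrites whatever was there)
//   { op: "assign", dst, src }       dst := src
//   { op: "call",   dst, fn, arg }   dst := fn(arg)
//   { op: "sink",   src }            src reaches a dangerous API such as eval()

const PROGRAM = {
  fns: {
    // function id(p) { var r = p; return r; }
    id: { param: "p", body: [{ op: "assign", dst: "r", src: "p" }], ret: "r" },
  },
  main: [
    { op: "source", dst: "s" },
    { op: "const",  dst: "c" },
    { op: "assign", dst: "u", src: "s" },
    { op: "sink",   src: "u" },                       // genuine flow: every mode reports it
    { op: "call",   dst: "a", fn: "id", arg: "s" },
    { op: "call",   dst: "b", fn: "id", arg: "c" },
    { op: "sink",   src: "b" },                       // false positive unless context-sensitive
    { op: "const",  dst: "s" },                       // s overwritten with a trusted value
    { op: "assign", dst: "t", src: "s" },
    { op: "sink",   src: "t" },                       // false positive unless flow-sensitive
  ],
};

// Returns the sorted list of sink variables reported as tainted under the chosen mode.
function analyze(program, { flowSensitive, contextSensitive }) {
  const reports = new Set();
  // Context-insensitive mode keeps one taint set per function, shared by all call
  // sites, so a tainted argument at one call site taints the result at the others.
  // (Simplification: a call site only sees the merges made by earlier call sites.)
  const shared = {};

  // Flow-sensitive facts are killed by a clean assignment; flow-insensitive facts never shrink.
  function setTaint(set, v, taint) {
    if (taint) set.add(v);
    else if (flowSensitive) set.delete(v);
  }

  // Taint of fn(arg): analyze the callee body in a fresh context (context-sensitive)
  // or in the shared, merged context (context-insensitive).
  function callTaint(s, tainted) {
    const fn = program.fns[s.fn];
    const local = contextSensitive ? new Set() : (shared[s.fn] || (shared[s.fn] = new Set()));
    if (tainted.has(s.arg)) local.add(fn.param);
    run(fn.body, local);
    return local.has(fn.ret);
  }

  // Flow-sensitive: one in-order pass is the whole analysis for this loop-free language.
  // Flow-insensitive: statement order is ignored by iterating all statements to a fixpoint.
  function run(stmts, tainted) {
    let changed;
    do {
      const before = [...tainted].sort().join(",");
      for (const s of stmts) {
        switch (s.op) {
          case "source": tainted.add(s.dst); break;
          case "const":  setTaint(tainted, s.dst, false); break;
          case "assign": setTaint(tainted, s.dst, tainted.has(s.src)); break;
          case "call":   setTaint(tainted, s.dst, callTaint(s, tainted)); break;
          case "sink":   if (tainted.has(s.src)) reports.add(s.src); break;
        }
      }
      changed = [...tainted].sort().join(",") !== before;
    } while (changed && !flowSensitive);
  }

  run(program.main, new Set());
  return [...reports].sort();
}

// Run all four combinations; only the flow- and context-sensitive analysis
// reports exactly the genuine flow (the sink reading u).
function compareAnalyses(program = PROGRAM) {
  const out = {};
  for (const flowSensitive of [false, true]) {
    for (const contextSensitive of [false, true]) {
      const key = (flowSensitive ? "flow-sensitive" : "flow-insensitive") + ", " +
                  (contextSensitive ? "context-sensitive" : "context-insensitive");
      out[key] = analyze(program, { flowSensitive, contextSensitive });
    }
  }
  return out;
}

for (const [mode, sinks] of Object.entries(compareAnalyses())) {
  console.log(mode + ": " + (sinks.length ? sinks.join(", ") : "(none)"));
}
```

Running it shows the flow-insensitive, context-insensitive analysis reporting all three sinks, each single-sensitivity analysis dropping one of the two spurious reports, and the flow- and context-sensitive analysis reporting only the genuine flow. The same three sinks stand in for the pattern Vex looks for in extensions: untrusted page content reaching eval or a chrome-privileged API.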
Several dynamic analysis techniques with static instrumentation have been proposed for JavaScript to check information-flow properties [10, 18]. SABRE [5] is a framework for dynamically tracking in-browser information flows in order to analyze JavaScript-based browser extensions; taints are tracked by modifying the JavaScript interpreter. In contrast, Djeric and Goel [6] dynamically track taints in both the browser's native code and the script interpreter. Although dynamic techniques are useful for preventing certain types of script injection attacks when they are enforced by the Web browser, they suffer from a few drawbacks. When a questionable flow is detected dynamically, the browser has to either choose an appropriate action itself (which might be overly restrictive) or ask the user to choose one (which might lead to an attack if the user chooses the wrong option). Additionally, dynamic techniques impose a performance and memory overhead on the browser, because a security label must be tracked for every JavaScript object inside the browser. One of our main motivations was to build a static analysis that scales to thousands of extensions and thereby avoids these problems.
7. Conclusion
We have presented Vex, a tool for detecting potential security vulnerabilities in browser extensions using static analysis. Vex helps automate the difficult manual process of analyzing browser extensions by identifying and reasoning about subtle and potentially malicious flows. Experiments on thousands of extensions indicate that Vex is successful at identifying flows that indicate potential vulnerabilities and at greatly reducing the number of flows that must be vetted manually. Using Vex, we identified seven previously unknown security vulnerabilities and five known vulnerabilities, together with a variety of instances of unsafe programming practices.
An interesting future direction is to develop automatic ways
to synthesize attacks that exploit flows reported by Vex. A technique based on constraint solving to generate attack inputs that
satisfy the path constraints in the flow seems appropriate.
In the broader context, there is an increasing number of
settings where small software teams (consisting of even one
or two people) write software that is downloaded and used
by hundreds of thousands of people. Browser extensions fall
in this category, but several others have emerged, including
mobile phone applications (for iPhone/Android/Windows)
and Facebook applications. The teams writing this software
do not always think about security carefully, leaving their
users with potential privacy and integrity risks. We believe
that precise static analysis tools, such as the one presented in
this paper, combined with more precise and adaptable access
control policies, can help address this security concern.
Acknowledgments
We thank Chris Grier and Mike Perry who directed us to
the Firefox extension vulnerabilities. This research was
funded in part by NSF CAREER award #0747041, NSF
grant CNS #0917229, NSF grant CNS #0831212, grant
N0014-09-1-0743 from the Office of Naval Research, and
AFOSR MURI grant FA9550-09-01-0539.
References
1. ANTLR parser generator. http://www.antlr.org, 2008.
2. Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M. VEX: Vetting browser extensions for security vulnerabilities. In Proceedings of the 19th USENIX Conference on Security, USENIX Security '10 (Berkeley, CA, 2010), USENIX Association, 339–354.
3. Boodman, A. The Greasemonkey Firefox extension. https://addons.mozilla.org/en-us/firefox/addon/748, 2005.
4. Chugh, R., Meister, J.A., Jhala, R., Lerner, S. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '09 (New York, NY, 2009), ACM, 50–62.
5. Dhawan, M., Ganapathy, V. Analyzing information flow in JavaScript-based browser extensions. In Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC '09 (Washington, DC, 2009), IEEE Computer Society, 382–391.
6. Djeric, V., Goel, A. Securing script-based extensibility in web browsers. In Proceedings of the 19th USENIX Conference on Security, USENIX Security '10 (Berkeley, CA, 2010), USENIX Association, 355–370.
7. Freeman, N., Liverani, R.S. Exploiting cross context scripting vulnerabilities in Firefox (April 2010). http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf
8. Guarnieri, S., Livshits, B. GateKeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of the 18th Conference on USENIX Security Symposium, SSYM '09 (Berkeley, CA, 2009), USENIX Association, 151–168.
9. Guha, A., Saftoiu, C., Krishnamurthi, S. The essence of JavaScript. In ECOOP, Lecture Notes in Computer Science. Springer, 2010.
10. Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I. JavaScript instrumentation in practice. In Ramalingam, G., ed., Programming Languages and Systems, Proceedings of the 6th Asian Symposium, APLAS 2008 (Bangalore, India, December 9–11, 2008), volume 5356 of Lecture Notes in Computer Science. Springer, 2008, 326–341.
11. Liverani, R.S., Freeman, N. Abusing Firefox extensions. Defcon (July 17, 2009).
12. Louw, M.T., Lim, J.S., Venkatakrishnan, V.N. Extensible web browser security. In B.M. Hämmerli and R. Sommer, eds., DIMVA, volume 4579 of Lecture Notes in Computer Science. Springer, 2007, 1–19.
13. Maffeis, S., Mitchell, J.C., Taly, A. An operational semantics for JavaScript. In Ramalingam, G., ed., Programming Languages and Systems, Proceedings of the 6th Asian Symposium, APLAS 2008 (Bangalore, India, December 9–11, 2008), volume 5356 of Lecture Notes in Computer Science. Springer, 2008, 307–325.
14. Maffeis, S., Taly, A. Language-based isolation of untrusted JavaScript. In Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium (Washington, DC, 2009), IEEE Computer Society, 77–91.
15. Maone, G. NoScript Firefox extension. http://noscript.net/
16. Ramalingam, G., ed. Programming Languages and Systems, Proceedings of the 6th Asian Symposium, APLAS 2008 (Bangalore, India, December 9–11, 2008), volume 5356 of Lecture Notes in Computer Science. Springer, 2008.
17. Waterson, C. RDF in fifty words or less. https://developer.mozilla.org/en/RDF_in_Fifty_Words_or_Less (June 9, 2008).
18. Yu, D., Chander, A., Islam, N., Serikov, I. JavaScript instrumentation for browser security. In Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '07 (New York, NY, 2007), ACM, 237–249.
Sruthi Bandhakavi (sbandha2@illinois.edu), Department of Computer Science, University of Illinois at Urbana-Champaign.
Samuel T. King (kingst@illinois.edu), Department of Computer Science, University of Illinois at Urbana-Champaign.
Nandit Tiku (tiku1@illinois.edu), Department of Computer Science, University of Illinois at Urbana-Champaign.
P. Madhusudan (madhu@illinois.edu), Department of Computer Science, University of Illinois at Urbana-Champaign.
Wyatt Pittman (wpittma2@illinois.edu), Department of Computer Science, University of Illinois at Urbana-Champaign.
Marianne Winslett (winslett@illinois.edu), Department of Computer Science, University of Illinois at Urbana-Champaign.
© 2011 ACM 0001-0782/11/09 $10.00