DOI: 10.1145/1995376.1995398
Vetting Browser Extensions for
Security Vulnerabilities with VEX
Abstract
The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present Vex, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. Vex analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and Vex finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.
1. Introduction
Driving the Internet revolution is the modern Web browser, which has evolved from a relatively simple client application designed to display static data into a complex networked operating system tasked with managing many facets of a user's online experience. To help meet the varied needs of a broad user population, browser extensions expand the functionality of browsers by interposing on and interacting with browser-level events and data. Some extensions are simple and make only small changes to the appearance of Web pages or the browser itself. Other extensions provide more sophisticated functionality, such as NoScript, which provides fine-grained control over page JavaScript execution [15], or Greasemonkey, which provides a full-blown programming environment for scripting browser behavior [3]. These are just a few of the thousands of extensions currently available for Firefox, the second most popular browser today.
Extensions written with benign intent can have subtle security-related bugs, called vulnerabilities, that expose users to devastating attacks from the Web, often just by viewing a Web page. Firefox extensions run with full browser privileges, so attackers can exploit extension weaknesses to take over the browser, steal cookies or protected passwords, compromise confidential information, or even hijack the host system, without revealing their actions to the user. Unfortunately, dozens of extension vulnerabilities have been discovered in the last few years, and capable attacks against buggy extensions have already been demonstrated [11].
In this paper, we propose Vex, a system for finding vulnerabilities in browser extensions using static information-flow analysis. Our key insight is that extension vulnerabilities often translate into explicit information flows from injectable sources to executable sinks. For extensions written with benign intent, most attacks involve the attacker injecting JavaScript into a data item that is subsequently executed by the extension under full browser privileges. We identify key flows of this nature that can lead to security vulnerabilities, and we check extensions for the presence of such flows using a high-precision static analysis that is both path-sensitive and context-sensitive, to minimize the number of false-positive suspect flows. Vex has special features to handle the quirks of JavaScript (e.g., Vex does a constant-string analysis for expressions that flow into the eval statement, which executes dynamically generated code).
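The source-to-sink view described above, as an added example that is not code from the VEX paper or the VEX tool: a toy flow analysis that tracks whether page-controlled data reaches an eval sink and, in the same pass, folds strings built only from constants so that eval of a fully known string is not reported. VEX itself analyzes real JavaScript with a path- and context-sensitive analysis; this example instead runs over a hand-written straight-line IR so it needs no JavaScript parser. The source names, the IR shape, the `showNotice` function and the three sample programs are assumptions made for illustration.

```javascript
// Toy source-to-sink flow analysis in the spirit of VEX's key insight: data an
// untrusted web page can inject (an "injectable source") reaching code execution
// with full browser privilege (an "executable sink") is a suspect flow.
// Added example, not VEX's own analysis. The IR, source names and sample
// programs below are assumptions made for illustration.

const TAINTED = Symbol("tainted"); // abstract value: attacker-influenced string
const UNKNOWN = Symbol("unknown"); // abstract value: neither constant nor tainted

// Injectable sources assumed for the example: page-controlled data that an
// extension typically reads from the content document.
const SOURCES = new Set(["content.document.title", "content.document.location.href"]);

// Abstract value of an operand under the current environment.
function abstractValue(env, operand) {
  switch (operand.type) {
    case "const": return operand.value; // a constant string is its own abstract value
    case "source": return SOURCES.has(operand.name) ? TAINTED : UNKNOWN;
    case "var": return env.has(operand.name) ? env.get(operand.name) : UNKNOWN;
    default: throw new Error(`unknown operand ${JSON.stringify(operand)}`);
  }
}

// Abstract string concatenation: any tainted part taints the result; all-constant
// parts fold into one constant string (the constant-string analysis that lets
// eval of a fully known string pass); anything else is unknown.
function concat(values) {
  if (values.some((v) => v === TAINTED)) return TAINTED;
  if (values.every((v) => typeof v === "string")) return values.join("");
  return UNKNOWN;
}

// Walk a straight-line program and return findings at executable sinks.
function analyze(program) {
  const env = new Map();
  const findings = [];
  program.forEach((stmt, pc) => {
    switch (stmt.op) {
      case "assign":
        env.set(stmt.dst, abstractValue(env, stmt.src));
        break;
      case "concat":
        env.set(stmt.dst, concat(stmt.parts.map((p) => abstractValue(env, p))));
        break;
      case "call": // ordinary call: the data stays data, no executable sink
        break;
      case "eval": {
        const v = abstractValue(env, stmt.arg);
        if (v === TAINTED) findings.push({ pc, sink: "eval", verdict: "suspect flow" });
        else if (v === UNKNOWN) findings.push({ pc, sink: "eval", verdict: "non-constant argument" });
        break; // a constant string is code the developer wrote: not flagged
      }
      default:
        throw new Error(`unknown op ${stmt.op}`);
    }
  });
  return findings;
}

// Small constructors for IR operands.
const C = (value) => ({ type: "const", value });
const V = (name) => ({ type: "var", name });
const S = (name) => ({ type: "source", name });

// Constructed sample 1, modelling this deliberately vulnerable extension code:
//   var title = content.document.title;
//   eval("showNotice('" + title + "')");
// A page whose title is  '); attackerCode(); ('  runs attackerCode with
// full browser privilege.
const vulnerable = [
  { op: "assign", dst: "title", src: S("content.document.title") },
  { op: "concat", dst: "code", parts: [C("showNotice('"), V("title"), C("')")] },
  { op: "eval", arg: V("code") },
];

// Constructed sample 2: the same functionality with the page data passed as an
// argument instead of spliced into code. No executable sink, so nothing to flag.
const hardened = [
  { op: "assign", dst: "title", src: S("content.document.title") },
  { op: "call", fn: "showNotice", args: [V("title")] },
];

// Constructed sample 3: eval of a string assembled purely from constants; the
// constant-string analysis resolves it and reports nothing.
const constantEval = [
  { op: "assign", dst: "fn", src: C("showNotice") },
  { op: "concat", dst: "code", parts: [V("fn"), C("('update available')")] },
  { op: "eval", arg: V("code") },
];

for (const [name, program] of [["vulnerable", vulnerable], ["hardened", hardened], ["constantEval", constantEval]]) {
  console.log(name, JSON.stringify(analyze(program)));
}
```

The distinction the analysis draws is the one the paper relies on: sample 1 is reported because a tainted value reaches eval, sample 2 is silent because the same tainted value only ever travels as data, and sample 3 is silent because the argument to eval folds to a constant. A real analysis must also handle branches, calls and the rest of JavaScript, which is where the path and context sensitivity of VEX comes in.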
2. Threat Model, Assumptions, and Usage Model
In this article, we focus on finding security vulnerabilities in buggy browser extensions. We do not try to identify malicious extensions, bugs in the browser itself, or bugs in other browser extensibility mechanisms, such as plug-ins. We assume that the developer is neither malicious nor trying to

A previous version of this paper was published in the USENIX Security Symposium, Aug. 2010.