Thumbnail
Access Restriction
Subscribed

Author Bandhakavi, Sruthi ♦ Madhusudan, P. ♦ Winslett, Marianne ♦ Pittman, Wyatt ♦ King, Samuel T. ♦ Tiku, Nandit
Source ACM Digital Library
Content type Text
Publisher Association for Computing Machinery (ACM)
File Format PDF
Language English
Abstract The browser has become the de facto platform for everyday computation and a popular target for attackers of computer systems. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which is time consuming and subject to human error. In this paper, we present VEX, a framework for applying static information flow analysis to JavaScript code to identify security vulnerabilities in browser extensions. We describe several patterns of flows that can lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We subject 2460 browser extensions to the analysis, and VEX finds 5 of the 18 previously known vulnerabilities and 7 previously unknown vulnerabilities.
Description Affiliation: University of Illinois at Urbana, Champaign (Bandhakavi, Sruthi; Tiku, Nandit; Pittman, Wyatt; King, Samuel T.; Madhusudan, P.; Winslett, Marianne)
Age Range 18 to 22 years ♦ above 22 year
Educational Use Research
Education Level UG and PG
Learning Resource Type Article
Publisher Date 2005-08-01
Publisher Place New York
Journal Communications of the ACM (CACM)
Volume Number 54
Issue Number 9
Page Count 9
Starting Page 91
Ending Page 99


Open content in new tab

   Open content in new tab
Source: ACM Digital Library