VEX: Vetting browser extensions for security vulnerabilities

Proceedings of the 19th USENIX Security Symposium

Volumn , Issue , 2010, Pages 339-354

  Bandhakavi, Sruthi ^a   King, Samuel T ^a   Madhusudan, P ^a   Winslett, Marianne ^a  

^a UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

STATIC ANALYSIS;

CONTEXT SENSITIVE; FLOW SENSITIVE; HIGH-PRECISION; MANUAL INSPECTION; POTENTIAL ATTACK; PROGRAMMING PRACTICES; SECURITY VULNERABILITIES; STATIC INFORMATION;

SECURITY OF DATA;

EID: 85076320754     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. ANTLR Parser Generator. http://www.antlr. org.
2. T. Amtoft and A. Banerjee. Information flow analysis in logical form. In R. Giacobazzi, editor, SAS 2004, volume 3148 of LNCS, pages 100–115. Springer-Verlag, 2004.
3. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In IEEE Symposium on Security and Privacy, pages 387–401, 2008.
4. A. Barth, A. P. Felt, P. Saxena, and A. Boodman. Protecting browsers from extension vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2010.
5. B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczynski, D. Becker, C. Chambers, and S. Eggers. Extensibility, Safety and Performance in the SPIN Operating System. In Proceedings of the 1995 Symposium on Operating Systems Principles, pages 267–283, December 1995.
6. A. Boodman. The Greasemonkey Firefox extension. https://addons.mozilla.org/en-US/firefox/addon/748.
7. R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In M. Hind and A. Diwan, editors, PLDI, pages 50–62. ACM, 2009.
8. CrYpTiC MauleR. Fizzle RSS Feed HTML Injection Vulnerability. http://www.securityfocus.com/bin/23144.
9. M. Dhawan and V. Ganapathy. Analyzing information flow in JavaScript-based browser extensions. In ACSAC’09: Proceedings of the 25th Annual Computer Security Applications Conference, pages 382–391, December 2009.
10. D. R. Engler, M. F. Kaashoek, and J. O’Toole, Jr. Exokernel: an operating system architecture for application-level resource management. In SOSP ’95: Proceedings of the fifteenth ACM symposium on Operating systems principles, pages 251–266, New York, NY, USA, 1995. ACM.
11. Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, pages 75–88. USENIX Association, 2006.
12. N. Freeman and R. S. Liverani. Cross context scripting with Firefox, April 2010. http://www.security-assessment.com/files/whitepapers/ Cross_Context_Scripting_with_Firefox.pdf.
13. N. Freeman and R. S. Liverani. Exploiting cross context scripting vulnerabilities in Firefox, April 2010. http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_ Context_Scripting_vulnerabilities_in_ Firefox.pdf.
14. I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A Secure Environment for Untrusted Helper Applications. In Proceedings of the 1996 USENIX Security Symposium, pages 1–13, July 1996.
15. C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.
16. C. Grier, H. J. Wang, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In Proceedings of the 2009 Usenix Security Symposium, 2009.
17. S. Guarnieri and B. Livshits. Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of USENIX Security’09, pages 151–168, 2009.
18. A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In ECOOP, Lecture Notes in Computer Science. Springer, 2010.
19. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW, pages 40–52, New York, NY, USA, 2004. ACM.
20. IAOSS. NoScript Firefox extension. http://noscript.net/.
21. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In Proceesings of the 2006 IEEE Symposium on Security and Privacy, pages 258–263, 2006.
22. H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov. JavaScript instrumentation in practice. In APLAS’08, pages 326–341, Berlin, Heidelberg, 2008. Springer-Verlag.
23. R. S. Liverani and N. Freeman. Abusing Firefox extensions, Defcon 17, July 2009.
24. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In SSYM’05: Proceedings of the 14th conference on USENIX Security Symposium, pages 18–18, Berkeley, CA, USA, 2005. USENIX Association.
25. M. T. Louw, J. S. Lim, and V. N. Venkatakrishnan. Extensible web browser security. In B. M. Hämmerli and R. Sommer, editors, DIMVA, volume 4579 of Lecture Notes in Computer Science, pages 1–19. Springer, 2007.
26. G. A. D. Lucca, A. R. Fasolino, M. Mastoianni, and P. Tramontana. Identifying cross site scripting vulnerabilities in web applications. In WSE’04, pages 71–80, Washington, DC, USA, 2004. IEEE Computer Society.
27. S. Maffeis, J. C. Mitchell, and A. Taly. An operational semantics for JavaScript. In G. Ramalingam, editor, APLAS, volume 5356 of Lecture Notes in Computer Science, pages 307–325. Springer, 2008.
28. S. Maffeis and A. Taly. Language-based isolation of untrusted Javascript. In Proc. of CSF’09, IEEE, 2009. See also: Dep. of Computing, Imperial College London, Technical Report DTR09-3, 2009.
29. G. C. Necula. Proof-carrying code. In POPL ’97: Proceedings of the 24th ACM SIGPLANSIGACT symposium on Principles of programming languages, pages 106–119, New York, NY, USA, 1997. ACM.
30. P. Saxena, D. Akhawe, S. Hanna, S. McCamant, F. Mao, and D. Song. A symbolic execution framework for JavaScript. In IEEE Symposium on Security and Privacy, 2010.
31. M. I. Seltzer, Y. Endo, C. Small, and K. A. Smith. Dealing with disaster: Surviving misbehaved kernel extensions. In OSDI, pages 213–227, 1996.
32. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Krügel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS. The Internet Society, 2007.
33. C. Waterson. RDF in fifty words or less. https://developer.mozilla.org/en/RDF_in_ Fifty_Words_or_Less.
34. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS’06: Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA, 2006. USENIX Association.
35. D. Yu, A. Chander, N. Islam, and I. Serikov. Javascript instrumentation for browser security. In M. Hofmann and M. Felleisen, editors, POPL, pages 237–249. ACM, 2007.
36. F. Zhou, J. Condit, Z. R. Anderson, I. Bagrak, R. Ennals, M. Harren, G. C. Necula, and E. A. Brewer. SafeDrive: Safe and recoverable extensions using language-based techniques. In 7th Symposium on Operating Systems Design and Implementation (OSDI’06), November 6-8, Seattle, WA, USA, pages 45–60. USENIX Association, 2006.