Proceedings Article10.1145/2544137.2544149
Security Signature Inference for JavaScript-based Browser Addons
Vineeth Kashyap,Ben Hardekopf +1 more
- 15 Feb 2014
- pp 219-229
TL;DR: A novel notion of addon security signatures is described, which provide detailed information about an addon's information flows and API usage, along with a novel static analysis to automatically infer these signatures from the addon code.
read more
Abstract: JavaScript-based browser addons are a tempting target for malicious developers---addons have high privileges and ready access to a browser user's confidential information, and they have none of the usual sandboxing or other security restrictions used for client-side webpage JavaScript. Therefore, vetting third-party addons is important both for addon users and for the browser providers that host official addon repositories. The current state-of-the-art vetting methodology is manual and ad-hoc, which makes the vetting process difficult, tedious, and error-prone.In this paper, we propose a method to help automate this vetting process. We describe a novel notion of addon security signatures, which provide detailed information about an addon's information flows and API usage, along with a novel static analysis to automatically infer these signatures from the addon code. We implement our analysis and empirically evaluate it on a benchmark suite consisting of ten real browser addons taken from the official Mozilla addon repository. Our results show that our analysis is practical and useful for vetting browser addons.
read more
Chat with Paper
AI Agents for this Paper
Find similar papers on Google Scholar, PubMed and Arxiv
Write a critical review of this paper
Analyze citations of this paper to find unaddressed research gaps
Citations
JSAI: a static analysis platform for JavaScript
Vineeth Kashyap,Kyle Dewey,Ethan A. Kuefner,John Wagner,Kevin Gibbons,John Sarracino,Ben Wiedermann,Ben Hardekopf +7 more
- 11 Nov 2014
TL;DR: JSAI is described, a formally specified, robust abstract interpreter for JavaScript that uses novel abstract domains to compute a reduced product of type inference, pointer analysis, control-flow analysis, string analysis, and integer and boolean constant propagation.
175
DOMtegrity: ensuring web page integrity against malicious browser extensions.
TL;DR: DOMtegrity is the first solution that protects DOM integrity without modifying the browser architecture or requiring extra hardware and it works by exploiting subtle yet important differences between browser extensions and in-line JavaScript code.
•Posted Content
DOMtegrity: Ensuring Web Page Integrity against Malicious Browser Extensions
TL;DR: In this paper, a cryptographic protocol called DOMtegrity is proposed to ensure the end-to-end integrity of the DOM structure of a web page from delivering at a web server to the rendering of the page in the user's browser.
9
ExtensionGuard: Towards runtime browser extension information leakage detection
Wentao Chang,Songqing Chen +1 more
- 01 Oct 2016
TL;DR: The ExtensionGuard is an optimized and customizable dynamic taint tracking system that can closely track the sensitive information processed by browser extensions, and detect any information leakage events at runtime, and is evaluated against a set of malicious and benign extensions.
9
•Posted Content
JSAI: Designing a Sound, Configurable, and Efficient Static Analyzer for JavaScript.
Vineeth Kashyap,Kyle Dewey,Ethan A. Kuefner,John Wagner,Kevin Gibbons,John Sarracino,Ben Wiedermann,Ben Hardekopf +7 more
TL;DR: JSAI's configurability and its formal specifications position it as a useful research platform to experiment on novel sensitivities, abstract domains, and client analyses for JavaScript, and some surprising results are observed.
References
The program dependence graph and its use in optimization
TL;DR: An intermediate program representation, called the program dependence graph (PDG), that makes explicit both the data and control dependences for each operation in a program, allowing transformations to be triggered by one another and applied only to affected dependences.
Language-based information-flow security
Andrei Sabelfeld,Andrew C. Myers +1 more
TL;DR: A structured view of research on information-flow security is given, particularly focusing on work that uses static program analysis to enforce information- flow policies, and some important open challenges are identified.
The program Dependence Graph and its Use in Optimization
Jeanne Ferrante,Karl J. Ottenstein,Joe D. Warren +2 more
- 17 Apr 1984
TL;DR: An intermediate program representation, called a program dependence graph or PDG, which summarizes not only the data dependences of each operation but also summarizes the control dependence of the operations, which allows transformations such as vectorization to be performed in a manner which is uniform for both data and control dependence.
Type Analysis for JavaScript
Simon Holm Jensen,Anders Møller,Peter Thiemann +2 more
- 12 Aug 2009
TL;DR: A static program analysis infrastructure that can infer detailed and sound type information for JavaScript programs using abstract interpretation is presented, designed to support the full language as defined in the ECMAScript standard, including its peculiar object model and all built-in functions.
A core calculus of dependency
Martín Abadi,Anindya Banerjee,Nevin Heintze,Jon G. Riecke +3 more
- 01 Jan 1999
TL;DR: It is argued that there is a central notion of dependency common to these settings that can be captured within a single calculus, the Dependency Core Calculus (DCC), a small extension of Moggi's computational lambda calculus.