The World Wide Web has grown tremendously over the last years. To make the rich and dynamic content on the Web accessible to end users, Web browsers have evolved rapidly as well, and new functionalities, often in the form of extensions and plug-ins, are added continuously. As is frequently the case with software, the significant increase in the size and complexity of the code that drives browsers and their extensions has resulted in an increase of program flaws (bugs). Some bugs simply crash the browser. Others, unfortunately, are security vulnerabilities that attackers can use to compromise end users' machines, install malware, and steal sensitive information. Indeed, browser and extension vulnerabilities have become the primary venue through which cyber criminals compromise the security of Web users and, ultimately, earn money.
To prevent attackers from exploiting program flaws, it is critical to identify and fix bugs before the software is deployed. This is particularly important as users are slow in upgrading, even when patches are eventually made available. Expecting developers to write software that is free of any errors is unrealistic. Hence, we need tools that can automatically detect bugs, especially those that can be exploited by attackers.
A tool such as VEX is of particular importance to ensure a secure Web experience.
Static analysis is great because it covers all program paths. However, sound static analysis is also known to raise many false positives (that is, the system claims there is a vulnerability when there is none). VEX strives to strike a balance between trying to cover as many vulnerabilities as possible while making sure that false alarms are minimized. That is, although mistakes are possible, the false positive rates are low. This makes the system useful in practice. After all, for each alert, a human must manually investigate the reported problem.
The authors have demonstrated that VEX works well in practice by running it over 2,460 extensions. The system found a number of security problems, including seven vulnerabilities that were previously unknown. Examples of these bugs, as well as the details of VEX, are detailed in the paper.
©2011 ACM 0001-0782/11/0900 $10.00
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from firstname.lastname@example.org or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2011 ACM, Inc.