An Analysis of the Mozilla Jetpack Extension Framework

  • Conference paper
ECOOP 2012 – Object-Oriented Programming (ECOOP 2012)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 7313)

Abstract

The Jetpack framework is Mozilla’s newly-introduced extension development technology. Motivated primarily by the need to improve how scriptable extensions (also called addons in Firefox parlance) are developed, the Jetpack framework structures addons as a collection of modules. Modules are isolated from each other, and communicate with other modules via cleanly-defined interfaces. Jetpack also recommends that each module satisfy the principle of least authority (POLA). The overall goal of the Jetpack framework is to ensure that the effects of any vulnerabilities are contained within a module. Its modular structure also facilitates code reuse across addons.

In this paper, we study the extent to which the Jetpack framework achieves its goals. Specifically, we use static analysis to study capability leaks in Jetpack modules and addons. We implemented Beacon, a static analysis tool that identifies such leaks, and used it to analyze 77 core modules from the Jetpack framework and another 359 Jetpack addons. In total, Beacon analyzed over 600 Jetpack modules and detected 12 capability leaks in 4 core modules and another 24 capability leaks in 7 Jetpack addons. Beacon also detected 10 over-privileged core modules. We have shared the details with Mozilla, who have acknowledged our findings.
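The kind of capability leak the abstract refers to, as an added illustration that is not code from the paper, from Beacon, or from the Jetpack SDK: a CommonJS-style module exposes a privileged capability through its exports, a least-authority rewrite keeps the capability in a closure and exports only a narrow operation, and a small check walks an export surface for references to the capability object. The `fileCapability` object and the config path are constructed stand-ins for a privileged SDK module and an addon file.

```javascript
// Constructed stand-in for a privileged SDK module such as file I/O.
const fileCapability = {
  read: (path) => `<contents of ${path}>`,
  write: (path, data) => true,
};

// Leaky module: the whole file capability is reachable from its exports,
// so any addon that requires this module gains full file access.
function leakyModule() {
  const settings = { backend: fileCapability };
  return { settings, fs: fileCapability };
}

// Least-authority module: the capability stays inside the closure and only
// a narrow operation (reading one fixed, constructed path) is exported.
function polaModule() {
  const CONFIG_PATH = '/constructed/addon/config.json';
  return {
    readConfig: () => fileCapability.read(CONFIG_PATH),
  };
}

// Walk the object graph reachable from an exports object and report every
// property path at which the capability object itself is exposed.
function findCapabilityLeaks(exportsObj, capability) {
  const leaks = [];
  const seen = new Set();
  const walk = (value, path) => {
    if (value === capability) {
      leaks.push(path || '<exports>');
      return;
    }
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return;
    if (seen.has(value)) return; // guard against cyclic export graphs
    seen.add(value);
    for (const key of Object.keys(value)) {
      walk(value[key], path ? `${path}.${key}` : key);
    }
  };
  walk(exportsObj, '');
  return leaks;
}

console.log(findCapabilityLeaks(leakyModule(), fileCapability)); // [ 'settings.backend', 'fs' ]
console.log(findCapabilityLeaks(polaModule(), fileCapability));  // []
```

The traversal only sees references stored in the export graph; a static analysis such as the one the paper describes must additionally follow values that flow out of exported functions.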

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Karim, R., Dhawan, M., Ganapathy, V., Shan, Cc. (2012). An Analysis of the Mozilla Jetpack Extension Framework. In: Noble, J. (eds) ECOOP 2012 – Object-Oriented Programming. ECOOP 2012. Lecture Notes in Computer Science, vol 7313. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31057-7_16

  • DOI: https://doi.org/10.1007/978-3-642-31057-7_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31056-0

  • Online ISBN: 978-3-642-31057-7

  • eBook Packages: Computer Science (R0)
