Abstract
The Jetpack framework is Mozilla’s newly-introduced extension development technology. Motivated primarily by the need to improve how scriptable extensions (also called addons in Firefox parlance) are developed, the Jetpack framework structures addons as a collection of modules. Modules are isolated from each other, and communicate with other modules via cleanly-defined interfaces. Jetpack also recommends that each module satisfy the principle of least authority (POLA). The overall goal of the Jetpack framework is to ensure that the effects of any vulnerabilities are contained within a module. Its modular structure also facilitates code reuse across addons.
In this paper, we study the extent to which the Jetpack framework achieves its goals. Specifically, we use static analysis to study capability leaks in Jetpack modules and addons. We implemented Beacon, a static analysis tool to identify the leaks, and used it to analyze 77 core modules from the Jetpack framework and another 359 Jetpack addons. In total, Beacon analyzed over 600 Jetpack modules and detected 12 capability leaks in 4 core modules and another 24 capability leaks in 7 Jetpack addons. Beacon also detected 10 over-privileged core modules. We have shared the details with Mozilla, who have acknowledged our findings.
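To make the idea of a capability leak concrete, here is an added example (not code from the paper, and not how Beacon works: Beacon is a static analysis, while this is a runtime reachability walk). It assumes a leak means a privileged object is reachable through a module's exported interface; `fileCap`, the two modules and `findCapabilityLeaks` are hypothetical names, and plain objects stand in for Jetpack modules.

```javascript
// Constructed stand-in for a privileged object (for example file access).
// Hypothetical: this is not a real Jetpack SDK API.
const fileCap = {
  read: (path) => `contents of ${path}`,
  write: (path, data) => true,
};
// The object and each of its methods count as privileged references.
const PRIVILEGED = new Set([fileCap, fileCap.read, fileCap.write]);

// Leaky module: the privileged object itself is reachable via its exports.
const leakyModule = {
  readPrefs: () => fileCap.read("prefs.json"),
  helpers: { io: fileCap },
};

// POLA-style module: importers receive one narrowed function only.
const tightModule = {
  readPrefs: () => fileCap.read("prefs.json"),
};

// Walk everything reachable through properties of `exports` and return the
// property paths at which a privileged reference is exposed.
// Limitation: references captured only inside closures are not visible here.
function findCapabilityLeaks(exports, privileged) {
  const leaks = [];
  const seen = new Set();
  const stack = [{ value: exports, path: "exports" }];
  while (stack.length > 0) {
    const { value, path } = stack.pop();
    const walkable = value !== null &&
      (typeof value === "object" || typeof value === "function");
    if (!walkable) continue;
    if (privileged.has(value)) { leaks.push(path); continue; }
    if (seen.has(value)) continue;          // guard against cycles
    seen.add(value);
    for (const key of Reflect.ownKeys(value)) {
      let child;
      try { child = value[key]; } catch (e) { continue; } // throwing getters
      stack.push({ value: child, path: `${path}.${String(key)}` });
    }
  }
  return leaks.sort();
}

console.log(findCapabilityLeaks(leakyModule, PRIVILEGED));
console.log(findCapabilityLeaks(tightModule, PRIVILEGED));
```
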
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Karim, R., Dhawan, M., Ganapathy, V., Shan, Cc. (2012). An Analysis of the Mozilla Jetpack Extension Framework. In: Noble, J. (eds) ECOOP 2012 – Object-Oriented Programming. ECOOP 2012. Lecture Notes in Computer Science, vol 7313. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31057-7_16
DOI: https://doi.org/10.1007/978-3-642-31057-7_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31056-0
Online ISBN: 978-3-642-31057-7
eBook Packages: Computer Science (R0)