CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation

  1. Home
  2. search page
  3. paper

CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation

연구 분야: Strategies

논문 키워드: #developers #web #browser #javascript #browsers

학회: CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

초록

Extensions complement web browsers with additional functionalities and also bring new vulnerability venues, allowing privilege escalations from adversarial web pages to use extension APIs. Prior works on extension vulnerability detection adopt classic static analysis, which is unable to handle dynamic JavaScript features such as those function calls as part of array lookups. At the same time, prior abstract interpretation focuses on lightweight server-side JavaScript, which often cannot scale to client-side extension code due to object explosions in the abstract domain. In this paper, we design, implement and evaluate a novel, coverage-driven, concurrent abstract interpretation framework, called CoCo, to efficiently detect vulnerabilities in browser extensions. On one hand, CoCo parallelizes abstract interpretation with concurrent taint propagation for each branching statement, message passing and content/background scripts to detect vulnerabilities with improved scalability. On the other hand, CoCo prioritizes analysis that increases code coverage, thus further detecting more vulnerabilities. Our evaluation shows that CoCo detects at least 43 zero-day, exploitable, manually-verified extension vulnerabilities that cannot be detected by state-of-the-art works. We responsibly disclosed all the zero-day vulnerabilities to extension developers.

Author Profile
Jianjia Yu

Johns Hopkins University Baltimore MD USA

Moldova
Author Profile
Song Li

Zhejiang University Hangzhou China

China
Author Profile
Junmin Zhu

Shanghai Jiao Tong University Shanghai China

China

📄 논문 정보

발행 연도 2023년
인용수 5
출판 국가 Moldova, China
사이트 ACM
좋아요 수 0

연관 논문 목록 (87건)

Analyzing and detecting four types of critical security vulnerabilities in move smart contracts
저자: Weijie Zhang , Ting Chen , Teng Li , Ze Wang , Zhichao Zhu , Hangbin Shen
키워드: #security #developers #mitigating #attackers #blog
파트: Strategies | 연도: 2025
Tracking GPTs Third Party Service: Automation, Analysis, and Insights
저자: Chuan Yan , Liuhuo Wan , Bowei Guan , Fengqi Yu , Guangdong Bai
키워드: #researchers #developers #mobile #party #app
파트: Strategies | 연도: 2025
An Extensive Empirical Study of Nondeterministic Behavior in Static Analysis Tools
저자: Miao Miao , Austin Mordahl , Dakota Soles , Alice Beideck , Shiyi Wei
키워드: #research #developers #software #tools #qualitative
파트: Strategies | 연도: 2025
Comprehensive Approach to Android Penetration Testing: Techniques, Tools and Best Practices for Securing Mobile Applications
저자: Nizam Chavan , Harsh Patel , Kaushal Shah
키워드: #technology #developers #mobile #workflow #android
파트: Strategies | 연도: 2025
SCAnME - scanner comparative analysis and metrics for evaluation
저자: Jakub Koman , Marek Janiszewski
키워드: #research #security #developers #scanners #cyber
파트: Strategies | 연도: 2025
CodingCare: AI Code Generation Security Framework for Common Vulnerability Mitigation
저자: Zhiguo Ding , Songyang Wu , Yilin Zhang , Tao Yang , Yingna Li , Zhuhua Li , Hang Shao , Yicong Shi
키워드: #developers #software #databases #sql #workflows
파트: Strategies | 연도: 2025
SSRFSeek: An LLM-based Static Analysis Framework for Detecting SSRF Vulnerabilities in PHP Applications
저자: Yuan Zhou , Enze Wang , Shuoyoucheng Ma
키워드: #vulnerabilities #web #forgery #taint #shortcomings
파트: Strategies | 연도: 2025
Honeypot-Based Data Collection for Dark Web Investigations Using the Tor Network
저자: Krishan Pal Singh , Emmanuel Pilli , Vijay Laxmi
키워드: #cyber #web #crime #website #criminals
파트: Strategies | 연도: 2025
Enhancing Web Application Security Using Penetration Testing and Vulnerability Scanning
저자: Siddarth Gupta , M Rohini , M Manasa , S Teja , R Sahana Lokesh
키워드: #cyber #web #industries #ddos #ecommerce
파트: Strategies | 연도: 2025
Parf: An Adaptive Abstraction-Strategy Tuner for Static Analysis
저자: Zhong-Yi Wang (王钟逸) , Ming-Shuai Chen (陈明帅) , Teng-Jie Lin (林滕劼) , Lin-Yu Yang (杨麟禹) , Jun-Hao Zhuo (卓俊豪) , Qiu-Ye Wang (王秋野) , Sheng-Chao Qin (秦胜潮) , Xiao Yi (伊 晓) , Jian-Wei Yin (尹建伟)
키워드: #automated #web #toolkit #refinement #interface
파트: Strategies | 연도: 2025