Proceedings of the 28th European Conference on Object-Oriented Programming (ECOOP 2014). Published as Volume 8586 of Lecture Notes in Computer Science (LNCS), pages 463-488; Uppsala, Sweden; July 28-August 1, 2014.
Most modern Web browsers expose a rich API that allows third-party extensions to access privileged browser objects. However, this API can also be misused by attacks directed against vulnerable extensions. Web browser vendors have therefore recently developed new frameworks aimed at better isolating extensions while still allowing access to privileged browser state. Examples of such frameworks include the Google Chrome extension architecture and the Mozilla Jetpack extension framework.
In this paper, we present Morpheus, a tool to systematically port legacy browser extensions to these new frameworks. Specifically, Morpheus targets legacy extensions for the Mozilla Firefox browser, and ports them to the Jetpack framework. We describe the key techniques used by Morpheus to analyze and transform legacy extensions so that they conform to the constraints imposed by Jetpack and simplify runtime policy enforcement. Finally, we present an experimental evaluation of Morpheus by applying it to port 52 legacy Firefox extensions to the Jetpack framework.
DOI: 10.1007/978-3-662-44202-9_19