An empirical study of DLL injection bugs in the Firefox ecosystem

  • Le An
  • Marco Castelluccio
  • Foutse Khomh


DLL injection is a technique used for executing code within the address space of another process by forcing the load of a dynamic-link library. In a software ecosystem, the interactions between the host and third-party software increase the maintenance challenges of the system and may lead to bugs. In this work, we empirically investigate bugs that were caused by third-party DLL injections into the Mozilla Firefox browser. Among the 103 studied DLL injection bugs, we found that 93 bugs (90.3%) led to crashes and 57 bugs (55.3%) were caused by antivirus software. Through a survey with third-party software vendors, we observed that some vendors did not perform any QA with pre-release versions nor intend to use a public API (WebExtensions) but insist on using DLL injection. To reduce DLL injection bugs, host software vendors may strengthen the collaboration with third-party vendors, e.g., build a publicly accessible validation test framework. Host software vendors may also use a whitelist approach to only allow vetted DLLs to inject.


DLL injection Software ecosystem Mining software repositories 



The authors would like to thank the anonymous reviewers for their detailed feedback and useful suggestions that greatly contributed to improving this paper. This work has been partially supported by the Natural Sciences and Engineering Research Council of Canada (NSERC).


  1. Andersson S, Clark A, Mohay G, Schatz B, Zimmermann J (2005) A framework for detecting network-based code injection attacks targeting windows and unix. In: Computer security applications conference, 21st Annual, IEEE, pp 10–ppGoogle Scholar
  2. AppInitDLLs (2018) AppInit_DLLs in Windows 7 and Windows Server 2008 R2., online; Accessed April 12th, 2018
  3. Berdajs J, Bosnic Z (2010) Extending applications using an advanced approach to DLL injection and API hooking. Software: Practice and Experience 40(7):567–584Google Scholar
  4. Bosch J (2009) From software product lines to software ecosystems. In: Proceedings of the 13th international software product line conference, Carnegie Mellon University, pp 111–119Google Scholar
  5. Businge J, van den Brand M (2010) An empirical study of the evolution of eclipse third-party plug-ins. In: Proceedings of the Joint ERCIM Workshop on Software Evolution (EVOL) and International Workshop on Principles of Software Evolution (IWPSE), ACM, pp 63-72Google Scholar
  6. Castelluccio M, An L, Khomh F (2018) An empirical study of patch uplift in rapid release development pipelines. Springer, pp 1–37Google Scholar
  7. Chromium Blog (2017) Reducing Chrome crashes caused by third-party software., online; Accessed August 1st, 2018
  8. CreateRemoteThread (2018) CreateRemoteThread function., online; Accessed April 12th, 2018
  9. Fewer S (2008) Reflective dll injection. Harmony Security, Version 1Google Scholar
  10. German DM, Gonzalez-Barahona JM, Robles G (2007) A model to understand the building and running inter-dependencies of software. In: 14th working conference on reverse engineering, 2007. WCRE 2007. IEEE, pp 140–149Google Scholar
  11. German DM, Adams B, Hassan AE (2013) The evolution of the r software ecosystem. In: 2013 17th European conference on software maintenance and reengineering (CSMR). IEEE, pp 243–252Google Scholar
  12. Gonzalez-Barahona JM, Robles G, Michlmayr M, Amor JJ, German DM (2009) Macro-level software evolution: a case study of a large software compilation. Empir Softw Eng 14(3):262–285CrossRefGoogle Scholar
  13. Hanssen G K (2012) A longitudinal case study of an emerging software ecosystem: implications for practice and theory. J Syst Softw 85(7):1455–1466CrossRefGoogle Scholar
  14. Hollander M, Wolfe DA, Chicken E (2013) Nonparametric statistical methods, 3rd edn. WileyGoogle Scholar
  15. InfoSec Institute (2014) API hooking., online; Accessed April 12th, 2018
  16. Jang M, Kim H, Yun Y (2007) Detection of dll inserted by windows malicious code. In: International conference on convergence information technology, 2007. IEEE, pp 1059-1064Google Scholar
  17. Jansen S, Finkelstein A, Brinkkemper S (2009) A sense of community: a research agenda for software ecosystems. In: 31st international conference on software engineering-companion, vol 2009. ICSE-Companion 2009. IEEE, pp 187–190Google Scholar
  18. Karim R, Dhawan M, Ganapathy V, Shan CC (2012) An analysis of the mozilla jetpack extension framework. In: European conference on object-oriented programming, Springer, pp 333–355Google Scholar
  19. Lam LC, Yu Y, Chiueh TC (2006) Secure mobile code execution service. In: LISA, pp 53–62Google Scholar
  20. Liu L, Zhang X, Yan G, Chen S, et al. (2012) Chrome extensions: threat analysis and countermeasures. In: NDSSGoogle Scholar
  21. LoadLibrary (2018) LoadLibrary function., online; Accessed April 12th, 2018
  22. Mozilla Add-ons Blog (2018a) Advantages of WebExtensions for Developers., online; Accessed April 16th, 2018
  23. Mozilla Add-ons Blog (2018b) Preventing add-ons and third-party software from loading DLLs into Firefox., online; Accessed November 11th, 2018
  24. Mozilla Add-ons Blog (2018c) The future of developing Firefox add-ons., online; Accessed April 16th, 2018
  25. Mozilla Wiki (2017) WebExtensions API., online; Accessed April 12th, 2018
  26. Mozilla Wiki (2018a) Mozilla release management tracking rules., online; Accessed March 28th, 2018
  27. Mozilla Wiki (2018b) Mozilla’s blocklisting policy., online; Accessed April 16th, 2018
  28. SetWindowsHookEx (2018) SetWindowsHookEx function., online; Accessed April 12th, 2018
  29. SetWinEventHook (2018) SetWinEventHook function., online; Accessed April 12th, 2018
  30. Singer J, Sim SE, Lethbridge TC (2008) Software engineering data collection for field studies. In: Guide to advanced empirical software engineering, Springer, pp 9–34Google Scholar
  31. Tu Q et al (2000) Evolution in open source software: a case study. In: 2000 Proceedings of the international conference on software maintenance, IEEE, pp 131-142Google Scholar
  32. Van Den Berk I, Jansen S, Luinenburg L (2010) Software ecosystems: a software ecosystem strategy assessment model. In: Proceedings of the fourth european conference on software architecture: companion volume, ACM, pp 127-134Google Scholar
  33. WebExtensions (2017) Bugzilla@Mozilla., online; Accessed April 12th, 2018
  34. Wermelinger M, Yu Y (2008) Analyzing the evolution of eclipse plugins. In: Proceedings of the 2008 international working conference on Mining software repositories, ACM, pp 133–136Google Scholar
  35. Wikipedia (2018a) Code injection., online; Accessed April 12th, 2018
  36. Wikipedia (2018b) DLL injection., online; Accessed April 12th, 2018
  37. WindowsDataTypes (2018) Windows Data Types., online; Accessed April 12th, 2018

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Polytechnique MontrealMontrealCanada
  2. 2.Mozilla CorporationUnited Kingdom and University of Napoli Federico IINaplesItaly

Personalised recommendations