An Analysis of the Mozilla Jetpack Extension Framework

  • Rezwana Karim
  • Mohan Dhawan
  • Vinod Ganapathy
  • Chung-chieh Shan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7313)


The Jetpack framework is Mozilla’s newly-introduced extension development technology. Motivated primarily by the need to improve how scriptable extensions (also called addons in Firefox parlance) are developed, the Jetpack framework structures addons as a collection of modules. Modules are isolated from each other, and communicate with other modules via cleanly-defined interfaces. Jetpack also recommends that each module satisfy the principle of least authority (POLA). The overall goal of the Jetpack framework is to ensure that the effects of any vulnerabilities are contained within a module. Its modular structure also facilitates code reuse across addons.

In this paper, we study the extent to which the Jetpack framework achieves its goals. Specifically, we use static analysis to study capability leaks in Jetpack modules and addons. We implemented Beacon, a static analysis tool to identify the leaks and used it to analyze 77 core modules from the Jetpack framework and another 359 Jetpack addons. In total, Beacon analyzed over 600 Jetpack modules and detected 12 capability leaks in 4 core modules and another 24 capability leaks in 7 Jetpack addons. Beacon also detected 10 over-privileged core modules. We have shared the details with Mozilla who have acknowledged our findings.


Core Module Core Analysis Analysis Engine Code Snippet Static Analysis Tool 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Firebug: Web development evolved,
  3. 3.
    Greasespot: The weblog about Greasemonkey,
  4. 4.
  5. 5.
  6. 6.
    Jetpack addon refactoring oversights,
  7. 7.
  8. 8.
  9. 9.
  10. 10.
    NoScript—JavaScript blocker for a safer Firefox experience,
  11. 11.
  12. 12.
  13. 13.
    Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: Vex: Vetting browser extensions for security vulnerabilities. In: Usenix Security (2010)Google Scholar
  14. 14.
    Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with VEX. CACM 54(9) (September 2011)Google Scholar
  15. 15.
    Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: NDSS (2010)Google Scholar
  16. 16.
    Caballero-Roldn, R., Garc-Ruiz, Y., Senz-Prez, F.: Datalog educational system,
  17. 17.
    Chugh, R., Meister, J., Jhala, R., Lerner, S.: Staged information flow in JavaScript. In: ACM SIGPLAN PLDI (2009)Google Scholar
  18. 18.
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Kenneth Zadeck, F.: Efficiently computing static single assignment form and the control dependence graph. ACM Trans. Program. Lang. Syst. 13, 451–490 (1991)CrossRefGoogle Scholar
  19. 19.
    Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript based browser extensions. In: ACSAC (2009)Google Scholar
  20. 20.
    Djeric, V., Goel, A.: Securing script-based extensibility inweb browsers. In: Usenix Security (2010)Google Scholar
  21. 21.
    Guarnieri, S., Livshits, B.: GateKeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In: USENIX Security,Google Scholar
  22. 22.
    Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., Berg, R.: Saving the world wide web from vulnerable javascript. In: ISSTA (2011)Google Scholar
  23. 23.
    Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: IEEE S&P (2011)Google Scholar
  24. 24.
    Yan, G., Liu, L., Zhang, X., Chen, S.: Chrome extensions: Threat analysis and countermeasures. In: NDSS (2012)Google Scholar
  25. 25.
    Mozilla Developer Network. Xpcom,
  26. 26.
    Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)CrossRefGoogle Scholar
  27. 27.
    Taly, A., Erlingsson, U., Miller, M.S., Mitchell, J.C., Nagra, J.: Automated analysis of security-critical javascript apis. In: IEEE S&P (2011)Google Scholar
  28. 28.
    IBM Watson. Watson libraries for analysis,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Rezwana Karim
    • 1
  • Mohan Dhawan
    • 1
  • Vinod Ganapathy
    • 1
  • Chung-chieh Shan
    • 2
  1. 1.Rutgers UniversityUSA
  2. 2.University of TsukubaJapan

Personalised recommendations