A Johns Hopkins team’s paper on zero-day vulnerabilities on web browser extensions won the Distinguished Paper Award at the 2023 Association for Computing Machinery Computer and Communications Security Conference, held in late November in Copenhagen.

Yinzhi Cao.

The ACM Distinguished Paper Award is presented to authors whose work is particularly groundbreaking or innovative in their respective fields. Authors of the winning paper, “CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation,” include study leader Jianjia Yu, a PhD student in computer science; Song Li, a former computer science student, who is now a ZJ-100 Young Professor at Zhejiang University, Junmin Zhu, a student intern from Shanghai Jiao Tong University, and Yinzhi Cao, assistant professor of computer science and technical director of the Johns Hopkins Information Security Institute.

The paper shares findings from research conducted about extensions often downloaded by users to complement web browsers and provide additional functionalities, such as grammatical suggestions or citations for academic papers. While web browser extensions provide many benefits, they also increase the risk of vulnerabilities, providing gateways for escalating security breaches if not adequately protected.  Cao’s team designed, implemented, and evaluated CoCo, a framework to efficiently detect vulnerabilities in browser extensions.

The team found that CoCo detected more than 40 exploitable, manually verified extension vulnerabilities that cannot be detected by other services. Cao explains that CoCo “prioritizes analysis that increases code coverage, further detecting more vulnerabilities.”

“From a technical perspective, CoCo is a leap forward in static abstract interpretation to cover more JavaScript code. From a result perspective, we hope that CoCo will make browser extensions safer to use for ordinary people,” Cao says.