Retargetting Legacy Browser Extensions To Modern Extension Frameworks

Most modern Web browsers export a rich API allowing third-party extensions to access privileged browser objects that can also be misused by attacks directed against vulnerable ones. Web browser vendors have therefore recently developed new extension frameworks aimed at better isolating extensions while still allowing access to privileged browser state. For instance Google Chrome extension architecture and Mozilla's Jetpack extension framework.We present Morpheus, a tool to port legacy browser extensions to these new frameworks. Specifically, Morpheus targets legacy extensions for the Mozilla Firefox browser, and ports them to the Jetpack framework. We describe the key techniques used by Morpheus to analyze and transform legacy extensions so that they conform to the constraints imposed by Jetpack and simplify runtime policy enforcement. Finally, we present an experimental evaluation of Morpheus by applying it to port 52 legacy Firefox extensions to the Jetpack framework.