Abstract
DLL injection is a technique used for executing code within the address space of another process by forcing the load of a dynamic-link library. In a software ecosystem, the interactions between the host and third-party software increase the maintenance challenges of the system and may lead to bugs. In this work, we empirically investigate bugs that were caused by third-party DLL injections into the Mozilla Firefox browser. Among the 103 studied DLL injection bugs, we found that 93 bugs (90.3%) led to crashes and 57 bugs (55.3%) were caused by antivirus software. Through a survey with third-party software vendors, we observed that some vendors did not perform any QA with pre-release versions nor intend to use a public API (WebExtensions) but insist on using DLL injection. To reduce DLL injection bugs, host software vendors may strengthen the collaboration with third-party vendors, e.g., build a publicly accessible validation test framework. Host software vendors may also use a whitelist approach to only allow vetted DLLs to inject.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Andersson S, Clark A, Mohay G, Schatz B, Zimmermann J (2005) A framework for detecting network-based code injection attacks targeting windows and unix. In: Computer security applications conference, 21st Annual, IEEE, pp 10–pp
AppInitDLLs (2018) AppInit_DLLs in Windows 7 and Windows Server 2008 R2. https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx, online; Accessed April 12th, 2018
Berdajs J, Bosnic Z (2010) Extending applications using an advanced approach to DLL injection and API hooking. Software: Practice and Experience 40(7):567–584
Bosch J (2009) From software product lines to software ecosystems. In: Proceedings of the 13th international software product line conference, Carnegie Mellon University, pp 111–119
Businge J, van den Brand M (2010) An empirical study of the evolution of eclipse third-party plug-ins. In: Proceedings of the Joint ERCIM Workshop on Software Evolution (EVOL) and International Workshop on Principles of Software Evolution (IWPSE), ACM, pp 63-72
Castelluccio M, An L, Khomh F (2018) An empirical study of patch uplift in rapid release development pipelines. Springer, pp 1–37
Chromium Blog (2017) Reducing Chrome crashes caused by third-party software. https://web.archive.org/web/20180728201546/https://blog.chromium.org/2017/11/reducing-chrome-crashes-caused-by-third.html, online; Accessed August 1st, 2018
CreateRemoteThread (2018) CreateRemoteThread function. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx, online; Accessed April 12th, 2018
Fewer S (2008) Reflective dll injection. Harmony Security, Version 1
German DM, Gonzalez-Barahona JM, Robles G (2007) A model to understand the building and running inter-dependencies of software. In: 14th working conference on reverse engineering, 2007. WCRE 2007. IEEE, pp 140–149
German DM, Adams B, Hassan AE (2013) The evolution of the r software ecosystem. In: 2013 17th European conference on software maintenance and reengineering (CSMR). IEEE, pp 243–252
Gonzalez-Barahona JM, Robles G, Michlmayr M, Amor JJ, German DM (2009) Macro-level software evolution: a case study of a large software compilation. Empir Softw Eng 14(3):262–285
Hanssen G K (2012) A longitudinal case study of an emerging software ecosystem: implications for practice and theory. J Syst Softw 85(7):1455–1466
Hollander M, Wolfe DA, Chicken E (2013) Nonparametric statistical methods, 3rd edn. Wiley
InfoSec Institute (2014) API hooking. http://resources.infosecinstitute.com/api-hooking, online; Accessed April 12th, 2018
Jang M, Kim H, Yun Y (2007) Detection of dll inserted by windows malicious code. In: International conference on convergence information technology, 2007. IEEE, pp 1059-1064
Jansen S, Finkelstein A, Brinkkemper S (2009) A sense of community: a research agenda for software ecosystems. In: 31st international conference on software engineering-companion, vol 2009. ICSE-Companion 2009. IEEE, pp 187–190
Karim R, Dhawan M, Ganapathy V, Shan CC (2012) An analysis of the mozilla jetpack extension framework. In: European conference on object-oriented programming, Springer, pp 333–355
Lam LC, Yu Y, Chiueh TC (2006) Secure mobile code execution service. In: LISA, pp 53–62
Liu L, Zhang X, Yan G, Chen S, et al. (2012) Chrome extensions: threat analysis and countermeasures. In: NDSS
LoadLibrary (2018) LoadLibrary function. https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx, online; Accessed April 12th, 2018
Mozilla Add-ons Blog (2018a) Advantages of WebExtensions for Developers. https://blog.mozilla.org/addons/2016/03/14/webextensons-whats-in-it-for-developers/, online; Accessed April 16th, 2018
Mozilla Add-ons Blog (2018b) Preventing add-ons and third-party software from loading DLLs into Firefox. https://blog.mozilla.org/addons/2017/01/24/preventing-add-ons-third-party-software-from-loading-dlls-into-firefox/, online; Accessed November 11th, 2018
Mozilla Add-ons Blog (2018c) The future of developing Firefox add-ons. https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/, online; Accessed April 16th, 2018
Mozilla Wiki (2017) WebExtensions API. https://wiki.mozilla.org/WebExtensions, online; Accessed April 12th, 2018
Mozilla Wiki (2018a) Mozilla release management tracking rules. https://wiki.mozilla.org/Release_Management/Release_Process, online; Accessed March 28th, 2018
Mozilla Wiki (2018b) Mozilla’s blocklisting policy. https://wiki.mozilla.org/Blocklisting, online; Accessed April 16th, 2018
SetWindowsHookEx (2018) SetWindowsHookEx function. https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx, online; Accessed April 12th, 2018
SetWinEventHook (2018) SetWinEventHook function. https://msdn.microsoft.com/en-us/library/windows/desktop/dd373640(v=vs.85).aspx, online; Accessed April 12th, 2018
Singer J, Sim SE, Lethbridge TC (2008) Software engineering data collection for field studies. In: Guide to advanced empirical software engineering, Springer, pp 9–34
Tu Q et al (2000) Evolution in open source software: a case study. In: 2000 Proceedings of the international conference on software maintenance, IEEE, pp 131-142
Van Den Berk I, Jansen S, Luinenburg L (2010) Software ecosystems: a software ecosystem strategy assessment model. In: Proceedings of the fourth european conference on software architecture: companion volume, ACM, pp 127-134
WebExtensions (2017) Bugzilla@Mozilla. https://bugzilla.mozilla.org, online; Accessed April 12th, 2018
Wermelinger M, Yu Y (2008) Analyzing the evolution of eclipse plugins. In: Proceedings of the 2008 international working conference on Mining software repositories, ACM, pp 133–136
Wikipedia (2018a) Code injection. https://en.wikipedia.org/wiki/Code_injection, online; Accessed April 12th, 2018
Wikipedia (2018b) DLL injection. https://en.wikipedia.org/wiki/DLL_injection, online; Accessed April 12th, 2018
WindowsDataTypes (2018) Windows Data Types. https://msdn.microsoft.com/en-us/library/windows/desktop/aa383751(v=vs.85).aspx, online; Accessed April 12th, 2018
Acknowledgements
The authors would like to thank the anonymous reviewers for their detailed feedback and useful suggestions that greatly contributed to improving this paper. This work has been partially supported by the Natural Sciences and Engineering Research Council of Canada (NSERC).
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by: Martin Monperrus
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Le An and Marco Castelluccio contributed equally to this work.
Rights and permissions
About this article
Cite this article
An, L., Castelluccio, M. & Khomh, F. An empirical study of DLL injection bugs in the Firefox ecosystem. Empir Software Eng 24, 1799–1822 (2019). https://doi.org/10.1007/s10664-018-9677-7
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10664-018-9677-7