Evaluating the Language-Based Security for Plugin Development
Naisheng Liang, Alex Potanin

TL;DR
This paper investigates language-based security mechanisms for plugin development, introducing capability-based systems and evaluating their effectiveness in preventing access control vulnerabilities in popular IDEs.
Contribution
It presents a comprehensive analysis of access control vulnerabilities and proposes capability-based security measures, along with empirical evaluation in real development environments.
Findings
Capability-based systems improve plugin security
Test plugins reveal access control vulnerabilities
Recommendations enhance plugin security practices
Abstract
With the increasing popularity of plugin-based software systems, ensuring the security of plugins has become a critical concern. When users install plugins or browse websites with plugins from an untrusted source, how can we be sure that they do not have any undesirable functions implicitly? In this research, we present a comprehensive study on language-based security mechanisms for plugin development. We aim to enhance the understanding of access control vulnerabilities in plugins and explore effective security measures by introducing a capability-based system. We also developed and evaluated test plugins to assess the security mechanisms in popular development environments such as IntelliJ IDEA and Visual Studio Code by utilising Java, JavaScript, and associated APIs and frameworks. We also explore the concept of capability-based module systems as an alternative approach to plugin…
Taxonomy
Topics: Advanced Malware Detection Techniques
