Cross-Language Dependency Analysis for VS Code Extension Ecosystem

Type

Master's Thesis
Abstract

Visual Studio Code (VS Code) is currently the most popular integrated development environment (IDE), primarily due to its highly modular architecture built on third-party extensions. These extensions can rely on dependencies spanning multiple programming languages, notably JavaScript and native languages such as C and C++. Such cross-language interactions introduce complexity and potential security vulnerabilities because the languages differ in memory management, type safety, and crash resilience. While previous research has identified the inherent security risks of cross-language bindings within individual packages in the npm ecosystem, the implications of such vulnerabilities for the VS Code extension ecosystem have yet to be explored. This thesis investigates cross-language dependencies in VS Code extensions, focusing specifically on the interactions between JavaScript and native code. A methodology is presented to systematically discover, construct, and analyse the dependency tree from an extension down to native code. The study uncovers patterns, characteristics, and potential security risks associated with native dependencies in VS Code extensions. By addressing the gap between current knowledge about cross-language vulnerabilities and VS Code extensions, this research provides insights into the lack of security practices within the VS Code ecosystem. The results show that 455 (14.7%) of the 3,078 investigated extensions either implement native code directly or depend on a package that involves cross-language interaction. While only two extensions contained production code written directly in a native language, they amassed 171 potential vulnerabilities. Additionally, 211 extensions depended on 228 dependencies containing native code, which amassed 8,732 potential vulnerabilities in total, showing the potential risks of using such packages.

Subject / keywords

Cross-Language Dependency, VS Code Extensions, Vulnerability Analysis, npm, CodeQL, Static Analysis
