Abstract
Browser extensions provide additional functionality and customization to browsers. To support such functionality, extensions interact with browsers through a set of APIs of different privilege levels. As shown in previous studies, browser extensions are often granted more privileges than necessary. Extensions can directly threaten the host system as well as web applications, or bring in indirect threats to web sessions by injecting contents into web pages. In this paper, we make an empirical study to analyze extension behaviors, especially the behaviors that affect web sessions. We developed a dynamic technique to track the behaviors of injected scripts and analyzed the impact of these scripts. We analyzed the behaviors of 2465 extensions and discussed their security implications. We also proposed a solution to mitigate indirect threats to web sessions.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. Journal in Computer Virology 4, 179–195 (2008)
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Extensible Web Browser Security. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 1–19. Springer, Heidelberg (2007)
Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: Network and Distributed System Security Symposium (2010)
Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: Threat analysis and countermeasures. In: Proceeding of the Network and Distributed System Security Symposium, NDSS 2012 (2012)
Mozilla. Jetpack, https://wiki.mozilla.org/Jetpack
Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: Vex: vetting browser extensions for security vulnerabilities. In: Proceedings of the 19th USENIX Conference on Security, Berkeley, CA, USA, p. 22 (2010)
Mozilla add-ons, https://addons.mozilla.org/
Spidermonkey, https://developer.mozilla.org/en/SpiderMonkey
htmlcxx - HTML and CSS APIs for C++, http://htmlcxx.sourceforge.net/
libcurl - the multiprotocol file transfer library, http://curl.haxx.se/libcurl/
Security severity ratings, https://wiki.mozilla.org/Security_Severity_Ratings
Severity guidelines for security issues, http://dev.chromium.org/developers/severity-guidelines
Add-on review guide, https://wiki.mozilla.org/AMO:Editors/EditorGuide/AddonReviews
Martin Jr., D.M., Smith, R.M., Brittain, M., Fetch, I., Wu, H.: The privacy practices of web browser extensions. Communications of the ACM (2001)
Felt, A.P.: A survey of firefox extension API use. Technical report, University of California at Berkeley (2009)
Karim, R., Dhawan, M., Ganapathy, V., Shan, C.-C.: An Analysis of the Mozilla Jetpack Extension Framework. In: Noble, J. (ed.) ECOOP 2012. LNCS, vol. 7313, pp. 333–355. Springer, Heidelberg (2012)
Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript-based browser extensions. In: Computer Security Applications Conference, ACSAC (2009)
Djeric, V., Goel, A.: Securing script-based extensibility in web browsers. In: Proceedings of the 19th USENIX Conference on Security, USENIX Security 2010, p. 23. USENIX Association, Berkeley (2010)
Li, Z., Wang, X.-F., Choi, J.Y.: SpyShield: Preserving Privacy from Spy Add-Ons. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 296–316. Springer, Heidelberg (2007)
Guarnieri, S., Livshits, B.: Gatekeeper: Mostly static enforcement of security and reliability policies for javascript code. In: USENIX Security Symposium (2009)
Selenium web application testing system, http://seleniumhq.org/
Watir automated webbrowsers, http://wtr.rubyforge.org/
Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A solution for the automated detection of clickjacking attacks. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 135–144 (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, J. et al. (2012). An Empirical Study of Dangerous Behaviors in Firefox Extensions. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-33383-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33382-8
Online ISBN: 978-3-642-33383-5
eBook Packages: Computer ScienceComputer Science (R0)