Open Access Proceedings Article

An evaluation of the Google Chrome extension security architecture

TL;DR
A security review of 100 Chrome extensions finds that banning HTTP scripts and inline scripts would prevent 47 of the 50 most severe vulnerabilities with only modest impact on developers.
Abstract
Vulnerabilities in browser extensions put users at risk by providing a way for website and network attackers to gain access to users' private data and credentials. Extensions can also introduce vulnerabilities into the websites that they modify. In 2009, Google Chrome introduced a new extension platform with several features intended to prevent and mitigate extension vulnerabilities: strong isolation between websites and extensions, privilege separation within an extension, and an extension permission system. We performed a security review of 100 Chrome extensions and found 70 vulnerabilities across 40 extensions. Given these vulnerabilities, we evaluate how well each of the security mechanisms defends against extension vulnerabilities. We find that the mechanisms mostly succeed at preventing direct web attacks on extensions, but new security mechanisms are needed to protect users from network attacks on extensions, website metadata attacks on extensions, and vulnerabilities that extensions add to websites. We propose and evaluate additional defenses, and we conclude that banning HTTP scripts and inline scripts would prevent 47 of the 50 most severe vulnerabilities with only modest impact on developers.


Citations
Proceedings Article

FlowFence: practical data protection for emerging IoT application frameworks

TL;DR: FlowFence is presented, a system that requires consumers of sensitive data to declare their intended data flow patterns, which it enforces with low overhead, while blocking all other undeclared flows.
Proceedings Article

Hulk: eliciting malicious behavior in browser extensions

TL;DR: A number of malicious extensions are identified, including one with 5.5 million affected users, stressing the risks that extensions pose for today's web security ecosystem, and the need to further strengthen browser security to protect user data and privacy.
Proceedings Article

How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World

TL;DR: CMTracker is built, a behavior-based detector with two runtime profilers for automatically tracking cryptocurrency mining scripts and their related domains; it gives a more comprehensive picture of cryptojacking attacks, including their impact, distribution mechanisms, obfuscation, and attempts to evade detection.
Proceedings Article

Protecting users by confining JavaScript with COWL

TL;DR: COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content and allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple mutually distrusting origins, all while protecting users' privacy.
Proceedings Article

Trends and lessons from three years fighting malicious extensions

TL;DR: This work exposes widespread efforts by criminals to abuse the Chrome Web Store as a platform for distributing malicious extensions and highlights that the extension abuse ecosystem is drastically different from that of malicious binaries: miscreants profit from web traffic and user tracking rather than email spam or banking theft.
References
Journal Article

The protection of information in computer systems

TL;DR: In this article, the authors explore the mechanics of protecting computer-stored information from unauthorized use or modification, focusing on those architectural structures, whether hardware or software, that are necessary to support information protection.
Proceedings Article

Android permissions demystified

TL;DR: Stowaway, a tool that detects overprivilege in compiled Android applications, is built and finds that about one-third of applications are overprivileged.
Proceedings Article

Preventing privilege escalation

TL;DR: The design and analysis of the "Systrace" facility is presented, which supports fine-grained process confinement, intrusion detection, auditing and privilege elevation; it is shown that Systrace is efficient and does not impose significant performance penalties.
Proceedings Article

The effectiveness of application permissions

TL;DR: The results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.
Proceedings Article

The eval that men do: A large-scale study of the use of eval in JavaScript applications

TL;DR: In this paper, the authors present a large-scale study of the use of eval in JavaScript-based web applications, and provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior.