Abstract
We propose a practical and fine-grained browser extension access control framework, which regulates the misbehavior of JSEs with malicious intent at run time by means of restricting the access to resources, in order to prevent the malicious JSEs from ruining users security. The resource access of a JSE, which constrains its behavior, is the basis of the functionalities of it. Instead of the conventional static access control rules, we formulate the fine-grained access control policies dynamically in the framework while JSEs are executing within Firefox, which makes our framework more flexible and practical in real-world use. We tested 100 popular JSEs on AMO to evaluate the compatibility of our framework, and found that only two of them are not compatible due to their sensitive behavior. To evaluate the capability of restraining the misbehavior of JSEs, we tested ten malicious ones and the results show that all of them are blocked by our framework before they actually misbehave.
This work was supported by National Natural Science Foundation of China (Grant No. 70890084/G021102, 61003274 and 61003273) and Knowledge Innovation Program of Chinese Academy of Sciences (Grant No. YYYJ-1013).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
SOP: The Same-Origin Policy (August 2001), http://www.mozilla.org/projects/security/components/same-origin.html
Amo: Addons.mozilla.org, https://addons.mozilla.org
Djeric, V., Goel, A.: Securing script-based extensibility in web browsers. In: USENIX Security (2010)
Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: 2009 Annual Computer Security Applications Conference, pp. 382–391. IEEE (2009)
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Extensible Web Browser Security. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 1–19. Springer, Heidelberg (2007)
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. Journal in Computer Virology 4(3), 179–195 (2008)
Barth, A., Felt, A., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: Proceedings of the 17th Network and Distributed System Security Symposium (NDSS), San Diego, CA, Citeseer (2010)
Review process of mozilla, https://addons.mozilla.org/en-US/developers/docs/policies/reviews
Add-on reviews, https://wiki.mozilla.org/AMO:Editors/EditorGuide/AddonReviews
Ffsniff: Firefox sniffer (June 2008), http://azurit.elbiahosting.sk/ffsniff
Building an firefox extension, https://developer.mozilla.org/en/Building_an_Extension
Mozilla xpconnect, https://developer.mozilla.org/en/XPConnect
Mozilla addons blocklist, http://www.mozilla.com/en-US/blocklist/
Sunspider javascript benchmark, http://www.webkit.org/perf/sunspider/sunspider.html
Acid3 benchmark, http://www.webstandards.org/action/acid3/
Kraken benchmark, http://krakenbenchmark.mozilla.org/index.html
Bandhakavi, S., King, S., Madhusudan, P., Winslett, M.: VEX: vetting browser extensions for security vulnerabilities. In: USENIX Security (2010)
Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with vex. Communications of the ACM 54(9), 91–99 (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, L., Xiang, J., Jing, J., Zhang, L. (2012). Towards Fine-Grained Access Control on Browser Extensions. In: Ryan, M.D., Smyth, B., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2012. Lecture Notes in Computer Science, vol 7232. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29101-2_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-29101-2_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29100-5
Online ISBN: 978-3-642-29101-2
eBook Packages: Computer ScienceComputer Science (R0)