
Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 516)

Abstract

Chrome browser extensions have become very popular among Google Chrome users, and attackers therefore use them to perform malicious activities that lead to the loss of users' sensitive data or damage to users' systems. In this study, we analyse the security of the Chrome extension development APIs. We use the STRIDE approach to identify possible threats in the Chrome-specific APIs used for extension development. The analysis results show that 23 of the 63 Chrome-specific APIs face various threats under the STRIDE approach. Information disclosure is the threat faced by many of the APIs, followed by tampering. This threat analysis result can be used as a reference for a tool that detects whether an extension is malicious by deeply analysing how the APIs with threats are used in the extension code.



Corresponding author

Correspondence to P. K. Akshay Dev.


© 2017 Springer Nature Singapore Pte Ltd.

Cite this paper

Akshay Dev, P.K., Jevitha, K.P. (2017). STRIDE Based Analysis of the Chrome Browser Extensions API. In: Satapathy, S., Bhateja, V., Udgata, S., Pattnaik, P. (eds) Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications. Advances in Intelligent Systems and Computing, vol 516. Springer, Singapore. https://doi.org/10.1007/978-981-10-3156-4_17

  • DOI: https://doi.org/10.1007/978-981-10-3156-4_17

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-3155-7

  • Online ISBN: 978-981-10-3156-4

  • eBook Packages: Engineering, Engineering (R0)
