After you, please: browser extensions order attacks and countermeasures

Authors: Pablo Picazo-Sanchez, Juan Tapiador, Gerardo Schneider

DOI: 10.1007/S10207-019-00481-8

Abstract: Browser extensions are small applications executed in the browser context that provide additional capabilities and enrich the user experience while surfing the web. The acceptance of extensions in current browsers is unquestionable. For instance, Chrome's official extension repository has more than 63,000 extensions, with some of them having 10M users. When installed, extensions are pushed into an internal queue within the browser. The order in which each extension executes depends on a number of factors, including their relative installation times. In this paper, we demonstrate how this order can be exploited by an unprivileged malicious extension (i.e., one with no more permissions than those already assigned when accessing web content) to get access to any private information that other extensions have previously introduced. We propose a solution that does not require modifying the core browser engine, since it is implemented as another browser extension. We prove that our approach effectively protects the user against usual attackers (i.e., any other installed extension) as well as against strong attackers having access to the effects of all installed extensions (i.e., knowing who did what). We also prove the soundness and robustness of our approach under reasonable assumptions.
