Chrome Extensions: Threat Analysis and Countermeasures

Authors

  • Lei Liu
  • Xinwen Zhang
  • Guanhua Yan
  • Songqing Chen
Abstract

The widely popular browser extensions have now become one of the most commonly used malware attack vectors. The Google Chrome browser, which implements the principles of least privileges and privilege separation by design, offers a strong security mechanism to prevent malicious websites from damaging the whole browser system via extensions. In this study, however, we reveal that Chrome’s extension security model is not a panacea for all possible attacks with browser extensions. Through a series of practical bot-based attacks that can be performed even under typical settings, we demonstrate that malicious Chrome extensions pose serious threats, including both information dispersion and harvesting, to browsers. We further conduct an in-depth analysis of Chrome’s extension security model, and conclude that its vulnerabilities are rooted in the violation of the principles of least privileges and privilege separation. Following these principles, we propose a set of countermeasures that enforce the policies of microprivilege management and differentiating DOM elements. Using a prototype developed on the latest Chrome browser, we show that they can effectively mitigate the threats posed by malicious Chrome extensions with little effect on normal browsing experience.


Similar resources

Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions

Browser extensions have been established as a common feature present in modern browsers. However, some extension systems risk exposing APIs which are too permissive and cohesive with the browser’s internal structure, thus leaving a hole for malicious developers to exploit security critical functionality within the browser itself. In this paper, we raise the awareness of the threats caused by br...

Fine-Grained Detection of Privilege Escalation Attacks on Browser Extensions

Even though their architecture relies on robust security principles, it is well-known that poor programming practices may expose browser extensions to serious security flaws, leading to privilege escalations by untrusted web pages or compromised extension components. We propose a formal security analysis of browser extensions in terms of a fine-grained characterization of the privileges that an ...

The Making of “The Advanced Persistent Threat You Have: Google Chrome”

Google’s software update system can serve as a model Advanced Persistent Threat (APT). APTs often embed programs in a penetrated system. These programs wake up from time to time, call home, download additional programs and instructions to carry out, and modify systems. Google’s software update performs all these steps too. Furthermore, because the Google Chrome browser is so widely used and upd...

These Browser Extensions Spy on 8 Million Users

This work investigates the upalytics.com library for Chrome and Firefox extensions, which performs real time tracking of users on all sites they visit. The code is bundled with free extensions in the official extension stores, exfiltrating browsing history as a feature. Within the top 7,000 Chrome extensions, the library is used 42 times with over 8 million installations, the most widely used o...

An Evaluation of the Google Chrome Extension Security Architecture

Vulnerabilities in browser extensions put users at risk by providing a way for website and network attackers to gain access to users’ private data and credentials. Extensions can also introduce vulnerabilities into the websites that they modify. In 2009, Google Chrome introduced a new extension platform with several features intended to prevent and mitigate extension vulnerabilities: strong iso...

Publication date: 2012