Retargetting Legacy Browser Extensions to Modern Extension Frameworks
Authors
Abstract
Most modern Web browsers export a rich API allowing third-party extensions to access privileged browser objects that can also be misused by attacks directed against vulnerable ones. Web browser vendors have therefore recently developed new extension frameworks aimed at better isolating extensions while still allowing access to privileged browser state, for instance the Google Chrome extension architecture and Mozilla’s Jetpack extension framework. We present Morpheus, a tool to port legacy browser extensions to these new frameworks. Specifically, Morpheus targets legacy extensions for the Mozilla Firefox browser, and ports them to the Jetpack framework. We describe the key techniques used by Morpheus to analyze and transform legacy extensions so that they conform to the constraints imposed by Jetpack and simplify runtime policy enforcement. Finally, we present an experimental evaluation of Morpheus by applying it to port 52 legacy Firefox extensions to the Jetpack framework.
Similar resources
SENTINEL: Securing Legacy Firefox Extensions
A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at “benign-but-buggy” extensions, as well as extensions that have been written with malicious intent, pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged, ...
Techniques and Tools for Secure Web Browser Extension Development
Dissertation by Rezwana Karim. Dissertation Director: Vinod Ganapathy. Many modern application platforms support an extensible architecture that allows the application core to be extended with functionality developed by third parties. This bootstraps a developer community that works together to enhance and customize the basi...
Securing Legacy Firefox Extensions with SENTINEL
A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at “benign-but-buggy” extensions, as well as extensions that have been written with malicious intents, pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged,...
A Survey of Firefox Extension API Use
Mozilla Firefox provides third-party developers with a framework for writing extensions to add functionality to the browser. Extensions have unfettered access to browser privileges: extensions can snoop on web content, delete files from the hard drive, and even launch new processes from arbitrary binaries. Extensions might be intentionally malicious (i.e., a user unknowingly installs browser ma...
Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions
Browser extensions have been established as a common feature present in modern browsers. However, some extension systems risk exposing APIs which are too permissive and cohesive with the browser’s internal structure, thus leaving a hole for malicious developers to exploit security critical functionality within the browser itself. In this paper, we raise the awareness of the threats caused by br...