Abstract
Many Chrome users rely on extensions to enhance browser functions and their online experience. These extensions run with special permissions: they can read and modify the DOM (Document Object Model) elements of users' web pages. However, excessive permissions and operation behaviors expose users to serious risks, such as privacy leakage caused by extensions. Dynamic taint analysis techniques are often used to discover privacy leakage; they monitor code execution by modifying the JavaScript interpreter or by rewriting the JavaScript source code. However, interpreter-level taint techniques must overcome the complexity of the interpreter, and designing taint propagation rules for bytecode is also difficult. Source-level taint techniques such as Jalangi2 are undertainted, which will trigger some exceptions in practice.
To this end, we design JalangiEX based on Jalangi2. JalangiEX fixes problems in Jalangi2 and strips its redundant code. In addition, JalangiEX monitors two types of initialization actions and provides taint propagation support for message passing between different pages, which further solves the undertaint problem of Jalangi2. Moreover, we implement JTaint, a dynamic taint analysis system that uses JalangiEX to rewrite the extension and monitors the process of taint propagation to discover potential privacy leaks in Chrome extensions. Finally, we use JTaint to analyze 20,000 extensions from the Chrome Web Store and observe the data flow of extensions on a special honey page. Fifty-seven malicious extensions are found to leak privacy-sensitive information and are still active in the Chrome Web Store.
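The undertaint across message passing mentioned above can be shown with a small source-level tracker. This is an added example, not code from JTaint, JalangiEX or Jalangi2; the `Tainted` wrapper, the two channel functions, the honey-page field and the collector URL are hypothetical and constructed for illustration.

```javascript
// Shadow-value taint tracking: a tainted value is wrapped with a set of labels.
// All names here are hypothetical; this is not the JalangiEX implementation.
class Tainted {
  constructor(value, labels) { this.value = value; this.labels = new Set(labels); }
}
const valueOf = (x) => (x instanceof Tainted ? x.value : x);
const labelsOf = (x) => (x instanceof Tainted ? [...x.labels] : []);

// Propagation rule for string concatenation: the result carries both label sets.
function concat(a, b) {
  const labels = [...labelsOf(a), ...labelsOf(b)];
  const v = String(valueOf(a)) + String(valueOf(b));
  return labels.length ? new Tainted(v, labels) : v;
}

// Source: reading a form field from the (constructed) honey page.
function readField(page, name) { return new Tainted(page[name], ['dom:' + name]); }

// Channel between content script and background page. As with extension
// messaging, only JSON-serializable data crosses the page boundary.
function sendNaive(msg) {
  // The wrapper cannot cross the boundary, so the labels are silently dropped.
  return JSON.parse(JSON.stringify({ data: valueOf(msg) })).data;
}
function sendWithTaint(msg) {
  // Ship the labels next to the payload and re-wrap the value on receipt.
  const wire = JSON.stringify({ data: valueOf(msg), taint: labelsOf(msg) });
  const { data, taint } = JSON.parse(wire);
  return taint.length ? new Tainted(data, taint) : data;
}

// Sink: an outgoing request. Reports which source labels reach the network.
function networkSink(url, body) { return { url, leaked: labelsOf(body) }; }

// One flow: page field -> content script -> message -> background -> network.
function run(send) {
  const honeyPage = { password: 'hunter2-constructed' };         // constructed sample
  const msg = concat('p=', readField(honeyPage, 'password'));    // content script
  const received = send(msg);                                    // background page
  return networkSink('https://collector.example/log', concat(received, '&v=1'));
}

console.log('naive channel:', run(sendNaive).leaked);          // undertaint: leak missed
console.log('label-carrying channel:', run(sendWithTaint).leaked);
```

With the naive channel the sink sees an untainted string even though the password reaches the network, which is the false negative an analysis must avoid.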
Acknowledgments
We sincerely thank the anonymous ACISP reviewers for their valuable feedback. This work was supported in part by the National Natural Science Foundation of China (61972297, U1636107).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Xie, M., Fu, J., He, J., Luo, C., Peng, G. (2020). JTaint: Finding Privacy-Leakage in Chrome Extensions. In: Liu, J., Cui, H. (eds) Information Security and Privacy. ACISP 2020. Lecture Notes in Computer Science, vol 12248. Springer, Cham. https://doi.org/10.1007/978-3-030-55304-3_29
DOI: https://doi.org/10.1007/978-3-030-55304-3_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-55303-6
Online ISBN: 978-3-030-55304-3
eBook Packages: Computer Science (R0)