Towards Fine-Grained Access Control on Browser Extensions

Wang, Lei; Xiang, Ji; Jing, Jiwu; Zhang, Lingchen

doi:10.1007/978-3-642-29101-2_11

Lei Wang¹⁹,
Ji Xiang¹⁹,
Jiwu Jing¹⁹ &
…
Lingchen Zhang¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7232))

Included in the following conference series:

International Conference on Information Security Practice and Experience

862 Accesses
7 Citations

Abstract

We propose a practical and fine-grained browser extension access control framework, which regulates the misbehavior of JSEs with malicious intent at run time by means of restricting the access to resources, in order to prevent the malicious JSEs from ruining users security. The resource access of a JSE, which constrains its behavior, is the basis of the functionalities of it. Instead of the conventional static access control rules, we formulate the fine-grained access control policies dynamically in the framework while JSEs are executing within Firefox, which makes our framework more flexible and practical in real-world use. We tested 100 popular JSEs on AMO to evaluate the compatibility of our framework, and found that only two of them are not compatible due to their sensitive behavior. To evaluate the capability of restraining the misbehavior of JSEs, we tested ten malicious ones and the results show that all of them are blocked by our framework before they actually misbehave.

This work was supported by National Natural Science Foundation of China (Grant No. 70890084/G021102, 61003274 and 61003273) and Knowledge Innovation Program of Chinese Academy of Sciences (Grant No. YYYJ-1013).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

SOP: The Same-Origin Policy (August 2001), http://www.mozilla.org/projects/security/components/same-origin.html
Amo: Addons.mozilla.org, https://addons.mozilla.org
Djeric, V., Goel, A.: Securing script-based extensibility in web browsers. In: USENIX Security (2010)
Google Scholar
Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: 2009 Annual Computer Security Applications Conference, pp. 382–391. IEEE (2009)
Google Scholar
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Extensible Web Browser Security. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 1–19. Springer, Heidelberg (2007)
Chapter Google Scholar
Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. Journal in Computer Virology 4(3), 179–195 (2008)
Article Google Scholar
Barth, A., Felt, A., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: Proceedings of the 17th Network and Distributed System Security Symposium (NDSS), San Diego, CA, Citeseer (2010)
Google Scholar
Review process of mozilla, https://addons.mozilla.org/en-US/developers/docs/policies/reviews
Add-on reviews, https://wiki.mozilla.org/AMO:Editors/EditorGuide/AddonReviews
Ffsniff: Firefox sniffer (June 2008), http://azurit.elbiahosting.sk/ffsniff
Building an firefox extension, https://developer.mozilla.org/en/Building_an_Extension
Mozilla xpconnect, https://developer.mozilla.org/en/XPConnect
Mozilla addons blocklist, http://www.mozilla.com/en-US/blocklist/
Sunspider javascript benchmark, http://www.webkit.org/perf/sunspider/sunspider.html
Acid3 benchmark, http://www.webstandards.org/action/acid3/
Kraken benchmark, http://krakenbenchmark.mozilla.org/index.html
Bandhakavi, S., King, S., Madhusudan, P., Winslett, M.: VEX: vetting browser extensions for security vulnerabilities. In: USENIX Security (2010)
Google Scholar
Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with vex. Communications of the ACM 54(9), 91–99 (2011)
Article Google Scholar

Download references

Author information

Authors and Affiliations

State Key Lab of Information Security, Graduate University of CAS, China
Lei Wang, Ji Xiang, Jiwu Jing & Lingchen Zhang

Authors

Lei Wang
View author publications
You can also search for this author in PubMed Google Scholar
Ji Xiang
View author publications
You can also search for this author in PubMed Google Scholar
Jiwu Jing
View author publications
You can also search for this author in PubMed Google Scholar
Lingchen Zhang
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

School of Computer Science, University of Birmingham, UK
Mark D. Ryan
Toshiba Corporation, 1, Komukai-Toshiba–Cho, 212-8582, Saiwai-ku, Kawasaki, Japan
Ben Smyth
School of Computer Science & Software Engineering, University of Wollongong, Northfields Avenue, 2522, Wollongong, NSW, Australia
Guilin Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Wang, L., Xiang, J., Jing, J., Zhang, L. (2012). Towards Fine-Grained Access Control on Browser Extensions. In: Ryan, M.D., Smyth, B., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2012. Lecture Notes in Computer Science, vol 7232. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29101-2_11

Download citation

DOI: https://doi.org/10.1007/978-3-642-29101-2_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29100-5
Online ISBN: 978-3-642-29101-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics