Retargetting Legacy Browser Extensions to Modern Extension Frameworks

  • Conference paper
ECOOP 2014 – Object-Oriented Programming (ECOOP 2014)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 8586))

Abstract

Most modern Web browsers export a rich API that lets third-party extensions access privileged browser objects; that same access can be misused by attacks directed against vulnerable extensions. Web browser vendors have therefore recently developed new extension frameworks, such as the Google Chrome extension architecture and Mozilla's Jetpack extension framework, that aim to better isolate extensions while still allowing access to privileged browser state.

We present Morpheus, a tool to port legacy browser extensions to these new frameworks. Specifically, Morpheus targets legacy extensions for the Mozilla Firefox browser, and ports them to the Jetpack framework. We describe the key techniques used by Morpheus to analyze and transform legacy extensions so that they conform to the constraints imposed by Jetpack and simplify runtime policy enforcement. Finally, we present an experimental evaluation of Morpheus by applying it to port 52 legacy Firefox extensions to the Jetpack framework.

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Karim, R., Dhawan, M., Ganapathy, V. (2014). Retargetting Legacy Browser Extensions to Modern Extension Frameworks. In: Jones, R. (eds) ECOOP 2014 – Object-Oriented Programming. ECOOP 2014. Lecture Notes in Computer Science, vol 8586. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44202-9_19

  • DOI: https://doi.org/10.1007/978-3-662-44202-9_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44201-2

  • Online ISBN: 978-3-662-44202-9

  • eBook Packages: Computer Science (R0)
