Abstract
In this paper we examine security issues of functionality extension mechanisms supported by web browsers. Extensions (or “plug-ins”) in modern web browsers enjoy unrestrained access at all times and thus are attractive vectors for malware. To solidify the claim, we take on the role of malware writers looking to assume control of a user’s browser space. We have taken advantage of the lack of security mechanisms for browser extensions and implemented a malware application for the popular Firefox web browser, which we call browserSpy, that requires no special privileges to be installed. browserSpy takes complete control of the user’s browser space, can observe all activity performed through the browser and is undetectable. We then adopt the role of defenders to discuss defense strategies against such malware. Our primary contribution is a mechanism that uses code integrity checking techniques to control the extension installation and loading process. We describe two implementations of this mechanism: a drop-in solution that employs JavaScript and a faster, in-browser solution that makes use of the browser’s native cryptography implementation. We also discuss techniques for runtime monitoring of extension behavior to provide a foundation for defending against threats posed by installed extensions.
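A minimal sketch of install-time sealing and load-time verification of extension files, added here as an illustration and not taken from the paper's implementation. It assumes an HMAC-SHA-256 tag over a per-file digest list, with the key kept outside the extension directory; the function names, file names and contents are constructed for the example.

```javascript
const nodeCrypto = require('crypto');

// Constructed sample: an installed extension as a { path: contents } map.
const installed = {
  'install.rdf': '<RDF><!-- constructed sample manifest --></RDF>',
  'chrome/content/overlay.js': 'function onLoad() { /* benign */ }',
};

const sha256 = (data) =>
  nodeCrypto.createHash('sha256').update(data).digest('hex');
const mac = (key, body) =>
  nodeCrypto.createHmac('sha256', key).update(body).digest();

// Install time: after the user approves the install, record a digest for
// every file and authenticate the record with a key the extension cannot read.
function sealExtension(files, key) {
  const digests = {};
  for (const path of Object.keys(files).sort()) {
    digests[path] = sha256(files[path]);
  }
  const body = JSON.stringify(digests);
  return { body, tag: mac(key, body).toString('hex') };
}

// Load time: refuse to load unless the record is authentic and the files on
// disk match it exactly (nothing modified, missing, or added out of band).
function verifyExtension(files, seal, key) {
  const expected = mac(key, seal.body);
  const given = Buffer.from(seal.tag, 'hex');
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, problems: ['seal tag invalid'] };
  }
  const digests = JSON.parse(seal.body);
  const problems = [];
  for (const [path, digest] of Object.entries(digests)) {
    if (!Object.hasOwn(files, path)) problems.push(`missing: ${path}`);
    else if (sha256(files[path]) !== digest) problems.push(`modified: ${path}`);
  }
  for (const path of Object.keys(files)) {
    if (!Object.hasOwn(digests, path)) problems.push(`unexpected: ${path}`);
  }
  return { ok: problems.length === 0, problems };
}
```

An extension copied into the profile without passing through the approved install step has no valid seal, so the load-time check rejects it along with any sealed extension whose files were later altered.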
Cite this article
Ter Louw, M., Lim, J.S. & Venkatakrishnan, V.N. Enhancing web browser security against malware extensions. J Comput Virol 4, 179–195 (2008). https://doi.org/10.1007/s11416-007-0078-5
DOI: https://doi.org/10.1007/s11416-007-0078-5