DOI: 10.1145/2736277.2741134

Automatic Detection of Information Leakage Vulnerabilities in Browser Extensions

Published: 18 May 2015

Abstract

A large number of extensions exist in browser vendors' online stores for millions of users to download and use. Many of those extensions process sensitive information from user inputs and webpages; however, it remains a big question whether those extensions may accidentally leak such sensitive information out of the browsers without protection. In this paper, we present a framework, LvDetector, that combines static and dynamic program analysis techniques for automatic detection of information leakage vulnerabilities in legitimate browser extensions. Extension developers can use LvDetector to locate and fix the vulnerabilities in their code; browser vendors can use LvDetector to decide whether the corresponding extensions can be hosted in their online stores; advanced users can also use LvDetector to determine if certain extensions are safe to use. The design of LvDetector is not bound to specific browsers or JavaScript engines, and can adopt other program analysis techniques. We implemented LvDetector and evaluated it on 28 popular Firefox and Google Chrome extensions. LvDetector identified 18 previously unknown information leakage vulnerabilities in 13 extensions with an 87% accuracy rate. The evaluation results and the feedback to our responsible disclosure demonstrate that LvDetector is useful and effective.

Published In

WWW '15: Proceedings of the 24th International Conference on World Wide Web, May 2015, 1460 pages. ISBN: 9781450334693

Sponsor: IW3C2, International World Wide Web Conference Committee

Publisher: International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland


Author Tags: javascript; vulnerability analysis; web browser extension

Qualifier: research article

Funding Source: NSF

Conference: WWW '15 (sponsor: IW3C2)

Acceptance Rates: WWW '15 paper acceptance rate 131 of 929 submissions (14%); overall acceptance rate 1,899 of 8,196 submissions (23%)

Article Metrics

Downloads (last 12 months): 15; downloads (last 6 weeks): 1. Reflects downloads up to 05 Mar 2025.

Cited By

      • (2024) Experimental Security Analysis of Sensitive Data Access by Browser Extensions. Proceedings of the ACM Web Conference 2024, pp. 1283-1294. DOI: 10.1145/3589334.3645683. Online publication date: 13 May 2024.
      • (2024) WalletRadar: towards automating the detection of vulnerabilities in browser-based cryptocurrency wallets. Automated Software Engineering 31(1). DOI: 10.1007/s10515-024-00430-3. Online publication date: 31 Mar 2024.
      • (2023) Extending a hand to attackers. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 7055-7071. DOI: 10.5555/3620237.3620632. Online publication date: 9 Aug 2023.
      • (2021) Privacy Model: Detect Privacy Leakage for Chinese Browser Extensions. IEEE Access 9, pp. 44502-44513. DOI: 10.1109/ACCESS.2021.3063814. Online publication date: 2021.
      • (2020) Burn after reading. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 258-270. DOI: 10.1145/3377811.3380439. Online publication date: 27 Jun 2020.
      • (2020) HMAC and "Secure Preferences": Revisiting Chromium-Based Browsers Security. Cryptology and Network Security, pp. 107-126. DOI: 10.1007/978-3-030-65411-5_6. Online publication date: 14 Dec 2020.
      • (2019) Achilles' heel of plug-and-Play software architectures: a grounded theory based approach. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 671-682. DOI: 10.1145/3338906.3338969. Online publication date: 12 Aug 2019.
      • (2019) Large-scale Detection of Privacy Leaks for BAT Browsers Extensions in China. 2019 International Symposium on Theoretical Aspects of Software Engineering (TASE), pp. 57-64. DOI: 10.1109/TASE.2019.00-19. Online publication date: Jul 2019.
      • (2019) After you, please: browser extensions order attacks and countermeasures. International Journal of Information Security. DOI: 10.1007/s10207-019-00481-8. Online publication date: 21 Nov 2019.
      • (2017) Detecting DOM-Sourced Cross-Site Scripting in Browser Extensions. 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 24-34. DOI: 10.1109/ICSME.2017.11. Online publication date: Sep 2017.
