Protecting Browsers from Extension Vulnerabilities
Abstract
Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web site operators. In the Firefox extension system, these exploits are dangerous because extensions run with the user’s full privileges and can read and write arbitrary files and launch new processes. In this paper, we analyze 25 popular Firefox extensions and find that 88% of these extensions need less than the full set of available privileges. Additionally, we find that 76% of these extensions use unnecessarily powerful APIs, making it difficult to reduce their privileges. We propose a new browser extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability. Our design has been adopted as the Google Chrome extension system.
Similar resources
Browser security
The past decade has shown that the browser is a vulnerable application. Vulnerabilities are still frequently being discovered for all browsers. Besides this, a typical browser has more than one plug-in installed and through the vulnerabilities associated with plug-ins fully patched browsers are at risk. Even if a browser and its plug-ins are patched and no vulnerabilities are known, the browser...
CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities
Extension architectures of popular web browsers have been carefully studied by the research community; however, the security impact of interactions between different extensions installed on a given system has received comparatively little attention. In this paper, we consider the impact of the lack of isolation between traditional Firefox browser extensions, and identify a novel extension-reuse...
VulnerableMe: Measuring Systemic Weaknesses in Mobile Browser Security
Porting browsers to mobile platforms may lead to new vulnerabilities whose solutions require careful balancing between usability and security and might not always be equivalent to those in desktop browsers. In this paper, we perform the first large-scale security comparison between mobile and desktop browsers. We focus our efforts on display security given the inherent screen limitations of mob...
Vulnerabilities in Browsers: Trends in Internet Explorer and Firefox
Since the browsers serve as the gateway to the web, vulnerabilities in browsers can have great impact. Recently there has been considerable debate about the vulnerabilities in the two major browsers Microsoft Internet Explorer and Mozilla Firefox which represent two opposite development paradigms. Here we present a quantitative perspective involving vulnerability detection rates, severity and p...
Thesis an Analysis of Vulnerabilities in Web Servers and Browser Using Time-base and Effort-based Models
With the rapid increase in the number of vulnerabilities discovered in major software systems, security in computing and internet-based transactions is greatly threatened. These vulnerabilities can be exploited to damage a computer system's security attributes confidentiality, integrity and av...
Publication date: 2010