Extensible Web Browser Security

Extensible Web Browser Security is a research paper authored by Mike Ter Louw, Jin Soon Lim, and V.N. Venkatakrishnan exploring threats to and vulnerabilities in web browsers with extensible architecture.

Abstract

In this paper we examine the security issues in functionality extension mechanisms supported by web browsers. Extensions (or “plug-ins”) in modern web browsers enjoy unlimited power without restraint and thus are attractive vectors for malware. To solidify the claim, we take on the role of malware writers looking to assume control of a user’s browser space. We have taken advantage of the lack of security mechanisms for browser extensions and have implemented a piece of malware for the popular Firefox web browser, which we call browserSpy, that requires no special privileges to be installed. Once installed, browserSpy takes complete control of a user’s browser space and can observe all the activity performed through the browser while being undetectable. We then adopt the role of defenders to discuss defense strategies against such malware. Our primary contribution is a mechanism that uses code integrity checking techniques to control the extension installation and loading process. We also discuss techniques for runtime monitoring of extension behavior that provide a foundation for defending threats due to installed extensions.

Paper details

Citation

Mike Ter Louw, Jin Soon Lim, and V. N. Venkatakrishnan. Extensible web browser security. In GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Lucerne, Switzerland, 2007.

BibTeX

BibTeX

 @string{ DIMVA = {GI International Conference on Detection of Intrusions \&
	Malware, and Vulnerability Assesment (DIMVA)}}
@inproceedings{
	TerLouw:Lim:DIMVA07,
	author		= {Ter~Louw, Mike and Jin Soon Lim and V. N. Venkatakrishnan},
	title		= {Extensible Web Browser Security},
	booktitle	= DIMVA,
	year		= {2007},
	address		= {Lucerne, Switzerland}
} 

Conference

DIMVA '07 (acceptance rate: 24.5% (14 out of 57))

Download

PDF

DIMVA 2007 Presentation

Powerpoint

More on the Extensible Web Browser Security project

• Interface elements for the extension integrity assurance solution
• Interface elements for the extension integrity assurance solution (prototype)

Future work

We are currently pursuing efforts to integrate our extension integrity checking prototype into the Firefox browser main source tree.

Related links

Some information related to this research is linked below.

Motivation for improving the security of Firefox's extensible architecture

• The danger of extensions
• The Danger of Mediocrity
• addons.mozilla.org recent and open issues
• Trojan cloaks itself as Firefox extension

Motivation for improving web browser security in general

• Security Remains a Challenge for Browser Developers

Further developments and related research

• A Remote Vulnerability in Firefox Extensions