SENTINEL: Securing Legacy Firefox Extensions

Onarlıoğlu, Kaan; Buyukkayhan, Ahmet Salih; Robertson, William; Kirda, Engin

doi:10.1016/j.cose.2014.12.002

Cited by 16 publications

(13 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, the simplified API of the Jetpack framework is not feature-complete and, therefore, various extensions use a mix of the legacy extension development techniques and Addon SDK to access more powerful XPCOM features where necessary. In fact, a recent study [32] shows that in June 2014, only 10.6% of the top 1,000 Firefox extensions were built using the Add-on SDK. We have also performed a similar preliminary experiment to verify those results.…”

Section: A Firefox Extensionsmentioning

confidence: 99%

“…Onarlioglu et al [31] describe Sentinel, a lightweight XPCOM policy enforcer for JavaScript Firefox extensions. An extended version of this work [32] provides a partial and limited defense against extension-reuse attacks by protecting global variables against tampering; however, reuse of globally-exposed sensitive functions (e.g., attacks those described in Section III-C) remain unaddressed. Ter Louw et al [34], [35] present an extension integrity checker and an XPCOM policy enforcement framework built into Firefox.…”

Section: Related Workmentioning

confidence: 99%

“…Consequently, malicious extensions, or attacks directed at legitimate extensions, pose a significant security risk to users. The research community has recognized this threat, presented studies and tools that analyze the security properties of extensions [3], [4], [7], [8], [13], [16], [37], and proposed various defenses [31], [35], [38].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

Buyukkayhan

Onarlıoğlu

Robertson

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Abstract-Extension architectures of popular web browsers have been carefully studied by the research community; however, the security impact of interactions between different extensions installed on a given system has received comparatively little attention. In this paper, we consider the impact of the lack of isolation between traditional Firefox browser extensions, and identify a novel extension-reuse vulnerability that allows adversaries to launch stealthy attacks against users. This attack leverages capability leaks from legitimate extensions to avoid the inclusion of security-sensitive API calls within the malicious extension itself, rendering extensions that use this technique difficult to detect through the manual vetting process that underpins the security of the Firefox extension ecosystem.We then present CROSSFIRE, a lightweight static analyzer to detect instances of extension-reuse vulnerabilities. CROSSFIRE uses a multi-stage static analysis to efficiently identify potential capability leaks in vulnerable, benign extensions. If a suspected vulnerability is identified, CROSSFIRE then produces a proof-ofconcept exploit instance -or, alternatively, an exploit template that can be adapted to rapidly craft a working attack that validates the vulnerability.To ascertain the prevalence of extension-reuse vulnerabilities, we performed a detailed analysis of the top 10 Firefox extensions, and ran further experiments on a random sample drawn from the top 2,000. The results indicate that popular extensions, downloaded by millions of users, contain numerous exploitable extension-reuse vulnerabilities. A case study also provides anecdotal evidence that malicious extensions exploiting extension-reuse vulnerabilities are indeed effective at cloaking themselves from extension vetters.

show abstract

Section: A Firefox Extensionsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

Buyukkayhan

Onarlıoğlu

Robertson

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…We then used a set of extensions (training samples), which are collected from various extension sources (such as Mozilla Add-ons repository, Bugzilla reports [29], other websites that report malicious extensions and related literature) to train the three models. Vulnerable and malicious extension samples are specifically difficult to find (also noted elsewhere [26,27]). Hence, we defined rules and applied them to generate additional training samples such that the detection would be more accurate and efficient.…”

Section: Introductionmentioning

confidence: 99%

“…Barua et al [26] presented an approach to differentiate between legitimate and malicious JavaScript code supplied through unsanitized user inputs to Firefox extensions using a code randomization and point-to analysis techniques. A recent work that allows Firefox users to specify policies for extensions and offers run time enforcement of those policies is discussed in [27]. A user could specify that extensions are allowed to read from the file system and password manager but not allowed to write to either.…”

Section: Introductionmentioning

confidence: 99%

Effective detection of vulnerable and malicious browser extensions

Shahriar

Weldemariam

Zulkernine

et al. 2014

Computers & Security

View full text Add to dashboard Cite

Unsafely coded browser extensions can compromise the security of a browser, making them attractive targets for attackers as a primary vehicle for conducting cyber-attacks. Among others, the three factors making vulnerable extensions a high-risk security threat for browsers include: i) the wide popularity of browser extensions, ii) the similarity of browser extensions with web applications, and iii) the high privilege of browser extension scripts. Furthermore, mechanisms that specifically target to mitigate browser extension-related attacks have received less attention as opposed to solutions that have been deployed for common web security problems (such as SQL injection, XSS, logic flaws, client-side vulnerabilities, drive-by-download, etc.). To address these challenges, recently some techniques have been proposed to defend extension-related attacks. These techniques mainly focus on information flow analysis to capture suspicious data flows, impose privilege restriction on API calls by malicious extensions, apply digital signatures to monitor process and memory level activities, and allow browser users to specify policies in order to restrict the operations of extensions.This article presents a model-based approach to detect vulnerable and malicious browser extensions by widening and complementing the existing techniques. We observe and utilize various common and distinguishing characteristics of benign, vulnerable, and malicious browser extensions. These characteristics are then used to build our detection models, which are based on the Hidden Markov Model constructs. The models are well trained using a set of features extracted from a number of browser extensions together with user supplied specifications. Along the course of this study, one of the main challenges * Corresponding author.Email address: weldemar@cs.queensu.ca;k.weldemariam@ke.ibm.com (Komminist Weldemariam) Preprint submitted to Computers & Security May 20, 2014 we encountered was the lack of vulnerable and malicious extension samples. To address this issue, based on our previous knowledge on testing web applications and heuristics obtained from available vulnerable and malicious extensions, we have defined rules to generate training samples. The approach is implemented in a prototype tool and evaluated using a number of Mozilla Firefox extensions. Our evaluation indicated that the approach not only detects known vulnerable and malicious extensions, but also identifies previously undetected extensions with a negligible performance overhead.

show abstract

STRIDE Based Analysis of the Chrome Browser Extensions API

Dev

Jevitha

2017

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

SENTINEL: Securing Legacy Firefox Extensions

Cited by 16 publications

References 17 publications

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

Effective detection of vulnerable and malicious browser extensions

STRIDE Based Analysis of the Chrome Browser Extensions API

Contact Info

Product

Resources

About