论文信息 - Towards Fine-Grained Access Control on Browser Extensions

Towards Fine-Grained Access Control on Browser Extensions

We propose a practical and fine-grained browser extension access control framework, which regulates the misbehavior of JSEs with malicious intent at run time by means of restricting the access to resources, in order to prevent the malicious JSEs from ruining users security. The resource access of a JSE, which constrains its behavior, is the basis of the functionalities of it. Instead of the conventional static access control rules, we formulate the fine-grained access control policies dynamically in the framework while JSEs are executing within Firefox, which makes our framework more flexible and practical in real-world use. We tested 100 popular JSEs on AMO to evaluate the compatibility of our framework, and found that only two of them are not compatible due to their sensitive behavior. To evaluate the capability of restraining the misbehavior of JSEs, we tested ten malicious ones and the results show that all of them are blocked by our framework before they actually misbehave.

[1] V. N. Venkatakrishnan,et al. Extensible Web Browser Security , 2007, DIMVA.

[2] Ashvin Goel,et al. Securing Script-Based Extensibility in Web Browsers , 2010, USENIX Security Symposium.

[3] V. N. Venkatakrishnan,et al. Enhancing web browser security against malware extensions , 2007, Journal in Computer Virology.

[4] Marianne Winslett,et al. VEX: Vetting Browser Extensions for Security Vulnerabilities , 2010, USENIX Security Symposium.

[5] Adam Barth,et al. Protecting Browsers from Extension Vulnerabilities , 2010, NDSS.

[6] Marianne Winslett,et al. Vetting browser extensions for security vulnerabilities with VEX , 2011, CACM.

[7] Vinod Ganapathy,et al. Analyzing Information Flow in JavaScript-Based Browser Extensions , 2009, 2009 Annual Computer Security Applications Conference.

[8] Pavel Laskov,et al. Detection of Intrusions and Malware, and Vulnerability Assessment: 19th International Conference, DIMVA 2022, Cagliari, Italy, June 29 –July 1, 2022, Proceedings , 2022, International Conference on Detection of intrusions and malware, and vulnerability assessment.