The Most Dangerous Code in the Browser

Browser extensions are ubiquitous. Yet, in today's browsers, extensions are the most dangerous code to user privacy. Extensions are third-party code, like web applications, but run with elevated privileges. Even worse, existing browser extension systems give users a false sense of security by considering extensions to be more trustworthy than web applications. This is because the user typically has to explicitly grant the extension a series of permissions it requests, e.g., to access the current tab or a particular website. Unfortunately, extension developers do not request minimum privileges and users have become desensitized to install-time warnings. Furthermore, permissions offered by popular browsers are very broad and vague. For example, over 71% of the top-500 Chrome extensions can trivially leak the user's data from any site. In this paper, we argue for a new extension system design, based on mandatory access control, that protects the user's privacy from malicious extensions. A system employing this design can enable a range of common extensions to be considered safe, i.e., they do not require user permissions and can be ensured to not leak information, while allowing the user to share information when desired. Importantly, such a design can make permission requests a rarity and thus more meaningful.