Protecting Browsers from Extension Vulnerabilities

Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web site operators. In the Firefox extension system, these exploits are dangerous because extensions run with the user’s full privileges and can read and write arbitrary files and launch new processes. In this paper, we analyze 25 popular Firefox extensions and find that 88% of these extensions need less than the full set of available privileges. Additionally, we find that 76% of these extensions use unnecessarily powerful APIs, making it difficult to reduce their privileges. We propose a new browser extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability. Our design has been adopted as the Google Chrome extension system.
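
The abstract summarises the design at a high level; the following block is an added example, not code from the paper or from Chrome, modelling how least privilege and privilege separation gate what an extension can do. It assumes a Chrome-style manifest with declared permissions and host match patterns; the manifest, the API-to-permission table and the enforcement functions are constructed for illustration.

```javascript
// Added example, not the paper's code: a model of the least-privilege and
// privilege-separation policy the abstract proposes. The manifest shape and
// match-pattern syntax follow Chrome's extension system; the enforcement code
// is a constructed illustration, not Chrome's implementation.

// Hypothetical manifest: the extension only needs example.com pages and storage.
const manifest = {
  name: "Example reader",
  permissions: ["storage", "https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["content.js"] }],
};

// Compile a scheme://host/path match pattern into an anchored RegExp.
function compileMatchPattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const scheme = m[1] === "*" ? "https?" : m[1];
  const host = m[2] === "*" ? "[^/]+"
    : m[2].startsWith("*.") ? "([^/.]+\\.)*" + esc(m[2].slice(2)) : esc(m[2]);
  const path = esc(m[3]).replace(/\*/g, ".*");
  return new RegExp("^" + scheme + "://" + host + path + "$");
}

// Least privilege: a content script runs only on hosts the manifest names.
function contentScriptAllowed(manifest, url) {
  return manifest.content_scripts.some((cs) =>
    cs.matches.some((p) => compileMatchPattern(p).test(url)));
}

// Privilege separation: the content script (exposed to the page) holds no
// browser API access; it can only message the extension core, which checks
// every request against the manifest before touching a privileged API.
const API_PERMISSION = { "storage.get": "storage", "tabs.query": "tabs", "history.search": "history" };

function coreHandleMessage(manifest, msg) {
  if (typeof msg !== "object" || msg === null || typeof msg.api !== "string") {
    return { ok: false, reason: "malformed request" };
  }
  const needed = API_PERMISSION[msg.api];
  if (needed === undefined) return { ok: false, reason: "unknown API " + msg.api };
  if (!manifest.permissions.includes(needed)) {
    return { ok: false, reason: "manifest does not grant " + needed };
  }
  return { ok: true, api: msg.api }; // a real core would call the API here
}
```

A compromised content script in this model can at most ask for what the manifest already grants, which is the bound on damage the abstract argues for.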