TY - GEN
T1 - Automatic detection of information leakage vulnerabilities in browser extensions
AU - Zhao, Rui
AU - Yue, Chuan
AU - Yi, Qing
N1 - Funding Information:
NSF grants CNS-1359542 and DGE-1438935.
PY - 2015/5/18
Y1 - 2015/5/18
N2 - A large number of extensions exist in browser vendors' online stores for millions of users to download and use. Many of those extensions process sensitive information from user inputs and webpages; however, it remains a big question whether those extensions may accidentally leak such sensitive information out of the browsers without protection. In this paper, we present a framework, LvDetector, that combines static and dynamic program analysis techniques for automatic detection of information leakage vulnerabilities in legitimate browser extensions. Extension developers can use LvDetector to locate and fix the vulnerabilities in their code; browser vendors can use LvDetector to decide whether the corresponding extensions can be hosted in their online stores; advanced users can also use LvDetector to determine if certain extensions are safe to use. The design of LvDetector is not bound to specific browsers or JavaScript engines, and can adopt other program analysis techniques. We implemented LvDetector and evaluated it on 28 popular Firefox and Google Chrome extensions. LvDetector identified 18 previously unknown information leakage vulnerabilities in 13 extensions with an 87% accuracy rate. The evaluation results and the feedback to our responsible disclosure demonstrate that LvDetector is useful and effective.
KW - JavaScript
KW - Vulnerability analysis
KW - Web browser extension
UR - http://www.scopus.com/inward/record.url?scp=84968876633&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84968876633&partnerID=8YFLogxK
U2 - 10.1145/2736277.2741134
DO - 10.1145/2736277.2741134
M3 - Conference contribution
AN - SCOPUS:84968876633
T3 - WWW 2015 - Proceedings of the 24th International Conference on World Wide Web
SP - 1384
EP - 1394
BT - WWW 2015 - Proceedings of the 24th International Conference on World Wide Web
PB - Association for Computing Machinery, Inc
T2 - 24th International Conference on World Wide Web, WWW 2015
Y2 - 18 May 2015 through 22 May 2015
ER -