CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

The Most Dangerous Code in your Browser

Stefan Heule ; Devon Rifkin ; Deian Stefan ; Alejandro Russo (Institutionen för data- och informationsteknik, Programvaruteknik (Chalmers))
15th USENIX Workshop on Hot Topics in Operating Systems (2015)
[Konferensbidrag, refereegranskat]

Browser extensions are ubiquitous. Yet, in today's browsers, extensions are the most dangerous code to user privacy. Extensions are third-party code, like web applications, but run with elevated privileges. Even worse, existing browser extension systems give users a false sense of security by considering extensions to be more trustworthy than web applications. This is because the user typically has to explicitly grant the extension a series of permissions it requests, e.g., to access the current tab or a particular website. Unfortunately, extensions developers do not request minimum privileges and users have become desensitized to install-time warnings. Furthermore, permissions offered by popular browsers are very broad and vague. For example, over 71% of the top-500 Chrome extensions can trivially leak the user's data from any site. In this paper, we argue for new extension system design, based on mandatory access control, that protects the user's privacy from malicious extensions. A system employing this design can enable a range of common extensions to be considered safe, i.e., they do not require user permissions and can be ensured to not leak information, while allowing the user to share information when desired. Importantly, such a design can make permission requests a rarity and thus more meaningful.

Nyckelord: browser security, firefox, chrome, privacy



Den här publikationen ingår i följande styrkeområden:

Läs mer om Chalmers styrkeområden  

Denna post skapades 2015-04-30.
CPL Pubid: 216166