Securing legacy firefox extensions with SENTINEL
Date
2013-07Source Title
10th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2013
Publisher
Springer
Pages
122 - 138
Language
English
Type
Conference PaperItem Usage Stats
227
views
views
250
downloads
downloads
Abstract
A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at "benign-but-buggy" extensions, as well as extensions that have been written with malicious intents pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged, making them attractive attack targets. Unfortunately, users currently do not have many options when it comes to protecting themselves from extensions that may potentially be malicious. Once installed and executed, the extension needs to be trusted. This paper introduces Sentinel, a policy enforcer for the Firefox browser that gives fine-grained control to the user over the actions of existing JavaScript Firefox extensions. The user is able to define policies (or use predefined ones) and block common attacks such as data exfiltration, remote code execution, saved password theft, and preference modification. Our evaluation of Sentinel shows that our prototype implementation can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on users' browsing experience. © 2013 Springer-Verlag.
Keywords
Browser extensionsWeb browser security
Attack target
Data exfiltration
Fine-grained control
Prototype implementations
Security threats
Security vulnerabilities
Web browser security
Computer crime
Web browsers
World Wide Web
Permalink
http://hdl.handle.net/11693/27988Published Version (Please cite this version)
https://doi.org/10.1007/978-3-642-39235-1_7Collections
Related items
Showing items related by title, author, creator and subject.
-
A survey on information security threats and solutions for Machine to Machine (M2M) communications
(Academic Press Inc., 2017)Although Machine to Machine (M2M) networks allow the development of new promising applications, the restricted resources of machines and devices in the M2M networks bring several constraints including energy, bandwidth, ... -
Whose ‘Middle East’? Geopolitical inventions and practices of security
(Sage Publications Ltd., 2004)Contesting those approaches that present the ‘Middle East’ as a region that ‘best fits the realist view of international politics’, this article submits that critical approaches are relevant to this part of the world as ... -
Inference attacks against kin genomic privacy
(Institute of Electrical and Electronics Engineers Inc., 2017)Genomic data poses serious interdependent risks: your data might also leak information about your family members' data. Methods attackers use to infer genomic information, as well as recent proposals for enhancing genomic ...
