Securing legacy Firefox extensions with SENTINEL

Author
Onarlioglu, K.
Battal, M.
Robertson, W.
Kirda, E.
Date
2013
Journal Title
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN
3029743
Volume
7967 LNCS
Pages
122 - 138
Language
English
Type
Conference Paper
Please cite this item using this persistent URL
http://hdl.handle.net/11693/27988
Abstract
A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at "benign-but-buggy" extensions, as well as extensions that have been written with malicious intents pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged, making them attractive attack targets. Unfortunately, users currently do not have many options when it comes to protecting themselves from extensions that may potentially be malicious. Once installed and executed, the extension needs to be trusted. This paper introduces Sentinel, a policy enforcer for the Firefox browser that gives fine-grained control to the user over the actions of existing JavaScript Firefox extensions. The user is able to define policies (or use predefined ones) and block common attacks such as data exfiltration, remote code execution, saved password theft, and preference modification. Our evaluation of Sentinel shows that our prototype implementation can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on users' browsing experience. © 2013 Springer-Verlag.
Published as
http://dx.doi.org/10.1007/978-3-642-39235-1_7
Collections
- Work in Progress 656