
Behavior Sequence Based Vulnerability Detection For Browser Extensions

Posted on: 2015-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: J J Wang
GTID: 2298330452959580
Subject: Computer Science and Technology
Abstract/Summary:
The security of browser extensions began to receive wide attention in 2008. With rising browser use, this issue has become a research focus in recent years. At the moment, there is no methodology or tool that protects users from attacks aimed at browser extensions. The main reason given for this is the unreasonable design of the extension mechanism.

Based on a thorough analysis of Firefox's extension mechanism, which is open source, we propose a methodology for vulnerability detection based on behavior sequence analysis. By analyzing the interfaces Firefox provides to extensions, we first abstracted and classified extension behaviors and categorized them into four security levels according to their potential risks. Then, based on an instrumented build of the open-source Firefox browser, we designed and implemented an automatic test system for browser extension behaviors. It can intercept the behavior information of extensions, then simplify it and model it as a directed graph in preparation for further processing. We tested 10 extensions in each category on Mozilla. The knowledge database contains 4 kinds of vulnerabilities and 7 kinds of bad security practices. The accuracy of our method is 87.7%, and the burden imposed on Firefox is tolerable.

This paper automatically tested 140 browser extensions from Mozilla. There are 4 kinds of vulnerabilities and 7 kinds of bad security practices in our knowledge database. We conducted a survey of security issues in the browser extension system and of the unreasonable design of the extension mechanism. We conclude that there is a serious security issue in the browser extension mechanism.
Keywords/Search Tags:Browser extension, behavior sequence, security vulnerability, Graphics neural network