Browser extensions greatly enrich the functionality of browsers, and users can modify their browsers according to their own preferences by installing different kinds of extensions. At the same time, browser extensions raise security problems. Extensions invoke the scriptable APIs of the browser to implement their functionality; because they can call sensitive APIs and access web content, an extension may be vulnerable or malicious. In this paper, based on research on Firefox, we propose a method for identifying insecure behaviors of browser extensions. Typically, the identification of insecure extension behaviors relies on knowledge obtained by investigating known malicious or vulnerable extensions. We present an automatic technique that eases this laborious manual investigation. From information about browser API invocations, we build a behavior graph. Each node carries information such as the interface name, method name, parameter types and parameter values. The edges between nodes denote dependence relationships between API invocations; these relationships comprise flow dependence, anti-dependence and output dependence. Using a graph mining algorithm, we compute the minimal contrast subgraphs between the behavior graph of an insecure extension and the behavior graphs of secure extensions. The results are united into a maximal subgraph, and this final subgraph is the specification of the insecure extension behaviors. We developed a prototype and downloaded browser extensions, both malicious and benign, from the official Mozilla website. After running the identification tool, we obtain the distinctive behavior of the malicious extension. The experimental results show that this technique can effectively find insecure extension behaviors.
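As an added illustration, not code from the paper, the Python sketch below builds behavior graphs from constructed API-call traces, deriving flow-, anti- and output-dependence edges from the values each call reads and writes, then computes edge-level contrast sets between an insecure graph and each secure graph and unites them, a simplification of the paper's minimal contrast subgraph mining. The interface and method names, parameter types and read/write sets are constructed sample data, not traces from the paper's experiments.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Call:
    """One recorded browser API invocation (names below are constructed samples)."""
    interface: str
    method: str
    param_types: tuple
    reads: frozenset   # values the call consumes (its arguments)
    writes: frozenset  # values the call produces (results the extension keeps)

    def sig(self):
        return f"{self.interface}.{self.method}({','.join(self.param_types)})"

def build_graph(trace):
    """Behavior graph as (src, dst, kind) edges between calls in execution order."""
    edges = set()
    for i, j in combinations(range(len(trace)), 2):  # trace[i] runs before trace[j]
        a, b = trace[i], trace[j]
        if a.writes & b.reads:   # flow dependence: b reads what a produced
            edges.add((a.sig(), b.sig(), "flow"))
        if a.reads & b.writes:   # anti-dependence: b overwrites what a read
            edges.add((a.sig(), b.sig(), "anti"))
        if a.writes & b.writes:  # output dependence: both write the same value
            edges.add((a.sig(), b.sig(), "output"))
    return edges

def contrast_spec(insecure, secure_graphs):
    """Edges of the insecure graph missing from each secure graph (edge-level
    minimal contrast subgraphs), united across all secure graphs."""
    spec = set()
    for g in secure_graphs:
        spec |= insecure - g
    return spec

# Constructed traces. Secure: read a preference and display it; read then overwrite one.
SECURE_A = [Call("nsIPrefBranch", "getCharPref", ("string",), frozenset({"prefName"}), frozenset({"prefValue"})),
            Call("nsIPromptService", "alert", ("string",), frozenset({"prefValue"}), frozenset())]
SECURE_B = [Call("nsIPrefBranch", "getCharPref", ("string",), frozenset({"prefName"}), frozenset({"prefValue"})),
            Call("nsIPrefBranch", "setCharPref", ("string", "string"), frozenset({"prefName", "newValue"}), frozenset({"prefValue"}))]
# Insecure: a cookie string read from the browser flows into an outgoing request body.
INSECURE = [Call("nsICookieService", "getCookieString", ("nsIURI",), frozenset({"uri"}), frozenset({"cookie"})),
            Call("nsIXMLHttpRequest", "open", ("string", "string"), frozenset({"url"}), frozenset({"req"})),
            Call("nsIXMLHttpRequest", "send", ("string",), frozenset({"req", "cookie"}), frozenset())]

def insecure_signature():
    """Specification of the insecure behavior: the contrast of INSECURE against both secure graphs."""
    return contrast_spec(build_graph(INSECURE), [build_graph(SECURE_A), build_graph(SECURE_B)])
```

The resulting specification is the pair of flow edges into `send`, one from the cookie read and one from `open`, which neither secure trace exhibits.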