of 35/35
VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN

VEX: Vetting browser extensions for security vulnerabilities

  • View
    35

  • Download
    0

Embed Size (px)

DESCRIPTION

VEX: Vetting browser extensions for security vulnerabilities. Xiang Pan. ROADMAP. Background Threat Model Static Information Flow Analysis Evaluation Related Works. Extensions. Extensions Vs. Plugins Plugins are complicated, loadable modules. Flash and Java are two examples - PowerPoint PPT Presentation

Text of VEX: Vetting browser extensions for security vulnerabilities

PowerPoint

VEX: Vetting browser extensions for security vulnerabilitiesXiang PanROADMAPBackgroundThreat ModelStatic Information Flow AnalysisEvaluationRelated WorksExtensionsExtensions Vs. PluginsPlugins are complicated, loadable modules. Flash and Java are two examplesExtensions are written mostly in JavaScript. They act as part of the browser and they have wider access privileges than JS-in-a-webpage

150 million extensions are in use

Browser extensions are remarkably popular, with one inthree Firefox users running at least one extension, well-intentioned, extension developers are often not securityexperts and write buggy code that can be exploited by ma-licious web site operators.

Browser extensions expand the functionality of browsers by interacting with browser-level events and dataEasy to write

3Extensions architecture in firefox

Extension can access local files, networks and all web pagesPage privileges are more restrictive than chrome privileges. A page loaded from site x cant access content from sites other than x4Extensions are not secureDevelopers:Many developers write extensions because of hobbiesLikely to write vulnerable extensions Dont have time or interests to update their extensionsReviewers:Not possible to understand all the extensionsDont need to have great knowledge about extensions or securityFollow guidelines for what is not acceptable:The guidelines focus on finding malicious extensionsVulnerable extensions can quiet easily slip through.

ExamplesReal Extension Vulnerabilities by Roberto Suggi Liverani and Nick Freeman http://www.securitytube.net/video/3492

Skype(