Analyzing Information Flow in JavaScript-Based Browser Extensions

12 years 8 months ago
Analyzing Information Flow in JavaScript-Based Browser Extensions
JavaScript-based browser extensions (JSEs) enhance the core functionality of web browsers by improving their look and feel, and are widely available for commodity browsers. To enable a rich set of functionalities, browsers typically execute JSEs with elevated privileges. For example, unlike JavaScript code in a web application, code in a JSE is not constrained by the same-origin policy. Malicious JSEs can misuse these privileges to compromise confidentiality and integrity, e.g., by stealing sensitive information, such as cookies and saved passwords, or executing arbitrary code on the host system. Even if a JSE is not overtly malicious, vulnerabilities in the JSE and the browser may allow a remote attacker to compromise browser security. We present Sabre (Security Architecture for Browser Extensions), a system that uses in-browser informationflow tracking to analyze JSEs. Sabre associates a label with each in-memory JavaScript object in the browser, which determines whether the objec...
Mohan Dhawan, Vinod Ganapathy
Added 18 May 2010
Updated 18 May 2010
Type Conference
Year 2009
Authors Mohan Dhawan, Vinod Ganapathy
Comments (0)