nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

JTaint: Finding Privacy-Leakage in Chrome Extensions

verfasst von : Mengfei Xie, Jianming Fu, Jia He, Chenke Luo, Guojun Peng

Erschienen in: Information Security and Privacy

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Extensions are used by many Chrome browser users to enhance browser functions and users’ online experience. These extensions run with special permissions, they can read and modify the element of DOM (Document Object Model) in users’ web pages. But, excessive permissions and operation behaviors have brought users heavy risks such as the privacy leakage caused by extensions. Dynamic taint analysis techniques are often exploited to discover the privacy leakage, it monitors code execution by modifying the JavaScript interpreter or rewriting the JavaScript source code. However, interpreter-level taint technique needs to overcome the complexity of the interpreter, and there are also many difficulties in designing taint propagation rules for bytecode. And source-level taint technique is undertainted like Jalangi2, which will trigger some exceptions in practice.

To this end, we design JalangiEX based on Jalangi2. JalangiEX fixes problems in Jalangi2 and strips its redundant codes. Besides, JalangiEX also monitors two types of initialization actions and provides taint propagation support for message passing between different pages, which further solves the undertaint problem of Jalangi2. Moreover we implement JTaint, a dynamic taint analysis system that uses JalangiEX to rewrite the extension and monitors the process of taint propagation to discover potential privacy leaks in Chrome extensions. Finally, we use JTaint to analyze 20,000 extensions from Chrome Web Store and observe the data flow of extensions on a special honey page. Fifty-seven malicious extensions are recognized to leak sensitive-privacy information and are still active in the Chrome Web Store.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Design and Evaluation of Enumeration Attacks on Package Tracking Systems

Nächstes Kapitel Unlinkable Updatable Databases and Oblivious Transfer with Access Control

Nur mit Berechtigung zugänglich

Malicious Chrome Extensions Enable Criminals to Impact Half a Million Users and Global Businesses. https://atr-blog.gigamon.com/2018/01/18/malicious-chrome-extensions-enable-criminals-to-impact-half-a-million-users-and-global-businesses. Accessed 20 Feb 2020

DataSpii: The catastrophic data leak via browser extensions. https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/

Aravind, V., Sethumadhavan, M.: A framework for analysing the security of chrome extensions. Adv. Comput. Netw. Inf. 2, 267–272 (2014)

Akshay Dev, P.K., Jevitha, K.P.: STRIDE based analysis of the chrome browser extensions API. In: Satapathy, S.C., Bhateja, V., Udgata, S.K., Pattnaik, P.K. (eds.) Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications. AISC, vol. 516, pp. 169–178. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-3156-4_17CrossRef

Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: 2011 IEEE Symposium on Security and Privacy, pp. 115–130. IEEE (2011)

Calzavara, S., Bugliesi, M., Crafa, S., Steffinlongo, E.: Fine-grained detection of privilege escalation attacks on browser extensions. In: Vitek, J. (ed.) ESOP 2015. LNCS, vol. 9032, pp. 510–534. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46669-8_21CrossRef

Starov, O., Laperdrix, P., Kapravelos, A., Nikiforakis, N.: Unnecessarily identifiable: quantifying the fingerprintability of browser extensions due to bloat. In: The World Wide Web Conference, pp. 3244–3250 (2019)

Starov, O., Nikiforakis, N.: Extended tracking powers: measuring the privacy diffusion enabled by browser extensions. In: Proceedings of the 26th International Conference on World Wide Web, pp. 1481–1490. ACM (2017)

Weissbacher, M., Mariconti, E., Suarez-Tangil, G., Stringhini, G., Robertson, W., Kirda, E.: Ex-ray: detection of history-leaking browser extensions. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 590–602. ACM, New York (2017)

10.

Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 641–654. USENIX Association, USA (2014)

11.

Jagpal, N., et al.: Trends and lessons from three years fighting malicious extensions. In: 24th USENIX Security Symposium (USENIX Security 2015), pp. 579–593. USENIX Association, USA (2015)

12.

Zhao, Y., et al.: Large-scale detection of privacy leaks for BAT browsers extensions in China. In: 2019 International Symposium on Theoretical Aspects of Software Engineering (TASE), pp. 57–64. IEEE (2019)

13.

Aggarwal, A., Viswanath, B., Zhang, L., Kumar, S., Shah, A., Kumaraguru, P.: I spy with my little eye: analysis and detection of spying browser extensions. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 47–61. IEEE (2018)

14.

Dhawan, M., Ganapathy, V.: Analyzing information flow in JavaScript-based browser extensions. In: 2009 Annual Computer Security Applications Conference, pp. 382–391. IEEE (2009)

15.

Bauer, L., Cai, S., Jia, L., Passaro, T., Stroucken, M., Tian, Y.: Run-time monitoring and formal analysis of information flows in chromium. In: NDSS, February 2015

16.

Chen, Q., Kapravelos, A.: Mystique: uncovering information leakage from browser extensions. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1687–1700. ACM (2018)

17.

Chang, W., Chen, S.: ExtensionGuard: towards runtime browser extension information leakage detection. In: 2016 IEEE Conference on Communications and Network Security (CNS), pp. 154–162. IEEE (2016)

18.

Chang, W., Chen, S.: Defeat information leakage from browser extensions via data obfuscation. In: Qing, S., Zhou, J., Liu, D. (eds.) ICICS 2013. LNCS, vol. 8233, pp. 33–48. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02726-5_3CrossRef

19.

Sen, K., Kalasapur, S., Brutch, T., Gibbs, S.: Jalangi: a selective record-replay and dynamic analysis framework for JavaScript. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 488–498 (2013)

20.

Extension Overview. https://developer.chrome.com/extensions/overview. Accessed 20 Feb 2020

21.

Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: threat analysis and countermeasures. In: NDSS (2012)

22.

Somé, D.F.: EmPoWeb: empowering web applications with browser extensions. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 227–245. IEEE, May 2019

23.

Fake Ad Blockers. https://adguard.com/en/blog/fake-ad-blockers-part-2.html

24.

Message Passing. https://developer.chrome.com/extensions/messaging. Accessed 20 Feb 2020

25.

Chrome.storage. https://developer.chrome.com/apps/storage. Accessed 20 Feb 2020

26.

Plagiarism Notice. https://github.com/dmtspoint/OpenGG/blob/master/Hall-of-shame.md. Accessed 20 Feb 2020

Titel: JTaint: Finding Privacy-Leakage in Chrome Extensions
verfasst von: Mengfei Xie
Jianming Fu
Jia He
Chenke Luo
Guojun Peng
Verlag: Springer International Publishing
Buch: Information Security and Privacy
Print ISBN: 978-3-030-55303-6

Electronic ISBN: 978-3-030-55304-3

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-55304-3_29

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner