Analyzing information flow in javaScript-based browser extensions

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 382-391

  Dhawan, Mohan ^a   Ganapathy, Vinod ^a  

^a RUTGERS UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BROWSER SECURITY; CORE FUNCTIONALITY; FIREFOX; INFORMATION FLOWS; JAVASCRIPT; SAME-ORIGIN POLICY; SECURITY ARCHITECTURE; SENSITIVE INFORMATIONS; WEB APPLICATION;

COMPUTER APPLICATIONS; HIGH LEVEL LANGUAGES; LABELS; SECURITY OF DATA; WORLD WIDE WEB;

WEB BROWSERS;

EID: 77950799484     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.43     Document Type: Conference Paper

References (47)

1. AdSafe: Making JavaScript safe for advertising. http://www.adsafe.org.
2. FBJS: Facebook developers wiki. http://wiki.developers.facebook.com/ index.php/FBJS.
3. Firebug: Web development evolved. http://getfirebug.com.
4. Firefox Add-ons. http://addons.mozilla.org.
5. Greasespot: The weblog about Greasemonkey. http://www.greasespot.net.
6. Internet Explorer 8. http://www.microsoft.com/windows/internet-explorer.
7. Mozilla.org XPCOM. http://www.mozilla.org/projects/xpcom.
8. NoScript - JavaScript blocker for a safer Firefox experience. http://noscript.net.
9. Signed scripts in Mozilla: JavaScript privileges. http://www.mozilla.org/ projects/security/components/signed-scripts.html.
10. XML user interface language (XUL) project. http://www.mozilla.org/ projects/xul.
11. FormSpy: McAfee avert labs, July 2006. http://vil.nai.com/vil/content/v- 140256.htm.
12. Mozilla Firefox Firebug extension - Cross-zone scripting vulnerability, April 2007. http://www.xssed.org/advisory/33.
13. FFsniFF: FireFox sniFFer, June 2008. http://azurit.elbiahosting.sk/ ffsniff.
14. Firefox add-ons infecting users with trojans, May 2008. http://www.webmasterworld.com/firefox browser/3644576.htm.
15. Trojan.PWS.ChromeInject.B, Nov 2008. http://www.bitdefender.com/VIRUS- 1000451-en--Trojan.PWS.ChromeInject.B.html.
16. Netscape Navigator 3.0. Using data tainting for security. http://www.aisystech.com/resources/advtopic.htm.
17. T. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In ACM PLAS, June 2009.
18. P. Beaucamps and D. Reynaud. Malicious Firefox extensions. In Symp. Sur La Securite Des Technologies De L'Information Et Des Communications, June 2008.
19. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA, July 2008.
20. R. Chugh, J. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In PLDI, June 2009.
21. M. Dhawan and V. Ganapathy. Analyzing information flow in JavaScript-based browser extensions. Technical Report DCS-TR-648, Rutgers University, April 2009.
22. M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic spyware analysis. In USENIX Annual Technical, June 2007.
23. B. Eich. Better security for JavaScript, March 2009. Dagstuhl Seminar 09141: Web Application Security.
24. B. Eich. JavaScript security: Let's fix it, May 2009. Web 2.0 Security and Privacy Workshop.
25. U. Erlingsson, Y. Xie, and B. Livshits. End-to-end web application security. In HotOS, May 2007.
26. B. Yee et al.. Native client: A sandbox for portable, untrusted x86 native code. In IEEE S&P, May 2009.
27. C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In IEEE S&P, May 2008.
28. A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In WWW, April 2009.
29. O. Hallaraker and G. Vigna. Detecting malicious JavaScript code in Mozilla. In 10th IEEE Conf. on Engineering Complex Computer Systems, June 2005.
30. E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection. In USENIX Security, August 2006.
31. Z. Li, X. Wang, and J. Y. Choi. SpyShield: Preserving privacy from spy add-ons. In RAID, September 2007.
32. B. Livshits and S. Guarnieri. Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. Technical Report MSR-TR-2009-2016, Microsoft Research, 2009.
33. M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized JavaScript, June 2008.
34. P. H. Phung, D. Sands, and A. Chudnov. Lightweight self-protecting JavaScript. In ASIACCS, March 2009.
35. M. Pilgrim. Greasemonkey for secure data over insecure networks/sites, July 2005. http://mozdev.org/pipermail/greasemonkey/2005-July/003994.html.
36. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. Browsershield: Vulnerability-driven filtering of dynamic HTML. In ACM/USENIX OSDI, November 2006.
37. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger password authentication using browser extensions. In USENIX Security, August 2005.
38. J. Ruderman. The same-origin policy, August 2001. http://www.mozilla.org/ projects/security/components/same-origin.html.
39. Secunia Advisory SA24743/CVE-2007-1878/CVE-2007-11947 Mozilla Firefox Firebug extension two cross-context scripting vulnerabilities.
40. Secunia Advisory SA30284. FireFTP extension for Firefox directory traversal vulnerability.
41. M. Ter-Louw, J. S. Lim, and V. N. Venkatakrishnan. Enhancing web browser security against malware extensions. Journal of Computer Virology, 4(3), August 2008.
42. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS, February 2007.
43. D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. In ACM CCS, November 2002.
44. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. Technical Report MSR-TR-2009-2016, Microsoft Research, February 2009.
45. S. Willison. Understanding the Greasemonkey vulnerability, July 2005. http://simonwillison.net/2005/Jul/20/vulnerability.
46. A. Yip, N. Narula, M. Krohn, and R. Morris. Privacy-preserving browser-side scripting with bflow. In EuroSys, April 2009.
47. D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In ACM POPL, January 2007.