Are chrome extensions compliant with the spirit of least privilege?-Reference-Cited by-同舟云学术

Are chrome extensions compliant with the spirit of least privilege?

Published:2022-09-04 Issue:6 Volume:21 Page:1283-1297
ISSN:1615-5262
Container-title:International Journal of Information Security
language:en
Short-container-title:Int. J. Inf. Secur.

Author:

Picazo-Sanchez Pablo^ORCID,Ortiz-Martin Lara,Schneider Gerardo,Sabelfeld Andrei

Abstract

AbstractExtensions are small applications installed by users and enrich the user experience of browsing the Internet. Browsers expose a set of restricted APIs to extensions. To be used, extensions need to list the permissions associated with these APIs in a mandatory extension file named manifest. In particular, Chrome’s permission ecosystem was designed in the spirit of the least privilege. Yet, this paper demonstrates that 39.8% of the analyzed extensions provided by the official Web Store are compliant with the spirit of least privilege. Also, we develop: (1) a browser extension to make aware regular users of the permissions the extensions they install; (2) a web app where extensions developers can check whether their extensions are compliant with the spirit of the least privileged; and (3) a set of scripts that can be part of the vendors’ acceptance criteria such that when developers upload their extensions to the official repositories, the scripts automatically analyze the extensions and generate a report about the permissions and the usage.

Funder

Swedish Foundation for Strategic Research

Swedish Research Council

Publisher

Springer Science and Business Media LLC

Subject

Computer Networks and Communications,Safety, Risk, Reliability and Quality,Information Systems,Software

Link

https://link.springer.com/content/pdf/10.1007/s10207-022-00610-w.pdf

Reference42 articles.

1. Aggarwal, A., Viswanath, B., Zhang, L., Kumar, S., Shah, A., Kumaraguru, P.: I spy with my little eye: analysis and detection of spying browser extensions. In: Euro S &P, pp. 47–61 (2018)

2. Ampatzoglou, A., Bibi, S., Avgeriou, P., Verbeek, M., Chatzigeorgiou, A.: Identifying, categorizing and mitigating threats to validity in software engineering secondary studies. Inf. Softw. Technol. 106, 201–230 (2019)

3. Arshad, S., Kharraz, A., Robertson, W.: Identifying extension-based ad injection via fine-grained web content provenance. In: RAID, pp. 415–436 (2016)

4. Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: VEX: vetting browser extensions for security vulnerabilities. In: USENIX, pp. 339–354 (2010)

5. Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: NDSS (2010)

Cited by 3 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Safeguard confidential web information from malicious browser extension using Encryption and Isolation techniques;Journal of Intelligent & Fuzzy Systems;2023-10-04

2. ‘We are adults and deserve control of our phones’: Examining the risks and opportunities of a right to repair for mobile apps;2023 ACM Conference on Fairness, Accountability, and Transparency;2023-06-12

3. From Manifest V2 to V3: A Study on the Discoverability of Chrome Extensions;Lecture Notes in Computer Science;2023