Towards Comprehensible and Effective Permission Systems

by Adrienne Porter Felt

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley

Committee in charge:
Professor David Wagner, Chair
Professor Vern Paxson
Professor Tapan Parikh

Fall 2012

Copyright © 2012 by Adrienne Porter Felt

Abstract

Doctor of Philosophy in Computer Science, University of California, Berkeley
Professor David Wagner, Chair

How can we, as platform designers, protect computer users from the threats associated with malicious, privacy-invasive, and vulnerable applications? Modern platforms have turned away from the traditional user-based permission model and begun adopting application permission systems in an attempt to shield users from these threats. This dissertation evaluates modern permission systems with the goal of improving the security of future platforms.

In platforms with application permission systems, applications are unprivileged by default and must request permissions in order to access sensitive API calls. Developers specify the permissions that their applications need, and users approve the granting of permissions. Permissions are intended to provide defense in depth, by restricting the scope of vulnerabilities, and user consent, by allowing users to control whether third parties have access to their resources.

In this dissertation we investigate whether permission systems are effective at providing defense in depth and user consent.
First, we perform two studies to evaluate whether permissions provide defense in depth: we analyze applications to determine whether developers request minimal sets of permissions, and we quantify the impact of permissions on real-world vulnerabilities. Next, we evaluate whether permissions obtain the user’s informed consent by surveying and interviewing users. We use the Android application and Google Chrome extension platforms for our studies; at present, they are popular platforms with extensive permission systems.

Our goal is to inform the design of future platforms with our findings. We argue that permissions are a valuable addition to a platform, and our study results support continued work on permission systems. However, current permission warnings fail to inform the majority of users about the risks of applications. We propose a set of guidelines to aid in the design of more user-friendly permissions, based on our user research and relevant literature.

Contents

Acknowledgements
1 Introduction
2 An Overview of Approaches to Permissions
  2.1 Permissions For Malicious Users
  2.2 Permissions For Adversarial Applications
  2.3 Usable Permissions
3 Case Studies’ Backgrounds
  3.1 Android Applications
  3.2 Chrome Extensions
4 Developers’ Permission Request Patterns
  4.1 Introduction
  4.2 Permission Request Rates
  4.3 Overprivilege in Android Applications
  4.4 Overprivilege in Chrome Extensions
  4.5 Other Overprivilege Considerations
  4.6 Conclusion
  4.7 Acknowledgements
5 The Effect of Permissions on Chrome Extension Vulnerabilities
  5.1 Introduction
  5.2 Threat Model
  5.3 Extension Security Review
  5.4 Evaluation of the Permission System
  5.5 Evaluation of Isolated Worlds
  5.6 Evaluation of Privilege Separation
  5.7 Defenses
  5.8 Related Work
  5.9 Conclusion
  5.10 Acknowledgements
6 Android Permissions: User Attention, Comprehension, and Behavior
  6.1 Introduction
  6.2 Methodology
  6.3 Attention During Installation
  6.4 Comprehension of Permissions
  6.5 Influence on User Behavior
  6.6 Implications
  6.7 Conclusion
  6.8 Acknowledgments
7 A Survey of Smartphone Users’ Concerns
  7.1 Introduction
  7.2 Ratings
  7.3 Open-Ended Survey
  7.4 Reasons for Uninstallation
  7.5 Limitations
  7.6 Discussion
  7.7 Conclusion
  7.8 Acknowledgments
8 How To Ask For Permission
  8.1 Introduction
  8.2 Guiding Principles
  8.3 Permission-Granting Mechanisms
  8.4 Expert Review
  8.5 Applying Our Guidelines
  8.6 Future Work
  8.7 Acknowledgements
9 Conclusion
A Lists of Applications
  A.1 Extension Overprivilege
  A.2 Extension Vulnerabilities
B Full Results Of User Concern Survey
C Categorized Permissions
D Research Ethics and Safety
Bibliography

Acknowledgements

This thesis would not have been possible without my family, friends, and colleagues. I would like to express my thanks to everyone who has provided me with support.

I owe my deepest gratitude to my family. My family has always encouraged me to be curious, tenacious, and ambitious. I attribute my career in computing to my upbringing; at present, women are underrepresented in the field of Computer Science, but the lessons I learned at home taught me not to be intimidated by the gender imbalance. My father brought me to his software company’s office, my grandfather patiently answered all of my grade school “interview” questions about his career, and my mother never accepted my excuses for not completing my math homework. I was always told that I could accomplish anything. I am grateful to my husband Mark, who always provided me with his patience and support. Without him, I surely would have starved while working on paper deadlines.

I would like to thank my graduate advisor, Professor David Wagner. His keen advice taught me how to formulate problems and identify feasible research directions. Too often, academia is harsh and hypercritical; David taught me how to temper criticism with kindness and a genuine desire to help. I also would like to thank my undergraduate advisor, Professor David Evans, who introduced me to research and encouraged me to consider graduate school. I would not have applied to graduate school without his assurance that I was capable of completing a Ph.D. Professors Vern Paxson, Coye Cheshire, and Tapan Parikh provided valuable feedback on my work that helped shape my research. Their comments contributed greatly to the way I thought about the problems discussed within this dissertation. I am also indebted to Adam Barth, who served as my unofficial mentor during my first year of graduate school. He taught me how to write a research paper.

Chapter 1

Introduction

Most modern platforms support large, thriving third-party application marketplaces. Users can select from an unprecedented number of applications to supplement their experiences with their smartphones, computers, web browsers, and social networking sites. For example, as of 2012, Google Play lists over 500,000 Android applications, the Facebook platform supports more than nine million applications, and the Apple App Store includes more than 600,000 iOS applications [106, 53]. These applications offer a diverse set of features from a diverse set of developers.

Unfortunately, third-party applications create risks for the user. Many otherwise legitimate applications aggressively collect personal information about their users (e.g., for marketing campaigns) in ways that make users uncomfortable [144]. Malicious applications use social engineering tactics to convince users to install them [64, 159, 48, 134]. Applications can also put users at risk of external (e.g., network-based) attacks by containing vulnerabilities; the authors of third-party applications usually are not security experts [104, 154]. How can platform designers help users avoid these threats while still supporting a broad range of colorful applications?

Traditional user-based security mechanisms were designed to protect users from each other on time-shared computers, in an era when most applications were downloaded from trusted sources or written by users themselves. Consequently, traditional operating systems assign the user’s full privileges to all applications. However, this threat model is no longer appropriate now that users cannot fully trust their applications. Modern platforms are consequently transitioning to a new security model in which each application has a different set of permissions based on its requirements. These permissions control applications’ access to security- and privacy-relevant system resources, so that users can decide whether to give individual applications access to these sensitive resources. This new style of permission system can be found in contemporary smartphone operating systems (e.g., Android and Windows Phone 7), new desktop operating systems (e.g., Windows 8 Metro), social networking platforms (e.g., Facebook and Twitter), and browsers (e.g., the Google Chrome extension platform and new HTML5 features). In some of these platforms, users are prompted to approve permissions as needed by applications at runtime. In others, developers are asked to declare their applications’ permission requirements up-front so that users can grant permissions at install-time. Regardless of when the permission request occurs, users are asked to make security decisions on a per-application basis, and developers need to design their applications to work within the constraints of the permission systems.
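
The install-time model described above, in which the developer declares a permission set up front and the user approves it, is what makes the defense-in-depth claim testable: every permission an application declares but never exercises widens what an attacker who compromises that application can reach, so the declared set can be audited against the set the code actually needs. The following Python script is an added illustration of such an audit and is not code from the dissertation; its API-to-permission map, sample manifest, and list of observed API calls are constructed toy data, and the package name com.example.weather is made up.

```python
"""Declared-versus-needed permission audit for an Android-style manifest.

Added example for this page; it is not code from the dissertation and does
not reproduce its analysis tooling.  It compares the permissions an
application declares in its manifest with the permissions its API calls
actually require, and reports both overprivilege (declared but never
needed) and underprivilege (needed but not declared).  The API-to-permission
map is a constructed toy subset used for illustration, not an authoritative
Android mapping.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
ET.register_namespace("android", ANDROID_NS)

# Constructed toy subset: fully qualified API call -> permission it requires.
API_PERMISSION_MAP = {
    "java.net.HttpURLConnection.connect": "android.permission.INTERNET",
    "android.location.LocationManager.requestLocationUpdates":
        "android.permission.ACCESS_FINE_LOCATION",
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "android.telephony.TelephonyManager.getDeviceId":
        "android.permission.READ_PHONE_STATE",
}

# Constructed manifest for a hypothetical weather app; the package name is made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""

# Constructed list of API calls that a scan of the app's code would report.
SAMPLE_API_CALLS = [
    "java.net.HttpURLConnection.connect",
    "android.location.LocationManager.requestLocationUpdates",
    "android.hardware.Camera.open",           # needs CAMERA, which is not declared
    "com.example.weather.Forecast.render",    # app-internal call, not in the map
]


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def required_permissions(api_calls, api_map=API_PERMISSION_MAP):
    """Map observed API calls to the permissions they require.

    Returns (needed, unmapped).  Calls missing from the map are reported
    rather than dropped: a gap in the map would otherwise be misread as
    overprivilege.
    """
    needed, unmapped = set(), []
    for call in api_calls:
        perm = api_map.get(call)
        if perm is None:
            unmapped.append(call)
        else:
            needed.add(perm)
    return needed, unmapped


def audit(manifest_xml, api_calls, api_map=API_PERMISSION_MAP):
    """Compare the declared and needed permission sets."""
    declared = declared_permissions(manifest_xml)
    needed, unmapped = required_permissions(api_calls, api_map)
    return {
        "declared": declared,
        "needed": needed,
        "overprivileged": declared - needed,  # reachable after a compromise, no benefit to the app
        "undeclared": needed - declared,      # the guarded call fails with a SecurityException
        "unmapped_calls": unmapped,
    }


def minimal_manifest(manifest_xml, api_calls, api_map=API_PERMISSION_MAP):
    """Rewrite the manifest so it declares exactly the needed permissions."""
    root = ET.fromstring(manifest_xml)
    needed, _ = required_permissions(api_calls, api_map)
    for el in list(root.findall("uses-permission")):
        if el.get(NAME_ATTR) not in needed:
            root.remove(el)
    present = {el.get(NAME_ATTR) for el in root.findall("uses-permission")}
    for perm in sorted(needed - present):
        ET.SubElement(root, "uses-permission", {NAME_ATTR: perm})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_API_CALLS)
    for key, value in report.items():
        print("%-15s %s" % (key, sorted(value)))
    print(minimal_manifest(SAMPLE_MANIFEST, SAMPLE_API_CALLS))
```

Running the script prints the declared, needed, overprivileged and undeclared sets and a trimmed manifest. In practice the hard parts are the two inputs the toy data stands in for: an accurate map from platform API calls to the permissions that guard them, and a way to recover the calls an application actually makes (for example from its bytecode). An incomplete map shows up as spurious overprivilege, which is why the script reports unmapped calls separately instead of silently treating them as needing nothing.
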
This dissertation evaluates whether modern permission systems have a positive effect on end user security, with the goal of guiding the design of security mechanisms in future