Home
Resource
Techniques and tools for secure web browser extension development
PDF
PDF format is widely accepted and good for printing.
Plug-in required
PDF-1(828.05 kb)
Citation & Export
View Usage Statistics
Staff View

Citation & Export
Hide

Simple citation

Karim, Rezwana. Techniques and tools for secure web browser extension development. Retrieved from https://doi.org/doi:10.7282/T3000433

Export

Click here for information about Citation Management Tools at Rutgers.

Statistics
Hide

Description

TitleTechniques and tools for secure web browser extension development
NameKarim, Rezwana (author); Ganapathy, Vinod (chair); Kremer, Ulrich (internal member); Nagarakatte, Santosh (internal member); Lu, Long (outside member); Rutgers University; Graduate School - New Brunswick
Date Created2015
Other Date2015-10 (degree)
SubjectComputer Science, Computer security, Browsers (Computer programs)
Extent1 online resource (xi, 100 p. : ill.)
DescriptionMany modern application platforms support an extensible architecture that allows the application core to be extended with functionality developed by third-parties. This bootstraps a developer community that works together to enhance and customize the basic functionality of those platforms. To ease development of such extensions, these platforms expose an API that third-parties can use to implement their functionality. For instance, Web applications make use of the browser’s Document Object Model (DOM) API, smart phone applications use the mobile platform’s SDK and browser extensions use the extension API. These APIs usually endow extension developers with privileges to access various system resources. However, to isolate the platform from any new security threats caused by these untrusted extensions, the API must ideally restrict extensions’ authority. Thus, an important challenge is to simplify extension programming for the third-party developers while ensuring that these extensions do not compromise the security of the application core. This dissertation seeks to address the above issues in the context of Web browser extensions. It presents algorithms and tools to facilitate secure Web browser extension development. In particular, it makes the following two contributions. First, it studies and characterizes the security of a modern Web browser extension architecture, the Mozilla Jetpack framework — proposes solutions to improve the security of the architecture and extensions developed on top of it. It presents Beacon, which leverages JavaScript-level information flow technique to detect unsafe programming practices in browser extensions. Upon analyzing 68000 lines of JavaScript code from modern extension framework and real world extensions, Beacon found 36 instances of potentially unsafe programming practices. Second, it addresses the problem of porting unsafe legacy extensions to modern, privilege- separated extension architectures. It presents Morpheus, which applies program analysis and software engineering techniques that refactor legacy vulnerable extensions for use with modern extension frameworks, the Jetpack framework in particular. Morpheus also enables fine-grained control over extensions via a runtime policy enforcement engine. Morpheus has been applied to successfully port 52 legacy Mozilla extensions to the Jetpack framework.
NotePh.D.
NoteIncludes bibliographical references
Noteby Rezwana Karim
Genretheses, ETD doctoral
Persistent URLhttps://doi.org/doi:10.7282/T3000433
Languageeng
CollectionGraduate School - New Brunswick Electronic Theses and Dissertations
Organization NameRutgers, The State University of New Jersey
RightsThe author owns the copyright to this work.
Version 8.5.5
Rutgers University Libraries - Copyright ©2024