Techniques and tools for secure web browser extension development

Descriptive

TitleInfo
Title
Techniques and tools for secure web browser extension development
Name (type = personal)
NamePart (type = family)
Karim
NamePart (type = given)
Rezwana
NamePart (type = date)
1984-
DisplayForm
Rezwana Karim
Role
RoleTerm (authority = RULIB)
author
Name (type = personal)
NamePart (type = family)
Ganapathy
NamePart (type = given)
Vinod
DisplayForm
Vinod Ganapathy
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
chair
Name (type = personal)
NamePart (type = family)
Kremer
NamePart (type = given)
Ulrich
DisplayForm
Ulrich Kremer
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
internal member
Name (type = personal)
NamePart (type = family)
Nagarakatte
NamePart (type = given)
Santosh
DisplayForm
Santosh Nagarakatte
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
internal member
Name (type = personal)
NamePart (type = family)
Lu
NamePart (type = given)
Long
DisplayForm
Long Lu
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
outside member
Name (type = corporate)
NamePart
Rutgers University
Role
RoleTerm (authority = RULIB)
degree grantor
Name (type = corporate)
NamePart
Graduate School - New Brunswick
Role
RoleTerm (authority = RULIB)
school
TypeOfResource
Text
Genre (authority = marcgt)
theses
OriginInfo
DateCreated (encoding = w3cdtf); (qualifier = exact)
2015
DateOther (qualifier = exact); (type = degree)
2015-10
CopyrightDate (encoding = w3cdtf); (qualifier = exact)
2015
Place
PlaceTerm (type = code)
xx
Language
LanguageTerm (authority = ISO639-2b); (type = code)
eng
Abstract (type = abstract)
Many modern application platforms support an extensible architecture that allows the application core to be extended with functionality developed by third parties. This bootstraps a developer community that works together to enhance and customize the basic functionality of those platforms. To ease development of such extensions, these platforms expose an API that third parties can use to implement their functionality. For instance, Web applications make use of the browser’s Document Object Model (DOM) API, smartphone applications use the mobile platform’s SDK, and browser extensions use the extension API. These APIs usually endow extension developers with privileges to access various system resources. However, to isolate the platform from any new security threats caused by these untrusted extensions, the API must ideally restrict extensions’ authority. Thus, an important challenge is to simplify extension programming for third-party developers while ensuring that these extensions do not compromise the security of the application core. This dissertation seeks to address the above issues in the context of Web browser extensions. It presents algorithms and tools to facilitate secure Web browser extension development. In particular, it makes the following two contributions. First, it studies and characterizes the security of a modern Web browser extension architecture, the Mozilla Jetpack framework, and proposes solutions to improve the security of the architecture and of extensions developed on top of it. It presents Beacon, which leverages a JavaScript-level information flow technique to detect unsafe programming practices in browser extensions. Upon analyzing 68000 lines of JavaScript code from a modern extension framework and real-world extensions, Beacon found 36 instances of potentially unsafe programming practices. Second, it addresses the problem of porting unsafe legacy extensions to modern, privilege-separated extension architectures. It presents Morpheus, which applies program analysis and software engineering techniques that refactor legacy vulnerable extensions for use with modern extension frameworks, the Jetpack framework in particular. Morpheus also enables fine-grained control over extensions via a runtime policy enforcement engine. Morpheus has been applied to successfully port 52 legacy Mozilla extensions to the Jetpack framework.
Subject (authority = RUETD)
Topic
Computer Science
Subject (authority = ETD-LCSH)
Topic
Computer security
Subject (authority = ETD-LCSH)
Topic
Browsers (Computer programs)
RelatedItem (type = host)
TitleInfo
Title
Rutgers University Electronic Theses and Dissertations
Identifier (type = RULIB)
ETD
Identifier
ETD_6750
PhysicalDescription
Form (authority = gmd)
electronic resource
InternetMediaType
application/pdf
InternetMediaType
text/xml
Extent
1 online resource (xi, 100 p. : ill.)
Note (type = degree)
Ph.D.
Note (type = bibliography)
Includes bibliographical references
Note (type = statement of responsibility)
by Rezwana Karim
RelatedItem (type = host)
TitleInfo
Title
Graduate School - New Brunswick Electronic Theses and Dissertations
Identifier (type = local)
rucore19991600001
Location
PhysicalLocation (authority = marcorg); (displayLabel = Rutgers, The State University of New Jersey)
NjNbRU
Identifier (type = doi)
doi:10.7282/T3000433
Genre (authority = ExL-Esploro)
ETD doctoral

Rights

RightsDeclaration (ID = rulibRdec0006)
The author owns the copyright to this work.
RightsHolder (type = personal)
Name
FamilyName
Karim
GivenName
Rezwana
Role
Copyright Holder
RightsEvent
Type
Permission or license
DateTime (encoding = w3cdtf); (qualifier = exact); (point = start)
2015-09-21 17:39:59
AssociatedEntity
Name
Rezwana Karim
Role
Copyright holder
Affiliation
Rutgers University. Graduate School - New Brunswick
AssociatedObject
Type
License
Name
Author Agreement License
Detail
I hereby grant to the Rutgers University Libraries and to my school the non-exclusive right to archive, reproduce and distribute my thesis or dissertation, in whole or in part, and/or my abstract, in whole or in part, in and from an electronic format, subject to the release date subsequently stipulated in this submittal form and approved by my school. I represent and stipulate that the thesis or dissertation and its abstract are my original work, that they do not infringe or violate any rights of others, and that I make these grants as the sole owner of the rights to my thesis or dissertation and its abstract. I represent that I have obtained written permissions, when necessary, from the owner(s) of each third party copyrighted matter to be included in my thesis or dissertation and will supply copies of such upon request by my school. I acknowledge that RU ETD and my school will not distribute my thesis or dissertation or its abstract if, in their reasonable judgment, they believe all such rights have not been secured. I acknowledge that I retain ownership rights to the copyright of my work. I also retain the right to use all or part of this thesis or dissertation in future works, such as articles or books.
Copyright
Status
Copyright protected
Availability
Status
Open
Reason
Permission or license

Technical

RULTechMD (ID = TECHNICAL1)
ContentModel
ETD
OperatingSystem (VERSION = 5.1)
windows xp