Bilkent University
Department of Computer Engineering


Securing Firefox Extensions


Mustafa Battal
MSc Student
Computer Engineering Department
Bilkent University

A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at "benign-but-buggy" extensions, as well as extensions that have been written with malicious intent, pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged, making them attractive attack targets. Unfortunately, users currently do not have many options when it comes to protecting themselves from extensions that may potentially be malicious. Once installed and executed, the extension needs to be trusted. This paper introduces Sentinel, a policy enforcer for the Firefox browser that gives fine-grained control to the user over the actions of existing JavaScript Firefox extensions. The user is able to define policies (or use predefined ones) and block common attacks such as data exfiltration, remote code execution, saved password theft, and preference modification. Our evaluation of Sentinel shows that our prototype implementation can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on users' browsing experience.


DATE: 18 March, 2013, Monday @ 16:10