The Most Dangerous Code in the Browser

Tuesday, May 19, 2015 - 3:30pm-4:00pm
Authors: 

Stefan Heule and Devon Rifkin, Stanford University; Alejandro Russo, Chalmers University of Technology; Deian Stefan, Stanford University

Abstract: 

Browser extensions are ubiquitous. Yet, in today’s browsers, extensions are the most dangerous code to user privacy. Extensions are third-party code, like web applications, but run with elevated privileges. Even worse, existing browser extension systems give users a false sense of security by considering extensions to be more trustworthy than web applications. This is because the user typically has to explicitly grant the extension a series of permissions it requests, e.g., to access the current tab or a particular website. Unfortunately, extension developers do not request minimum privileges and users have become desensitized to install-time warnings. Furthermore, permissions offered by popular browsers are very broad and vague. For example, over 71% of the top-500 Chrome extensions can trivially leak the user’s data from any site. In this paper, we argue for a new extension system design, based on mandatory access control, that protects the user’s privacy from malicious extensions. A system employing this design can enable a range of common extensions to be considered safe, i.e., they do not require user permissions and can be ensured to not leak information, while allowing the user to share information when desired. Importantly, such a design can make permission requests a rarity and thus more meaningful.

BibTeX
@inproceedings {189926,
author = {Stefan Heule and Devon Rifkin and Alejandro Russo and Deian Stefan},
title = {The Most Dangerous Code in the Browser},
booktitle = {15th Workshop on Hot Topics in Operating Systems (HotOS XV)},
year = {2015},
address = {Kartause Ittingen, Switzerland},
url = {https://www.usenix.org/conference/hotos15/workshop-program/presentation/heule},
publisher = {USENIX Association},
month = may,
}