Hulk: Eliciting Malicious Behavior in Browser Extensions

Alexandros Kapravelos; Chris Grier; Neha Chachra; Christopher Kruegel; Giovanni Vigna; Vern Paxson

Friday, July 25, 2014 - 5:30pm

Authors:

Alexandros Kapravelos, University of California, Santa Barbara; Chris Grier, University of California, Berkeley, and International Computer Science Institute; Neha Chachra, University of California, San Diego; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara; Vern Paxson, University of California, Berkeley, and International Computer Science Institute

Abstract:

We present Hulk, a dynamic analysis system that detects malicious behavior in browser extensions by monitoring their execution and corresponding network activity. Hulk elicits malicious behavior in extensions in two ways. First, Hulk leverages HoneyPages, which are dynamic pages that adapt to an extension’s expectations in web page structure and content. Second, Hulk employs a fuzzer to drive the numerous event handlers that modern extensions heavily rely upon. We analyzed 48K extensions from the Chrome Web store, driving each with over 1M URLs. We identify a number of malicious extensions, including one with 5.5 million affected users, stressing the risks that extensions pose for today’s web security ecosystem, and the need to further strengthen browser security to protect user data and privacy.

Alexandros Kapravelos, University of California, Santa Barbara

Chris Grier, University of California, Berkeley, and International Computer Science Institute

Neha Chachra, University of California, San Diego

Christopher Kruegel, University of California, Santa Barbara

Giovanni Vigna, University of California, Santa Barbara

Vern Paxson, University of California, Berkeley, and International Computer Science Institute

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX

@inproceedings {184485,
author = {Alexandros Kapravelos and Chris Grier and Neha Chachra and Christopher Kruegel and Giovanni Vigna and Vern Paxson},
title = {Hulk: Eliciting Malicious Behavior in Browser Extensions},
booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {641--654},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kapravelos},
publisher = {USENIX Association},
month = aug,
}

Download

Kapravelos PDF

View the slides