•   When: Wednesday, May 02, 2018 from 09:00 AM to 11:00 AM
•   Speakers: Wentao Chang
•   Location: ENGR 4201

Many browser extensions process sensitive information, such as bookmarks and browsing history that are available from the browser, and Social Security numbers and passwords that are shown on web pages. As a result, attackers are increasingly interested in exploiting this new attack platform to compromise browser security. The most common attacks from malicious extensions include accessing users' sensitive information and leaking it to unauthorized third parties. Some recent studies have discussed the possible attacks launched from malicious extensions, but few have proposed practical solutions to address the issue. This dissertation aims to protect data security and user privacy against malicious extensions that launch information dispersion or harvesting attacks.

Towards this end, we first examine the state-of-the-art browser extension security models and identify the security gaps we aim to mend. As a result, we successfully identify the sources of information leakage in the context of the Chrome browser. Next, we design and implement iObfus, an information leakage prevention system that defeats information dispersion attacks by statically applying data obfuscation techniques. With iObfus, sensitive information is classified and obfuscated statically. In this way, users' sensitive information is always protected even if information leakage occurs. Finally, we build ExtensionGuard, an optimized and customizable dynamic taint tracking approach to mitigate information leakage threats. Using static analysis to identify sensitive information and potential sources of leakage, ExtensionGuard can closely track the sensitive information processed by browser extensions and detect any information leakage events at runtime with a small performance overhead.

Posted 6 years ago