Towards Fine-Grained Access Control on Browser Extensions

  • Lei Wang
  • Ji Xiang
  • Jiwu Jing
  • Lingchen Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7232)


We propose a practical, fine-grained access control framework for browser extensions. It regulates the misbehavior of JavaScript-based extensions (JSEs) with malicious intent at run time by restricting their access to resources, preventing malicious JSEs from compromising users' security. A JSE's resource accesses constrain its behavior and are the basis of its functionality. Instead of conventional static access control rules, the framework formulates fine-grained access control policies dynamically while JSEs execute within Firefox, which makes it more flexible and practical in real-world use. We tested 100 popular JSEs on AMO to evaluate the compatibility of our framework and found that only two of them are incompatible, due to their sensitive behavior. To evaluate its ability to restrain the misbehavior of JSEs, we tested ten malicious ones, and the results show that all of them are blocked by our framework before they actually misbehave.


Keywords: framework, fine-grained access control, dynamic regulation, ordinal resource access





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Lei Wang (1)
  • Ji Xiang (1)
  • Jiwu Jing (1)
  • Lingchen Zhang (1)

  1. State Key Lab of Information Security, Graduate University of CAS, China
