DOI: 10.5555/2671225.2671266

Hulk: eliciting malicious behavior in browser extensions

Published: 20 August 2014

Abstract

We present Hulk, a dynamic analysis system that detects malicious behavior in browser extensions by monitoring their execution and corresponding network activity. Hulk elicits malicious behavior in extensions in two ways. First, Hulk leverages HoneyPages, which are dynamic pages that adapt to an extension's expectations in web page structure and content. Second, Hulk employs a fuzzer to drive the numerous event handlers that modern extensions heavily rely upon. We analyzed 48K extensions from the Chrome Web store, driving each with over 1M URLs. We identify a number of malicious extensions, including one with 5.5 million affected users, stressing the risks that extensions pose for today's web security ecosystem, and the need to further strengthen browser security to protect user data and privacy.


Published In

SEC'14: Proceedings of the 23rd USENIX conference on Security Symposium
August 2014
1067 pages
ISBN: 9781931971157
Program Chair: Kevin Fu

Sponsors

  • Akamai
  • Google Inc.
  • IBM Research
  • NSF
  • Microsoft Research
  • USENIX Assoc

Publisher

USENIX Association
United States
