T-Space at The University of Toronto Libraries >
School of Graduate Studies - Theses >
Please use this identifier to cite or link to this item:
|Title: ||Securing Script-based Extensibility in Web Browsers|
|Authors: ||Djeric, Vladan|
|Advisor: ||Goel, Ashvin|
|Department: ||Electrical and Computer Engineering|
|Keywords: ||web browser|
|Issue Date: ||15-Jan-2010|
|Abstract: ||Web browsers are increasingly designed to be extensible to keep up with the Web's rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from untrusted web pages. Unfortunately, this powerful combination creates the threat of privilege escalation attacks that grant web page scripts the full privileges of script extensions and control over the entire browser process.
This thesis describes the pitfalls of script-based extensibility based on our study of the Firefox Web browser, and is the first to offer a classification of script-based privilege escalation vulnerabilities. We propose a taint-based system to track the spread of untrusted data in the browser and to detect the characteristic signatures of privilege escalation attacks. We show that this approach is effective by testing our system against exploits in the Firefox bug database and finding that it detects the vast majority of attacks with no false alarms.|
|Appears in Collections:||Master|
The Edward S. Rogers Sr. Department of Electrical & Computer Engineering - Master theses
Items in T-Space are protected by copyright, with all rights reserved, unless otherwise indicated.