Title: Securing Script-based Extensibility in Web Browsers
Authors: Djeric, Vladan
Advisor: Goel, Ashvin
Department: Electrical and Computer Engineering
Keywords: web browser; browser extensions; privilege escalation
Issue Date: 15-Jan-2010
Abstract: Web browsers are increasingly designed to be extensible to keep up with the Web's rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from untrusted web pages. Unfortunately, this powerful combination creates the threat of privilege escalation attacks that grant web page scripts the full privileges of script extensions and control over the entire browser process. This thesis describes the pitfalls of script-based extensibility based on our study of the Firefox Web browser, and is the first to offer a classification of script-based privilege escalation vulnerabilities. We propose a taint-based system to track the spread of untrusted data in the browser and to detect the characteristic signatures of privilege escalation attacks. We show that this approach is effective by testing our system against exploits in the Firefox bug database and finding that it detects the vast majority of attacks with no false alarms.
URI: http://hdl.handle.net/1807/18281
Appears in Collections: Master; The Edward S. Rogers Sr. Department of Electrical & Computer Engineering - Master theses

Files in This Item:

File: Djeric_Vladan_200911_MASc_thesis.pdf
Description: (none)
Size: 217.56 kB
Format: Adobe PDF

Items in T-Space are protected by copyright, with all rights reserved, unless otherwise indicated.