
Author: 詹人杰 (Chan, Jen-Chieh)
Thesis title: Malicious Behavior Analysis Platform for Browser Extensions (Chinese title: 瀏覽器惡意擴充套件行為分析平台之研究)
Advisor: 賴溪松 (Laih, Chi-Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2010
Academic year of graduation: 98 (ROC calendar)
Language: English
Number of pages: 76
Chinese keywords: browser, malicious extension, behavior analysis platform
English keywords: Browser, Malicious Extension, Behavior Analysis Platform
  • With the diversified development of the Internet, a browser that offers only browsing functionality is no longer sufficient, so more and more browsers are designed with an architecture that supports "extensions", and users can add or modify browser capabilities by installing them. Extensions use the application programming interface (API) provided by the browser to access data on local web pages and to communicate with the outside world.
    Benign extensions modify or add browser functionality, so users can choose the extensions they need to improve the quality of their web services. Because extensions run with high privileges, a user who inadvertently installs a malicious extension may have the security and privacy of their computer compromised; for example, the user's private activities in the browser or sensitive files may be stolen.
    To address the security problem of malicious extensions, this thesis designs a Malicious Behavior Analysis Platform for Browser Extensions (MBAPBE) architecture that assists users: before installing an untrusted extension, the user may choose to submit it to the analysis platform, which produces a "behavior analysis report"; based on the report's recommendation, the user decides whether to install the extension, thereby reducing exposure to malicious extensions. The platform uses (1) a monitoring module and (2) an analysis module to determine whether the extension is malicious. To validate the platform's correctness, we analyzed the top 100 downloaded benign extensions from the Firefox add-ons site (Addons.Mozilla.Org, AMO) and six malicious extensions. The contributions of this thesis are to define the behavior of malicious extensions and to propose a feasible solution that protects users from the effects of malicious extensions.

    With the Web’s rapid pace of change, default browser functionality is no longer enough, and more and more browsers are designed to support “extensions”. Users can extend browser capabilities by installing extensions to their browser. Extensions use the browser API (Application Programming Interface) to access the content of the web page and communicate with remote servers. Benign extensions improve the user browsing experience. However, installing malicious extensions may cause sensitive information to be revealed.
    In this thesis, a Malicious Behavior Analysis Platform for Browser Extensions (MBAPBE) is designed and implemented to help users verify whether extensions are benign or malicious. The user submits an untrusted extension to MBAPBE, and an analysis report is generated for the user. Based on this report, the user can make an informed decision about installing the extension, and consequently reduce the chance of installing a malicious one. We provide (1) a monitoring module and (2) an analysis module to determine whether an extension is malicious or not. To verify the accuracy of MBAPBE, we analyzed the top 100 benign Firefox extensions from AMO (Addons.Mozilla.Org) and 6 malicious extensions. The contribution of this thesis is to define the malicious behavior of extensions and to provide a feasible solution that protects users from installing malicious extensions.

    List of Tables VII
    List of Figures VIII
    Chapter 1 Introduction 1
    1.1 Motivation 3
    1.2 Contribution 4
    1.3 Thesis Organization 5
    Chapter 2 Background Knowledge 7
    2.1 Web Browser 7
    2.1.1 Web Browser Introduction 7
    2.1.2 Usage Share of Web Browsers 10
    2.2 Web Browser Addons 11
    2.2.1 Addons 11
    2.2.2 Browser Addon 12
    2.3 JavaScript-based Browser Extensions 14
    2.3.1 Extension Introduction 14
    2.3.2 Extensions vs. Plugins 15
    2.3.3 Characteristic of Extension 15
    2.3.4 Related Technologies of Extension 17
    2.4 Malicious Extension 19
    2.4.1 Malicious Extension Introduction 19
    2.4.2 Official & Non-official Source 20
    2.4.3 Characteristic of Malicious Extension 23
    2.4.3.1 High Privilege 24
    2.4.3.2 High Hiding 24
    2.4.3.3 High Availability 25
    Chapter 3 Related Work 27
    3.1 Extension Security Issues 27
    3.1.1 User-Signed Extension 27
    3.1.2 Extension Sandboxing 28
    3.1.3 Extension Policy 30
    3.2 Malware Analysis Platform 31
    3.2.1 Traditional Malware Analysis Platform 31
    3.2.2 Malicious JavaScript Analysis Platform 31
    3.2.3 Malicious Extension Analysis Platform 33
    3.3 Analysis for Malicious Extension Techniques 33
    3.3.1 Static Analysis 33
    3.3.2 Dynamic Analysis 35
    Chapter 4 Approach 37
    4.1 System Overview 37
    4.1.1 Framework 37
    4.1.2 System Architecture 38
    4.2 Behavioral Cross-Comparison 39
    4.3 Malicious Action Profile 40
    4.3.1 Threat Model 40
    4.3.2 Malicious Action Profiles 43
    Chapter 5 System Implementation 47
    5.1 Pre-Analysis 47
    5.2 Monitor and Analysis 50
    5.2.1 Monitor Module 51
    5.2.2 Analysis Module 54
    5.3 Reporting and User Interface 57
    Chapter 6 Experiments 63
    6.1 Scenario and Experimental Environment 63
    6.2 Experimental Results 65
    6.2.1 Benign Extensions 66
    6.2.2 Malicious Extensions 68
    6.3 Discussion 69
    Chapter 7 Conclusion and Future Work 71
    References 72


    Off-campus access: not public
    Neither the electronic nor the print version of the thesis has been authorized for public release.