Publication Details

Title: Hulk: Eliciting Malicious Behavior in Browser Extensions
Author: A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna and V. Paxson
Bibliographic Information: Proceedings of the 23rd USENIX Security Symposium, San Diego, California
Date: August 2014
Research Area: Networking and Security
Type: Article in conference proceedings
PDF: [Not available online]

Overview:
We present Hulk, a dynamic analysis system that detects malicious behavior in browser extensions by monitoring their execution and corresponding network activity. Hulk elicits malicious behavior in extensions in two ways. First, Hulk leverages HoneyPages , which are dynamic pages that adapt to an extension’s expectations in web page structure and content. Second, Hulk employs a fuzzer to drive the numerous event handlers that modern extensions heavily rely upon. We analyzed 48K extensions from the Chrome Web store, driving each with over 1M URLs. We identify a number of malicious extensions, including one with 5.5 million affected users, stressing the risks that extensions pose for today’s web security ecosystem, and the need to further strengthen browser security to protect user data and privacy.

Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS : 0831535 (“Comprehensive Application Analysis and Control”) and CNS : 1237265 (``Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"). Additional funding was provided by by the Office of Naval Research (ONR) under grant N000140911042, the Army Research Office (ARO) under grant W911NF0910553, by Secure Business Austria, and by generous gifts from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the sponsors.

Bibliographic Reference:
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna and V. Paxson. Hulk: Eliciting Malicious Behavior in Browser Extensions. Proceedings of the 23rd USENIX Security Symposium, San Diego, California, August 2014