Thesis record

Author (Chinese): 陳亭翰
Author (English): Chen, Ting-Han
Title (Chinese): 瀏覽器擴充功能靜態檢測系統
Title (English): A Static Analysis System on Browser Extensions
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 黃世昆, 許富皓
Committee members (English): Huang, Shih-Kun; Hsu, Fu-Hau
Degree: Master
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系)
Student ID: 106062533
Year of publication (ROC calendar): 108
Graduation academic year: 107
Language: English
Pages: 44
Keywords (Chinese): 瀏覽器擴充功能, 靜態分析, 網頁安全
Keywords (English): Browser Extensions, Static Analysis, Web Security
Statistics: recommendations 0, views 527, rating none, downloads 0, bookmarks 0
Abstract (translated from Chinese)

With the vigorous development of the Internet, most Internet users browse all kinds of websites through a browser. To make browsing more convenient and improve the user experience, browsers have one after another introduced the concept of extensions for people to build and use. However, like web pages, extensions also carry risks such as privacy leakage and transmission of sensitive data; an extension may itself be malicious, built from the start to steal data; or a benign extension may be tampered with by a third party and turned into a malicious one.
In this study, our system scans the source code of a target extension and compares the extracted features against the manifest, HTML and JavaScript vectors built into the system, performing static analysis. The manifest vectors mainly check basic settings and permissions, while the HTML and JavaScript vectors detect and help prevent vulnerabilities that can lead to attacks such as cross-site scripting. Besides listing the features that may give rise to vulnerabilities and their severity, the generated report also indicates where each feature is located in the target extension and gives a related description, so that users can assess the risk and understand it better. In addition, for certain risky settings, the system suggests appropriate settings for extension developers to consult.
Abstract (English)

With the vigorous growth of the Internet, most network users access websites through browsers. In order to make browsing web pages more convenient and thus enhance the user experience, browsers have introduced the concept of the browser extension for people to produce and use. However, as with ordinary websites, browser extensions carry risks of user privacy exposure and sensitive data transmission. An extension itself may also be malicious, made with the original intention of stealing private information. It is also possible that a benign browser extension becomes malicious after third-party tampering.
In this study, we construct a system that scans through the code of an extension and carries out static analysis, comparing the extracted features with vectors. The vectors built into the system relate to the manifest, HTML, and JavaScript. Vectors for the manifest mainly cover basic settings and permission checking, while those for HTML and JavaScript cover the inspection and prevention of web attacks such as cross-site scripting (XSS). Apart from the features that may cause vulnerabilities and their level of severity, the report produced by the system points out the position of each feature in the extension and a related description, to help users carry out risk assessment and obtain a better understanding of possible vulnerabilities. Moreover, for settings that may cause vulnerabilities, our system also makes suggestions for appropriate settings, which can serve as a reference for extension developers.
Thesis outline (page numbers as in the thesis)

Table of Contents ... i
List of Figures ... iii
List of Tables ... iv
1 Introduction ... 1
  1.1 Motivation ... 2
  1.2 Contribution ... 2
  1.3 Organization ... 3
2 Background ... 4
  2.1 Browser Extension ... 4
  2.2 Extension Manifest File ... 5
  2.3 Cross-Site Scripting (XSS) ... 6
    2.3.1 Non-persistent XSS ... 7
    2.3.2 Persistent XSS ... 7
    2.3.3 DOM-based XSS ... 7
  2.4 Sinks in DOM-based XSS ... 9
    2.4.1 Document sink ... 10
    2.4.2 Location sink ... 10
    2.4.3 Execution sink ... 11
3 Related Works ... 13
4 System Design ... 15
  4.1 Goal ... 15
  4.2 Framework ... 16
    4.2.1 Initialization stage ... 16
    4.2.2 Analysis stage ... 17
    4.2.3 Report stage ... 19
5 Implementation ... 20
  5.1 System Requirement ... 20
  5.2 Tools ... 21
    5.2.1 Node.js modules ... 21
    5.2.2 HTML Parser ... 22
    5.2.3 wkhtmltopdf ... 22
  5.3 System Details ... 22
    5.3.1 Severity level classification ... 22
    5.3.2 Manifest analysis ... 24
    5.3.3 HTML analysis ... 28
    5.3.4 JavaScript analysis ... 31
    5.3.5 Report ... 32
6 System Evaluation ... 37
  6.1 Experiment Design ... 37
    6.1.1 Environment and settings ... 37
    6.1.2 Sample test set ... 38
  6.2 Experimental Result ... 39
7 Conclusion ... 40
  7.1 Conclusion ... 40
  7.2 Future Works ... 41
Bibliography ... 42
(Full text: not released for public access)