Privacy and Security for Browser Extensions: a Language-Based Approach
Ben Livshits, MSR Redmond
Popup blocking, form filling, and many other features of modern web browsers were first introduced as third-party extensions, and extensions continue to enrich browsers in unanticipated ways. However, powerful extensions require capabilities such as cross-domain network access and local storage, and, whether buggy or malicious, they can pose a security or privacy risk. I'll discuss two projects in this space.

RePriv focuses on providing personalization while maintaining in-browser user privacy. The motivation comes from the observation that today's web has two distinct groups: users and service providers. While the category of users is fairly clear, service providers are large enterprises such as Amazon, Google, Microsoft, Facebook and the like. Service providers want to learn as much about their users as they can, so that they can better target ads or personalize content. At the same time, their opportunities to do so are limited. Even where sites like Amazon and Facebook allow or require authentication, the provider only learns as much about the user as can be gathered through interaction with that one site. A user might spend only a few minutes a day on Amazon.com, for example, which is minuscule compared to the time the same user spends in the browser as a whole.

In this work we propose RePriv, a system for controlling the release of private information from within the browser. We demonstrate how built-in mining of user interests can work in a real browser, and we propose a protocol on top of HTTP that integrates RePriv with existing web infrastructure. We also show how pluggable third-party miners can extract more detailed information, and how to check those miners for privacy leaks. We evaluate RePriv in real-life scenarios: mining can be done with minimal overhead to end-user latency, and on real browsing sessions RePriv learns user preferences quickly.

The second project provides a general way to program browser extensions in a type-safe language and then compile them to run on different browser platforms such as IE and Chrome. We show how to write extensions in ML and statically check them for compliance with a security policy using refinement type checking. Static verification eliminates the need for costly runtime monitoring and increases robustness, since a verified extension cannot raise a security exception at runtime. Finally, we show how to understand security policies by providing a visualization tool that highlights the impact of a policy on particular web pages.
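To make the "no runtime monitor, no security exceptions" point concrete, here is an added illustration that is not code from either project or its ML toolchain. It uses TypeScript branded types as a stand-in for refinement types: the only way to obtain an `Authorized<"network">` value is through `authorize`, so `fetchAuthorized` is checked by the type checker at every call site and has no security check to fail, whereas `fetchMonitored` re-checks on every call and throws. The policy shape (per-capability host lists, with `*.host` wildcards), the hostnames and all function names are assumptions made for this example.

```typescript
// Added illustration, not RePriv or IBEX code. Policy shape, host patterns and
// API names are assumptions constructed for this example.

type Capability = "readDom" | "network" | "storage";

interface Policy {
  // For each capability, the hosts an extension may touch.
  // "*.example.com" matches any proper subdomain (assumed convention).
  readonly allow: Readonly<Record<Capability, readonly string[]>>;
}

// Brand marker: exists only in the type system, nothing is emitted at runtime.
declare const brand: unique symbol;

// A URL that has already been checked against the policy for capability C.
// Only `authorize` produces one, so a function taking Authorized<C> knows the
// check happened and never needs to repeat it (or throw if it fails).
type Authorized<C extends Capability> = { readonly url: string; readonly [brand]: C };

function hostMatches(host: string, pattern: string): boolean {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

function isAllowed(policy: Policy, cap: Capability, url: string): boolean {
  let host: string;
  try {
    host = new URL(url).hostname;
  } catch (_e) {
    return false; // an unparseable URL matches nothing
  }
  return policy.allow[cap].some((p) => hostMatches(host, p));
}

// The single trust boundary: runs the policy check once and, on success,
// hands back a value the rest of the extension can use without rechecking.
function authorize<C extends Capability>(
  policy: Policy, cap: C, url: string): Authorized<C> | null {
  return isAllowed(policy, cap, url) ? ({ url } as Authorized<C>) : null;
}

class SecurityError extends Error {}

// Runtime-monitored style: every call re-evaluates the policy and may throw,
// so a bug anywhere in the extension can surface as a security exception.
function fetchMonitored(policy: Policy, url: string): string {
  if (!isAllowed(policy, "network", url)) {
    throw new SecurityError(`network access denied: ${url}`);
  }
  return `GET ${url}`; // stand-in for the real request
}

// Statically gated style: accepts only an authorized URL. Passing a raw string
// here is a compile-time type error, so this function has nothing to throw.
function fetchAuthorized(req: Authorized<"network">): string {
  return `GET ${req.url}`;
}

// Constructed sample policy for the example.
const examplePolicy: Policy = {
  allow: {
    readDom: ["*.example.com"],
    network: ["api.example.com"],
    storage: [],
  },
};
```

The runtime check still exists, but it has moved from "inside every privileged operation" to "once, where the capability is created"; in the refinement-typed setting the abstract describes, even that check is discharged by the type checker when the URL is statically known.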