摘要
There are a large number of extensions with many users in Google Chrome,which greatly enriches the functionalities of Chrome.However,due to inadequate security auditing,vulnerable updating mechanisms and time-delayed maintenance of Chrome Web Store,the store becomes a platform for attackers to distribute malicious extensions.Existing static analysis methods can hardly detect obfuscated codes and dynamic codes injected by extensions,while dynamic detection methods have low coverage due to the need to meet various constraints when extensions are being executed.We propose a method to analyze Chrome extension behaviors dynamically based on direct execution of Java Script(JS).The core idea of this method is to convert the analysis of the whole extension into the analysis of each JS in the extension,bypassing the constraints(e.g.language,region,URL)of the extension itself,and improving the coverage of detection.The analysis of more than 44000 extensions showed that the method can effectively identify predefined behaviors.Among them,20 extensions had access to malicious domains,1113 extensions injected advertisements and 381 extensions collected users’passwords or cookies.At the same time,the number of URL requests obtained from this method is 177893,which is 52.44%more than that from traditional dynamic analysis method.
基金
the National Natural Science Foundation of China(61972297,U1636107)。
