TY - GEN
T1 - Large-scale detection of privacy leaks for BAT browsers extensions in China
AU - Zhao, Yufei
AU - He, Longtao
AU - Li, Zhoujun
AU - Yang, Liqun
AU - Dong, Hao
AU - Li, Chao
AU - Wang, Yu
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/7
Y1 - 2019/7
N2 - Although browser extensions bring users a better experience, they create a hidden danger of privacy leakage. A common privacy leakage detection method works by detecting private data transmission. However, only unintended transmission is considered a privacy leak; the real challenge is therefore to determine whether or not a transmission is user intended. To address this problem, we check the rationality of private data transmission by establishing a classification-based privacy model for extensions that confirms the scope of private data that may be uploaded and the domains it may be sent to. Furthermore, we present BEDS (Browser Extension Detection System), a Chromium-based dynamic detection system for extensions. BEDS first builds a privacy model for each extension and then records the extension's network logs and browser API logs while it accesses specified pages. Finally, BEDS determines whether a privacy leak exists according to strict privacy leakage judgment rules. We test our implementation at large scale on extensions for the browsers developed by China's three major Internet companies and complete 15 months of continuous tracking. After examining a total of 14,487 extensions, 1,897 privacy leaks are identified; all results have been manually inspected, and the accuracy of BEDS is over 97%. A number of domains that illegally collect private user data are discovered and tracked. Our results show that about 47,000 Chinese IPs upload private information to suspicious servers every day.
AB - Although browser extensions bring users a better experience, they create a hidden danger of privacy leakage. A common privacy leakage detection method works by detecting private data transmission. However, only unintended transmission is considered a privacy leak; the real challenge is therefore to determine whether or not a transmission is user intended. To address this problem, we check the rationality of private data transmission by establishing a classification-based privacy model for extensions that confirms the scope of private data that may be uploaded and the domains it may be sent to. Furthermore, we present BEDS (Browser Extension Detection System), a Chromium-based dynamic detection system for extensions. BEDS first builds a privacy model for each extension and then records the extension's network logs and browser API logs while it accesses specified pages. Finally, BEDS determines whether a privacy leak exists according to strict privacy leakage judgment rules. We test our implementation at large scale on extensions for the browsers developed by China's three major Internet companies and complete 15 months of continuous tracking. After examining a total of 14,487 extensions, 1,897 privacy leaks are identified; all results have been manually inspected, and the accuracy of BEDS is over 97%. A number of domains that illegally collect private user data are discovered and tracked. Our results show that about 47,000 Chinese IPs upload private information to suspicious servers every day.
KW - BAT browsers extensions
KW - Large-scale detection
KW - Privacy leaks
UR - https://www.scopus.com/pages/publications/85076953551
U2 - 10.1109/TASE.2019.00-19
DO - 10.1109/TASE.2019.00-19
M3 - Conference contribution
AN - SCOPUS:85076953551
T3 - Proceedings - 2019 13th International Symposium on Theoretical Aspects of Software Engineering, TASE 2019
SP - 57
EP - 64
BT - Proceedings - 2019 13th International Symposium on Theoretical Aspects of Software Engineering, TASE 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 13th International Symposium on Theoretical Aspects of Software Engineering, TASE 2019
Y2 - 29 July 2019 through 31 July 2019
ER -
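The abstract describes a three-step pipeline: a per-extension privacy model (which private-data categories may be uploaded, and to which domains), logs of browser API reads and network requests collected while the extension runs, and a judgment rule that flags a transmission as a leak when it falls outside the model. The following is an added example of that judgment step, written for this record and not code from the paper or from BEDS: the model shape, the log formats, the field names (allowedData, allowedDomains, category, value) and the sample entries are all assumed for illustration, and the matching rule is a simplified stand-in for the paper's own "strict privacy leakage judgment rules".

```javascript
// Added example of a privacy-leak judgment step in the style the abstract
// describes. Model shape, log shapes and rule are assumptions, not BEDS's code.
// Uses the global URL class (Node >= 10 and all modern browsers).

// Hypothetical privacy model for a "web page translator" extension: the only
// private data it legitimately needs is page text, sent to its own backend.
const translatorModel = {
  allowedData: new Set(["page_text"]),
  allowedDomains: new Set(["translate.example.com"]),
};

// Constructed browser API log: each private value the extension read, tagged
// with the category the classification step assigned to that API.
const apiLog = [
  { api: "tabs.executeScript", category: "page_text", value: "Hello world paragraph" },
  { api: "cookies.getAll", category: "cookies", value: "session=abc123" },
  { api: "history.search", category: "history", value: "https://bank.example.org/login" },
];

// Constructed network log: requests the extension issued during the same run.
const netLog = [
  { method: "POST", url: "https://api.translate.example.com/v1", body: "q=Hello world paragraph" },
  { method: "GET", url: "https://collector.example.net/c?ck=session%3Dabc123", body: "" },
  { method: "POST", url: "https://api.translate.example.com/stats",
    body: '{"visited":"https://bank.example.org/login"}' },
];

function hostOf(url) {
  return new URL(url).hostname;
}

// A destination host is inside the model if it equals an allowed domain or is a
// subdomain of it. The "." prefix matters: "evil-translate.example.com" must
// NOT match "translate.example.com".
function domainAllowed(host, allowedDomains) {
  for (const d of allowedDomains) {
    if (host === d || host.endsWith("." + d)) return true;
  }
  return false;
}

// Did this request carry the private value, either verbatim or URL-encoded?
function carries(req, value) {
  const encoded = encodeURIComponent(value);
  return [req.url, req.body].some((s) => s.includes(value) || s.includes(encoded));
}

// Judgment rule (simplified): a transmission of private data is a leak unless
// BOTH its category and its destination domain are within the privacy model.
// Returns one finding per (request, private value) pair that violates the rule.
function detectLeaks(model, apiEntries, requests) {
  const leaks = [];
  for (const req of requests) {
    const host = hostOf(req.url);
    for (const entry of apiEntries) {
      if (!carries(req, entry.value)) continue;
      const reasons = [];
      if (!model.allowedData.has(entry.category)) reasons.push("category outside model");
      if (!domainAllowed(host, model.allowedDomains)) reasons.push("domain outside model");
      if (reasons.length > 0) {
        leaks.push({ category: entry.category, api: entry.api, host, reasons });
      }
    }
  }
  return leaks;
}

// Tally leaks per destination host; across many extensions this is how a
// shared collector domain stands out from one-off mistakes.
function countByHost(leaks) {
  const counts = {};
  for (const leak of leaks) counts[leak.host] = (counts[leak.host] || 0) + 1;
  return counts;
}

const findings = detectLeaks(translatorModel, apiLog, netLog);
for (const f of findings) {
  console.log(`${f.category} via ${f.api} -> ${f.host}: ${f.reasons.join(", ")}`);
}
console.log(countByHost(findings));
```

On the sample run, the page text sent to api.translate.example.com passes, the cookie sent to collector.example.net fails on both category and domain, and the browsing-history URL sent to the translator's own stats endpoint still fails, because the domain being in scope does not make every data category in scope. Real logs would need decoding beyond URL-encoding (base64, compression, custom obfuscation) before substring matching is meaningful, which is one reason the abstract reports manual inspection of every result.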