Facebook awards Chalmers web security research

Facebook has acknowledged the work of Chalmers researcher Andrei Sabelfeld and his team, supporting research on improving the security of browser extensions.

Chalmers researcher Andrei Sabelfeld received an e-mail reading "We have decided to give you an unrestricted gift of $30,000". Not an entirely unusual sentence in the days of frequent Internet fraud, but this time it proved to be true. The mail came from Facebook, and the research project they have taken an interest in aims to develop tools that will enable websites to detect whether visitors have browser extensions installed.

“Browser extensions provide a powerful platform to enrich browsing experience. At the same time, they raise important security questions. From the point of view of a website, some browser extensions are invasive, removing intended features and adding unintended ones,” says Andrei Sabelfeld.

In some respects the interests of the involved parties (users, website owners and providers of browser extensions) collide. The user installs extensions to suit their needs and wants, such as using smileys, blocking ads, or keeping track of passwords for different sites and services. The provider of an extension may want to be able to assure the user that the extension works as promised, for example that it blocks all ads. On the other hand, anyone with a website that provides a service may want to be able to control what happens in the visitor's browser. A bank or authority may not want an extension to handle their data, and Facebook, for example, may not want an extension to take control over which ads should be displayed.

“We will develop the dual measures of making extension detection easier in the interest of websites and making extension finding more difficult in the interest of extensions,” says Andrei Sabelfeld, “and in the next step we will investigate a browser architecture that allows a user to take control in arbitrating the conflicting security goals.”

This means that, for example, a bank may request to be very restrictive and allow only certain extensions, denying all others. In that case, the browser will present the user with the option to run only the permitted extensions and disable all others for that site.


Contact

Professor Andrei Sabelfeld, Software Technology division, Computer Science and Engineering.
andrei@chalmers.se
Phone: +46 31 772 10 18

Published: Sun 11 Dec 2016. Modified: Fri 16 Dec 2016