Facebook is investing in academic research to improve privacy technology. Andrei Sabelfeld’s project on securing browser extensions is one of the winners of the Facebook research award in privacy-enhancing technology.
Browser extensions are small programs that add new features to browsers and personalize the browsing experience. They greatly empower user experience on today’s web, with popular extensions like AdBlock having over 10 million downloads.
Yet due to their elevated privileges, browser extensions pose major privacy and security challenges. Companies like Google and Facebook have often fallen victims to malicious extensions injecting fake content, such as fake ads, and stealing user information.
“To address these privacy and security challenges, our research deploys a range of techniques from sandboxing to information-flow and data-flow analysis for detecting malicious and vulnerable extensions. We look forward to collaborating with Facebook on this challenging and exciting topic” says Andrei Sabelfeld, professor in information security.
Andrei’s research focuses on a range of topics within information security, like web, software, and language-based security. His signature research at Chalmers on information-flow control for JavaScript is an excellent fit for analyzing the code of browser extensions.
“Thanks to our analysis we can track if a malicious extension tries to leak user credentials to third parties or if a web page tries to exploit a vulnerability in a browser extension. Because both web pages and browser extensions are written in the JavaScript programming language, our approach of tracking information flow in JavaScript offers a principled and uniform approach of analyzing the interplay between web pages and browser extensions” says Andrei Sabelfeld.
The importance of information security
Software is at the heart of modern computing systems while at the same time being the hardest to get right. Vulnerabilities and bugs open for lucrative attacks, as recently seen in the cyberattacks on Colonial Pipeline in the US and Coop in Sweden.
“My research agenda is to build in security and privacy in the early phases of software and system construction and to design principled frameworks for prevention, detection, and mitigation of vulnerabilities,” says Andrei Sabelfeld.
Written by Julia Persson