RISK COMPUTATION FOR SOFTWARE EXTENSIONS
20200104483 · 2020-04-02
Assignee
Inventors
- Félix BREZO FERNÁNDEZ (Madrid, ES)
- Aruna Prem BIANZINO (Madrid, ES)
- Sergio DE LOS SANTOS VILCHEZ (Madrid, ES)
CPC classification
- G06F21/53 (PHYSICS)
- G06F21/128 (PHYSICS)
- G06F21/51 (PHYSICS)
International classification
- G06F21/51 (PHYSICS)
- G06F21/57 (PHYSICS)
Abstract
A computer implemented method is provided for analysis of a software extension for installation and execution in a computing system, the method comprising obtaining a software extension from a marketplace, analyzing contents of the obtained software extension and computing a risk index based on the analyzed software extension and on information related to previously-downloaded software extensions stored in a local database, as well as related to previously detected malware. The risk index is computed before installing and executing the software extension in the computing system, and a high value of the risk index persuades a user to install and execute the software extension in the computing system.
Claims
1. A computer implemented method for analysis of a software extension for installation and execution in a computing system, the method comprising: obtaining a software extension from a marketplace, analyzing contents of the obtained software extension; and computing a risk index based on the analyzed software extension and on information related to previously-downloaded software extensions stored in a local database, wherein the risk index is computed before installing and executing the software extension in the computing system, and wherein a high value of the risk index persuades a user to install and execute the software extension in the computing system.
2. The computer implemented method of claim 1, wherein obtaining a software extension from a marketplace comprises: downloading the software extension from the marketplace with a web crawler; performing a hash function of the downloaded software extension for indexing the downloaded software extension; and decompressing the downloaded software extension.
3. The computer implemented method of claim 2, wherein analyzing contents of the obtained software extension comprises: determining if the decompressed software extension is a new extension or a new version of a previously-stored extension in the local database; and if the decompressed software extension is a new version of a previously-stored extension: performing a comparison of files in the software extension after decompression against previous versions of the same extension, stored in the local database.
4. The computer implemented method according to claim 3, wherein analyzing contents of the obtained software extension comprises: obtaining a size of the software extension and a size of included files within the software extension; verifying formats of the included files in the software extension; extracting metadata for analysis from all the files of the software extension; identifying a default language and a localization of the software extension; searching for obfuscated content in the software extension; and identifying image files, searching for similar images to said identified image files in the local database and extracting metadata from said similar images.
5. The computer implemented method according to claim 3, wherein analyzing contents of the obtained software extension comprises analyzing code files of the software extension by: detecting regular expressions; selecting specific commands; finding requests to remote domains; loading of remote code if a remote URL is analyzed; and verifying languages of code files and patterns in the code files and in its comments.
6. The computer implemented method according to claim 3, wherein analyzing contents of the obtained software extension comprises analyzing a manifest of the software extension by: identifying author of the software extension; verifying version of the software extension; checking web pages on which the extension acts if the extension relates to a web browser; and reviewing permissions of the software extension.
7. The computer implemented method according to claim 3, wherein analyzing contents of the obtained software extension comprises parsing the content of the software extension against known malware located in an external database.
8. The computer implemented method according to claim 1, further comprising obtaining a plurality of software extensions by accessing known marketplaces given from a list of known marketplaces.
9. The computer implemented method according to claim 1, further comprising providing the risk index to a user of the computing system.
10. A system for analysis of a software extension for execution in a computing system, the system comprising: an internet bot module configured to download a software extension from a marketplace; a package analyzer module configured to analyze contents of the obtained software extension; a local database storing previously-downloaded software extensions; and a risk computation module configured to compute a risk index based on the analyzed content of the obtained software extension and on information related to previously-downloaded software extensions in the local database, wherein the risk index is computed before installing and executing the software extension in the computing system, and wherein a high value of the risk index persuades a user to install and execute the software extension in the computing system.
11. The system for analysis of a software extension of claim 10, further comprising a hashing and decompression module configured to: perform a hash function of the downloaded software extension for indexing the downloaded software extension; and decompress the downloaded software extension.
12. The system for analysis of a software extension of claim 11, further comprising: a comparison module to determine if the decompressed software extension is a new extension or a new version of a previously-stored extension in a local database; and if the software extension is a new version of a previously-stored extension: perform a comparison of the files of the obtained software extension and files of previously-downloaded extensions stored in the local database.
13. The system for analysis of a software extension of claim 10, wherein the package analyzer module is configured to: obtain a size of the software extension and a size of included files within the software extension; verify formats of the included files in the software extension; extract metadata for analysis from all the files of the software extension; identify a default language and a localization of the software extension; search for obfuscated content in the software extension; identify image files and search for similar images to said identified image files in the local database and extract metadata from said similar images; wherein the package analyzer module is configured to analyze code files of the software extension to: detect regular expressions; select specific commands; find requests to remote domains; load of remote code if a remote URL is analyzed; and verify languages of code files and patterns in the code files and in its comments; wherein the package analyzer module is configured to analyze a manifest of the software extension to: identify author of the software extension; verify version of the software extension; check web pages on which the extension acts if the extension relates to a web browser; and review permissions of the software extension, wherein the package analyzer module is configured to parse the content of the software extension against known malware located in an external database.
14. The system for analysis of a software extension of claim 10, wherein the internet bot module is a web crawler.
15. A computer program encoded on a non-transitory digital data storage medium, the program comprising non-transitory computer readable instructions for causing one or more processors to perform operations according to the computer implemented method of claim 1.
Description
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)
[0028] To complete the description that is being made and with the object of assisting in a better understanding of the characteristics of the invention, in accordance with a preferred example of practical embodiment thereof, accompanying said description as an integral part thereof, is a set of drawings wherein, by way of illustration and not restrictively, the following has been represented:
[0029]
DESCRIPTION OF SPECIFIC EMBODIMENTS OF THE INVENTION
[0030]
[0031] In the hashing and decompression module, the found software extensions are automatically downloaded and a hash is computed for each of them. Furthermore, each of the found extensions is decompressed.
[0032] The comparison module or version comparison module as shown in
[0033]
[0034] Finally, the risk computation module provides a risk index to a user as shown in
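The hashing, decompression, version comparison and the manifest and code checks described above and in claims 2, 3, 5 and 6, as an added example that is not part of the patent text. It assumes a zip package with a WebExtension-style manifest.json; the permission watch-list, the size cap, the dictionary standing in for the local database and the sample extension are constructed for illustration, and the example stops at the findings that would feed the risk computation module because the page gives no formula for the index.

```python
import hashlib, io, json, re, zipfile

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
WATCHED_PERMISSIONS = {"<all_urls>", "tabs", "cookies", "webRequest"}  # assumed watch-list
MAX_UNPACKED = 50 * 1024 * 1024  # assumed cap, guards the analyzer against zip bombs

def build_package(files):
    """Build a constructed extension package (zip) in memory from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return buf.getvalue()

def analyze(package, local_db):
    """Hash, decompress and inspect a package; local_db maps name -> {file: sha256}."""
    report = {"package_sha256": hashlib.sha256(package).hexdigest()}  # index key
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if sum(i.file_size for i in z.infolist()) > MAX_UNPACKED:
            raise ValueError("unpacked size exceeds analysis cap")
        files = {n: z.read(n) for n in z.namelist() if not n.endswith("/")}  # in memory only
    hashes = {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}
    manifest = json.loads(files["manifest.json"])
    previous = local_db.get(manifest["name"])
    report["new_extension"] = previous is None
    if previous is not None:  # new version: compare files against the stored one
        report["added"] = sorted(set(hashes) - set(previous))
        report["removed"] = sorted(set(previous) - set(hashes))
        report["changed"] = sorted(n for n in hashes if n in previous and hashes[n] != previous[n])
    code = [b.decode("utf-8", "replace") for n, b in files.items() if n.endswith(".js")]
    report["remote_domains"] = sorted({d.lower() for text in code for d in URL_RE.findall(text)})
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    report["watched_permissions"] = sorted(set(perms) & WATCHED_PERMISSIONS)
    local_db[manifest["name"]] = hashes  # keep this version for the next comparison
    return report

# Constructed sample: two versions of a hypothetical extension "demo-notes".
V1 = build_package({
    "manifest.json": json.dumps({"name": "demo-notes", "version": "1.0", "permissions": ["storage"]}),
    "background.js": "console.log('notes ready');",
})
V2 = build_package({
    "manifest.json": json.dumps({"name": "demo-notes", "version": "1.1",
                                 "permissions": ["storage", "tabs", "<all_urls>"]}),
    "background.js": "fetch('https://collector.example/upload');",
    "extra.js": "console.log('helper');",
})
DB = {}
FIRST, SECOND = analyze(V1, DB), analyze(V2, DB)
```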
[0035] The term "comprises" and the derivations thereof (such as "comprising", etc.) must not be understood in an exclusive sense, i.e., these terms must not be interpreted as excluding the possibility that what is described and defined may include additional elements, steps, etc.
[0036] A person of skill in the art would readily recognize that steps of various above-described methods can be performed by programmed computers. Herein, some embodiments are also intended to cover program storage devices, e.g., digital data storage media, which are machine or computer readable and encode machine-executable or computer-executable programs of instructions, wherein said instructions perform some or all of the steps of said above-described methods. The program storage devices may be, e.g., digital memories, magnetic storage media such as magnetic disks and magnetic tapes, hard drives, or optically readable digital data storage media. The embodiments are also intended to cover computers programmed to perform said steps of the above-described methods.
[0037] The description and drawings merely illustrate the principles of the invention. Although the present invention has been described with reference to specific embodiments, it should be understood by those skilled in the art that the foregoing and various other changes, omissions and additions in the form and detail thereof may be made therein without departing from the scope of the invention as defined by the following claims. Furthermore, all examples recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof.