
Protecting Browsers from Extension Vulnerabilities: An Analysis of Firefox Extensions, Slides of Software Engineering

This document covers the vulnerabilities of web browser extensions, focusing specifically on Firefox. It examines the issue of extensions running with excessive permissions and the threats posed by overpowered APIs, and proposes a multi-part system solution. It also covers two threat models and four exploitation techniques, as well as counter-measures and examples of damage caused by extensions.

Typology: Slides

2012/2013

Uploaded on 04/25/2013

ayushmati

Protecting Browsers from Extension Vulnerabilities

Briefing
• Are your computers susceptible to attacks through the use of the extensions in your web browser?
• Extensions extend the functionality of your browser, providing both personalization and ease of use. How can they hurt you?
• Problem: the majority of Firefox extensions run at a critically insecure level.

Observations
• 25 popular Firefox extensions examined (Appendix A)
• 2 randomly picked from the 13 categories on the recommended page (Appendix A)
• 88% of the extensions need fewer permissions than they are given.
• 76% of the extensions' permission issues come from overpowered APIs.

Multi-part System Solution
• Least privilege: lists the privileges needed at installation.
• Privilege separation: break the extension up into three main parts: content script, extension core, and native binary.
• Strong isolation: each part of the extension is isolated beyond just being a separate component.

Threat Models
Two threat models covered:
1. Web page: the attacker can host a malicious web page. Its JavaScript may try to mix up the pointers of the objects and inject a malicious one.
2. Network: a man-in-the-middle on the HTTP request and response.

Examples of Damage
• “Greasemonkey exposed a privileged version of XMLHttpRequest to every web page [33], letting attackers circumvent the browser’s same-origin policy by issuing HTTP requests with the user’s cookies to arbitrary web sites and reading back the responses.”
• “An extension injects an HTTP script into an HTTPS page. For example, we discovered that an extension [6] injects an HTTP script into the HTTPS version of Gmail.”

Privilege Separation
• Content script: composed of JavaScript; interacts directly with the DOM; can send messages to the extension core.
• Extension core: does not interact with the web page directly, but has access to the APIs and is what the user interfaces with.
• Native binary: the only part that can execute arbitrary code, but it is the farthest removed from the web page.

[Figure 1 diagram: web page DOM and attacker on one side; tabs, bookmarks, process creation and the file system on the other; content script, extension core and native binary separated by process boundaries.]
Figure 1. Extensions are divided into three components, each with progressively more privileges and less exposure to malicious web content.

Purpose vs. Privilege
[Figure 2 charts: (a) most powerful behavior; (b) most powerful interface.]
Figure 2. The chart on the left shows the severity ratings of the most dangerous behaviors exhibited by each extension. The chart on the right shows the security ratings of the extension interfaces used for these behaviors.

Purpose vs. Privilege
| Behavior                      | Interface                     | Disparity? | Frequency |
|-------------------------------|-------------------------------|------------|-----------|
| Process launching (C)         | Process launching (C)         | No         | 3 (12%)   |
| User chooses a file (N)       | Arbitrary file access (C)     | Yes        | 11 (44%)  |
| Extension-specific files (N)  | Arbitrary file access (C)     | Yes        | 10 (40%)  |
| Extension-specific SQLite (N) | Arbitrary SQLite access (H)   | Yes        | 3 (12%)   |
| Arbitrary network access (H)  | Arbitrary network access (H)  | No         | 8 (40%)   |
| Specific domain access (M)    | Arbitrary network access (H)  | Yes        | 2 (8%)    |
| Arbitrary DOM access (H)      | Arbitrary DOM access (H)      | No         | 9 (36%)   |
| Page for display only (L)     | Arbitrary DOM access (H)      | Yes        | 3 (12%)   |
| DOM of specific sites (M)     | Arbitrary DOM access (H)      | Yes        | 2 (8%)    |
| Highlighted text/images (L)   | Arbitrary DOM access (H)      | Yes        | 2 (8%)    |
| Password, login managers (H)  | Password, login managers (H)  | No         | 3 (12%)   |
| Cookie manager (H)            | Cookie manager (H)            | No         | 2 (8%)    |
| Same-extension prefs (N)      | Browser & all ext prefs (H)   | Yes        | 21 (84%)  |
| Language preferences (M)      | Browser & all ext prefs (H)   | Yes        | 1 (4%)    |
Figure 3. The frequency of security-relevant behaviors. The security rating of each behavior is abbreviated in parentheses. If the interface’s privilege is greater than the required behavioral privilege, there is a disparity.
Deductive System
• Another issue lies in privilege escalation through XPCOM interfaces.
• Example: “type foo has a method that accepts type bar as a parameter. Type bar has a method getFile that returns a file type. We do not know whether an implementation of foo actually ever calls bar.getFile, but we know it is possible.”

Least Privilege (Manifests)
• Executing arbitrary code: the only way to do this is to list a native binary in the manifest.
• Web site access: to access a web site, it must be listed in the manifest under the permissions category.
• API access: as with web site access, the API must be listed in the manifest under permissions.

Gmail Checker Extension Manifest [13]
    {
      "name": "Google Mail Checker",
      "description": "Displays the number of unread messages...",
      "version": "1.2",
      "background_page": "background.html",
      "permissions": [
        "tabs",
        "http://*.google.com/",
        "https://*.google.com/"
      ],
      "browser_action": {
        "default_title": ""
      },
      "icons": {
        "128": "icon_128.png"
      }
    }

Reward for Security
• Why would extension creators bother asking for less?
  – The user decides which permissions to allow at installation time, possibly preventing use of the extension.
  – The galleries (Chrome and Firefox) need a contract for code execution.
  – The user can review the manifest manually.

Processes
[Screenshot: Windows Task Manager, Processes tab, showing several chrome.exe processes alongside other applications.]
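The deduction quoted on the Deductive System slide, as an added example (not the paper's code): an interface inherits the privilege of any type it receives as a parameter or gets back as a return value, iterated to a fixed point, so foo is rated as highly as the file type that bar.getFile can return even though we never see foo call it. The interface graph is constructed; every name other than foo, bar and getFile is hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Security ratings used on the slides, least to most privileged:
# None, Low, Medium, High, Critical.
RANK = {"N": 0, "L": 1, "M": 2, "H": 3, "C": 4}


@dataclass
class Method:
    name: str
    params: Tuple[str, ...] = ()      # parameter type names
    returns: Optional[str] = None     # return type name, if any


@dataclass
class Interface:
    name: str
    rating: str = "N"                 # rating assigned directly to this type
    methods: List[Method] = field(default_factory=list)


def infer_privileges(interfaces: Dict[str, Interface]) -> Dict[str, str]:
    """Deduce the rating of every interface.

    Rule: if a method of X takes or returns a type T, X is at least as
    privileged as T, because an implementation *could* reach T's methods.
    Ratings only ever increase, so the loop terminates.
    """
    rating = {n: i.rating for n, i in interfaces.items()}
    changed = True
    while changed:
        changed = False
        for name, iface in interfaces.items():
            for m in iface.methods:
                for t in (*m.params, m.returns):
                    if t in rating and RANK[rating[t]] > RANK[rating[name]]:
                        rating[name] = rating[t]
                        changed = True
    return rating


# Constructed graph mirroring the quoted example (hypothetical type names).
INTERFACES = {
    "file_type": Interface("file_type", rating="C"),      # arbitrary file access
    "bar": Interface("bar", methods=[Method("getFile", returns="file_type")]),
    "foo": Interface("foo", methods=[Method("use", params=("bar",))]),
    "baz": Interface("baz", methods=[Method("show", params=("string",))]),
}

if __name__ == "__main__":
    for iface_name, r in infer_privileges(INTERFACES).items():
        print(f"{iface_name}: {r}")
```

The deduction is deliberately conservative: foo is rated Critical even if no real implementation ever calls bar.getFile, which is exactly the over-approximation the slide describes.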
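The three manifest rules on the Least Privilege slide applied to the Gmail Checker manifest quoted above, as an added example (not the paper's or Chrome's code). The manifest is embedded as on the page; the "native_binary" key and the host-pattern matching (scheme and host only, path ignored) are assumptions of this example, not Chrome's actual semantics.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Manifest from the slide, trimmed to the fields the checks below use.
GMAIL_CHECKER_MANIFEST = json.loads("""
{
  "name": "Google Mail Checker",
  "version": "1.2",
  "background_page": "background.html",
  "permissions": ["tabs", "http://*.google.com/", "https://*.google.com/"]
}
""")


def _host_patterns(manifest) -> list:
    """Permissions that look like URL patterns rather than API names."""
    return [p for p in manifest.get("permissions", []) if "://" in p]


def can_execute_native_code(manifest) -> bool:
    # Rule 1: arbitrary code only if a native binary is listed.
    # "native_binary" is an assumed key; the slide names no key.
    return "native_binary" in manifest


def can_access_url(manifest, url: str) -> bool:
    # Rule 2: the site must be listed. Parse the URL rather than doing a
    # string-prefix check, so a host such as mail.google.com.evil.example
    # does not match the *.google.com pattern.
    target = urlsplit(url)
    for pattern in _host_patterns(manifest):
        pat = urlsplit(pattern)
        if pat.scheme == target.scheme and fnmatchcase(
            target.hostname or "", pat.hostname or ""
        ):
            return True
    return False


def can_use_api(manifest, api: str) -> bool:
    # Rule 3: an API (e.g. "tabs") must be listed under permissions.
    return api in manifest.get("permissions", [])


if __name__ == "__main__":
    print(can_use_api(GMAIL_CHECKER_MANIFEST, "tabs"))
    print(can_access_url(GMAIL_CHECKER_MANIFEST, "https://mail.google.com/mail/"))
    print(can_execute_native_code(GMAIL_CHECKER_MANIFEST))
```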
Isolation of Worlds
[Figures 7 and 8: diagrams of DOM (C++) objects and their JavaScript (V8) representations in the page world, W2 (Extension 1) and W3 (Extension 2).]
Figure 7. The normal one-to-one relation between DOM implementation objects and JavaScript representations.
Figure 8. The one-to-many relation caused by running content scripts in isolated worlds.

Performance
• Initial concern:
  1. Three parts now communicate with one another.
  2. The difference is trivial, 0.8 ms, for interprocess communication.
• Real area for concern:
  1. DOM access in the separate-world model.
  2. Adds 33.3% to access time.

Improvement
• Testing work with browsers like Opera or Internet Explorer.
• Explicitly fixing or creating new, tighter interfaces for the extension to use.

Related Work
• There is another extension system for Firefox called Jetpack which proposes narrow interfaces for browser functionality.
• Other papers look into the problem of dealing specifically with running code in the native plug-in.
• Pulls from the MashupOS and JAR public-key signing work; the browser is a mashup of extension code and web content.