張逸文 P ROTECTING B ROWSERS FROM E XTENSION V ULNERABILITIES NDSS 2010 Adam Barth, University of California, Berkeley Adrienne Porter Felt, University of California, Berkeley Prateek Saxena, University of California, Berkeley Aaron Boodman, Google,Inc.

O UTLINE  Introduction  Firefox Extension System  Google Chrome Extension System  Performance  Conclusion 2

O UTLINE  Introduction  Extensions  Benign-but-buggy Extensions  Firefox Extension System  Google Chrome Extension System  Performance  Conclusion 3

I NTRODUCTION  1/3 of Firefox users run at least 1 extension  Extend, modify and control browser behavior  Provide rich functionality and add features  Browser extensions differ from browser plug-ins  Extensions -- 使用瀏覽器的擴充介面，用來加 強或增加瀏覽器功能的小程式  Plug-ins -- 使用 Netscape 提供的 NPAPI 為介面， 提供跨瀏覽器協力支援的程式。 4

I NTRODUCTION  Benign-but-buggy extensions  Extensions aren’t written by security experts  Extensions interact extensively with web sites  Firefox extensions run with the browser’s full privileges  An attacker can usurp the extension’s broad privileges 5

I NTRODUCTION  Attacking Example  R. S. Liverani and N. Freeman, “Abusing Firefox Extensions”, Defcon17, July 2009  install a remote desktop server on the user’s machine 6

O UTLINE  Introduction  Firefox Extension System  Attacks on Extensions  Limiting Firefox Extension Privileges  Google Chrome Extension System  Performance  Conclusion 7

F IREFOX E XTENSION S YSTEM  Attacks on Extensions 1. Cross-site Scripting 2. Replacing Native APIs 3. JavaScript Capability Leaks 4. Mixed Content  Firefox extensions  High privilege  Rich interaction with distrusted web content 8

F IREFOX E XTENSION S YSTEM  Limiting Firefox Extension Privileges ??  Review 25 Firefox extensions from the 13 categories  Behavior: How much privilege does an extension need?  Implementation: How much privilege does an extension receive? 9

F IREFOX E XTENSION S YSTEM  Firefox Security Severity Ratings: Firefox Security Severity Ratings  Critical  High  Medium  Low  None 10

F IREFOX E XTENSION S YSTEM  Result  Only 3 need critical privileges  The other 22 extensions exhibit a privilege gap 11

F IREFOX E XTENSION S YSTEM  Use the same interfaces 12

F IREFOX E XTENSION S YSTEM 13

O UTLINE  Introduction  Firefox Extension System  Google Chrome Extension System  Least privilege  Privilege separation  Strong isolation  Performance  Conclusion 14

G OOGLE C HROME E XTENSION S YSTEM  Least privilege  Explicitly requested in the extension’s manifest  Developers define privileges in manifest  Execute Arbitrary Code  Web Site Access  API Access 15

G OOGLE C HROME E XTENSION S YSTEM 16

G OOGLE C HROME E XTENSION S YSTEM  Privilege separation 17

G OOGLE C HROME E XTENSION S YSTEM  Isolation Mechanisms  Extension identity -- a public key in the extension’s URL  Process Isolation -- run in different processes  Isolated Worlds -- own JavaScript objects 18

G OOGLE C HROME E XTENSION S YSTEM 19

O UTLINE  Introduction  Firefox Extension System  Google Chrome Extension System  Performance  Conclusion 20

PERFORMANCE  Inter-component communication  Round-trip latency between content script & extension core: 0.8 ms  Isolated Worlds Mechanism  Add 33.3% overhead Add 33.3% overhead 21

O UTLINE  Introduction  Firefox Extension System  Google Chrome Extension System  Performance  Conclusion 22

CONCLUSION  Firefox extension system  Extensions are over-privileged  API needs to be tamed for least privilege  New extension system for Google Chrome  Developer encouraged to request few privileges  Extensions have a reduced attack surface 23

動動腦 ~ 一日，私塾裡大家都在讀經 … 只有家家東張西望 老師問家家 : 妳為什麼不念呢 ? 24 因為家家有本難念的經