張逸文
Protecting Browsers from Extension Vulnerabilities
NDSS 2010
Adam Barth, University of California, Berkeley
Adrienne Porter Felt, University of California, Berkeley
Prateek Saxena, University of California, Berkeley
Aaron Boodman, Google, Inc.
Outline
- Introduction
- Firefox Extension System
- Google Chrome Extension System
- Performance
- Conclusion
Outline
- Introduction
  - Extensions
  - Benign-but-buggy Extensions
- Firefox Extension System
- Google Chrome Extension System
- Performance
- Conclusion
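Introduction
- 1/3 of Firefox users run at least 1 extension
- Extend, modify and control browser behavior
- Provide rich functionality and add features
- Browser extensions differ from browser plug-ins
  - Extensions -- small programs that use the browser's extension interface to enhance or add browser functionality
  - Plug-ins -- programs that use the NPAPI provided by Netscape as their interface to provide cross-browser third-party support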
Introduction
- Benign-but-buggy extensions
  - Extensions aren't written by security experts
  - Extensions interact extensively with web sites
  - Firefox extensions run with the browser's full privileges
  - An attacker can usurp the extension's broad privileges
Introduction
- Attacking Example
  - R. S. Liverani and N. Freeman, "Abusing Firefox Extensions", Defcon17, July 2009
  - Install a remote desktop server on the user's machine
Outline
- Introduction
- Firefox Extension System
  - Attacks on Extensions
  - Limiting Firefox Extension Privileges
- Google Chrome Extension System
- Performance
- Conclusion
Firefox Extension System
- Attacks on Extensions
  1. Cross-site Scripting
  2. Replacing Native APIs
  3. JavaScript Capability Leaks
  4. Mixed Content
- Firefox extensions
  - High privilege
  - Rich interaction with untrusted web content
Firefox Extension System
- Limiting Firefox Extension Privileges
  - Review 25 Firefox extensions from the 13 categories
  - Behavior: How much privilege does an extension need?
  - Implementation: How much privilege does an extension receive?
Firefox Extension System
- Firefox Security Severity Ratings:
  - Critical
  - High
  - Medium
  - Low
  - None
Firefox Extension System
- Result
  - Only 3 need critical privileges
  - The other 22 extensions exhibit a privilege gap
Firefox Extension System
- Use the same interfaces
Outline
- Introduction
- Firefox Extension System
- Google Chrome Extension System
  - Least privilege
  - Privilege separation
  - Strong isolation
- Performance
- Conclusion
Google Chrome Extension System
- Least privilege
  - Explicitly requested in the extension's manifest
- Developers define privileges in manifest
  - Execute Arbitrary Code
  - Web Site Access
  - API Access
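The three privilege categories above can be read straight off a manifest. The following is an added example (not code from the slides, the paper or Chrome): `auditManifest`, `isHostPattern` and the sample manifest are hypothetical names and constructed data, and the manifest keys `permissions`, `content_scripts` and `plugins` are assumed to follow Chrome's extension manifest format of that period.

```javascript
// Added example, not from the slides. Classifies a manifest's requests into the
// slide's three categories: execute arbitrary code, web site access, API access.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host permissions are match patterns (scheme://host/path) or <all_urls>;
// any other permission string is treated here as an API name.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

function auditManifest(manifest) {
  const report = { arbitraryCode: [], webSiteAccess: [], apiAccess: [], warnings: [] };

  // Execute arbitrary code: native binaries declared under "plugins".
  for (const plugin of manifest.plugins || []) {
    report.arbitraryCode.push(plugin.path);
    report.warnings.push(`native plugin ${plugin.path} runs with the user's full privileges`);
  }

  // Web site access and API access both come from the "permissions" list.
  for (const p of manifest.permissions || []) {
    (isHostPattern(p) ? report.webSiteAccess : report.apiAccess).push(p);
  }

  // Content scripts also reach the pages named in their "matches" patterns.
  for (const script of manifest.content_scripts || []) {
    for (const m of script.matches || []) {
      if (!report.webSiteAccess.includes(m)) report.webSiteAccess.push(m);
    }
  }

  // Flag patterns that cover every site instead of the few origins needed.
  for (const host of report.webSiteAccess) {
    if (BROAD_HOSTS.has(host)) report.warnings.push(`broad host access: ${host}`);
  }
  return report;
}

// Constructed sample manifest (hypothetical extension, names are placeholders).
const sampleManifest = {
  name: "Example translator",
  version: "1.0",
  permissions: ["tabs", "bookmarks", "https://translate.example.com/*", "http://*/*"],
  content_scripts: [{ matches: ["http://*/*"], js: ["content.js"] }],
  plugins: [{ path: "helper.dll" }]
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

An extension that only needs one translation origin would drop the `http://*/*` pattern and the plugin entry, leaving no warnings.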
Google Chrome Extension System
- Privilege separation
Google Chrome Extension System
- Isolation Mechanisms
  - Extension identity -- a public key in the extension's URL
  - Process Isolation -- run in different processes
  - Isolated Worlds -- own JavaScript objects
Performance
- Inter-component communication
  - Round-trip latency between content script & extension core: 0.8 ms
- Isolated Worlds Mechanism
  - Adds 33.3% overhead
Conclusion
- Firefox extension system
  - Extensions are over-privileged
  - API needs to be tamed for least privilege
- New extension system for Google Chrome
  - Developers encouraged to request few privileges
  - Extensions have a reduced attack surface
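Brain teaser
One day, everyone in the private school was reciting the classics... only Jiajia was looking around.
The teacher asked Jiajia: "Why aren't you reciting?"
Because Jiajia has a scripture that is hard to recite (家家有本難念的經).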