Protecting Browsers from Extension Vulnerabilities (NDSS 2010) Adam Barth, Adrienne Porter Felt, Prateek Saxena University of California, Berkeley {abarth,


Protecting Browsers from Extension Vulnerabilities (NDSS 2010)
Adam Barth, Adrienne Porter Felt, Prateek Saxena, University of California, Berkeley {abarth, afelt,
Aaron Boodman, Google, Inc.
Presented by: Edmund Warner, March 29, 2011, University of Central Florida

Acknowledgements
- Figures and tables are taken directly from the paper.
- mozilla.org for specific information on Firefox used for this presentation.

Let's talk about Firefox
- Nearly one third of Firefox users run extensions.
- That's about 90 million users running extensions:
  - Skype Toolbar
  - Twitterfox
  - Weatherbug
- Extensions change the browsing experience:
  - Make changes to the user interface
  - Interact arbitrarily with many websites
- This creates a large attack surface!

Let's talk about Firefox
- When extensions are loaded in Firefox, many of them run with the browser's full privileges.
- If an attacker were to compromise the extension, he could usurp control of its broad privileges and use them to install malware on the user's machine.
- Most extension developers are not security experts.

The Study
- 25 extensions were chosen from the most popular of the 13 categories in Firefox: Adblock Plus 1.0.2, Answers, AutoPager, Auto Shutdown (InBasic) 3.1.1B, Babel Fish 1.84, CoolPreviews 2.7.4, Delicious Bookmarks 4.3, docked JSConsole 0.1.1, DownloadHelper 4.3, Download Statusbar, File and Folder Shortcuts 1.3, Firefox Showcase, Fission 1.3, Glue, GoogleEnhancer 1.70, Image Tweak, Lazarus: Form Recovery 1.0.5, Mouseless Browsing, Multiple Tab Handler 0.9.5, Quick Locale Switcher 1.6.9, Shareaholic 1.7, Status-bar Scientific Calculator 4.5, TwitterFox, WeatherBug, and Zemanta.
- Only 3 of these require the browser's full privileges.
- The rest are over-privileged.

How can Extensions be Compromised?
The paper gives 4 methods of exploiting Firefox extensions:
- Cross-Site Scripting: using eval or document.write without sanitizing the input can allow a script to be injected into the extension.
- Replacing Native APIs: the attacker can replace the DOM APIs the extension relies on with its own versions. The replacement behaves just like the original, but can trick the extension into performing a misdeed.
- JavaScript Capability Leaks: if the extension leaks an object to a malicious web page, the attacker can gain access to other objects.
- Mixed Content: an attacker can hijack and replace scripts loaded over HTTP in order to install malware.

Plan of Attack
- First, give developers a template to follow.
  - Lessen the attack space to aim for.
- Second, use the new build to limit the privileges given to these extensions.
  - If the extension does get compromised, the attacker has no more privileges than the extension had before.

Extension Design Template
Three parts:
- Content Script: interacts closely with potentially malicious input, but can only send messages to the extension core.
- Extension Core: contains most web privileges, but only interacts with web content through the content scripts. Also, it doesn't have host access.
- Native Binary: contains host privileges, but only interacts through the extension core.
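The content script / extension core split above, modelled as an added simulation in plain JavaScript (not code from the paper, the slides or Chrome's extension API). The names `createExtensionCore`, `contentScriptRequest`, `saveBookmark` and the `privileged` object are hypothetical, and the native binary is left out.

```javascript
// Extension core: holds the privileges and never reads page content itself.
// Every message from a content script is treated as untrusted input.
function createExtensionCore(privileged) {
  const handlers = {
    // Each handler validates its arguments before exercising a privilege.
    saveBookmark(args) {
      if (typeof args.url !== "string" || !/^https?:\/\//.test(args.url)) {
        throw new Error("bad url");
      }
      if (typeof args.title !== "string" || args.title.length > 200) {
        throw new Error("bad title");
      }
      privileged.bookmarks.push({ url: args.url, title: args.title });
      return "saved";
    },
  };
  return {
    // Messages arrive as text; JSON.parse yields data only, unlike eval.
    onMessage(raw) {
      let msg;
      try {
        msg = JSON.parse(raw);
      } catch {
        return { ok: false, error: "not JSON" };
      }
      if (msg === null || typeof msg !== "object") {
        return { ok: false, error: "not an object" };
      }
      // Own-property lookup so "constructor" etc. never resolve to a handler.
      const known = Object.prototype.hasOwnProperty.call(handlers, msg.type);
      if (!known) return { ok: false, error: "unknown message type" };
      try {
        return { ok: true, result: handlers[msg.type](msg.args || {}) };
      } catch (e) {
        return { ok: false, error: e.message };
      }
    },
  };
}

// Content script: reads the possibly hostile page, holds no privileges,
// and can only serialize a request for the core.
function contentScriptRequest(page) {
  const args = { url: page.url, title: page.title };
  return JSON.stringify({ type: "saveBookmark", args });
}
```

Even if the page fully controls the content script, the only thing it can reach is the one validated `saveBookmark` request; any other message type is refused by the core.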

Limiting Privileges
The table below represents the 25 extensions surveyed. To explain the zones:
- Critical: Can run arbitrary code on the user's system (e.g., arbitrary file access)
- High: Can access site-specific confidential information (e.g., cookies and passwords) or the Document Object Model (DOM) of all web pages
- Medium: Can access private user data (e.g., recent history) or the DOM of specific web pages
- Low: Can annoy the user
- None: No security privileges (e.g., a string) or privileges limited to the extension itself

Limiting Privileges
- Only 3 extensions showed critical-level behavior, all of which are download managers.
- None of these, however, require arbitrary file access.
- The above demonstrates just how much privilege can be abused.

Limiting Privileges
- In order to combat this potential abuse, limitations are built into the extension manifest.
- For instance, a Gmail checker extension needs access to google.com subdomains and the tabs API.
- Instead of allowing it to make the requests at run-time with full privileges, build it into the manifest:
  "permissions": ["tabs", "*.google.com/", "*.google.com/"]
- Now it can only access what we allow it to access.
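One way to enforce such a manifest, as an added example (not code from the paper, the slides or Chrome). The manifest values are constructed, `hostAllowed` and `apiAllowed` are hypothetical names, and the pattern handling assumes only simple `scheme://host/` patterns with an optional leading `*.` wildcard.

```javascript
// Constructed manifest for the Gmail-checker example; the URL patterns are
// illustrative values, not copied from the slide.
const manifest = {
  name: "gmail-checker (constructed)",
  permissions: ["tabs", "http://*.google.com/", "https://*.google.com/"],
};

// Split the permission list into API names and host patterns.
function splitPermissions(permissions) {
  const apis = new Set();
  const hosts = [];
  for (const p of permissions) {
    const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)\/$/.exec(p);
    if (m) hosts.push({ scheme: m[1], wildcard: Boolean(m[2]), host: m[3] });
    else apis.add(p);
  }
  return { apis, hosts };
}

// True only if the URL's scheme and host are covered by a declared pattern.
function hostAllowed(manifest, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input is denied, never guessed at
  }
  const scheme = url.protocol.slice(0, -1);
  const host = url.hostname.toLowerCase();
  return splitPermissions(manifest.permissions).hosts.some((p) => {
    if (p.scheme !== scheme) return false;
    if (host === p.host) return true;
    // Wildcard must match on a label boundary: "evilgoogle.com" is not covered.
    return p.wildcard && host.endsWith("." + p.host);
  });
}

// True only if the API name was declared up front in the manifest.
function apiAllowed(manifest, api) {
  return splitPermissions(manifest.permissions).apis.has(api);
}
```

The label-boundary check is the part that is easy to get wrong: a plain suffix or substring test would also admit hosts such as `evilgoogle.com` or `google.com.evil.example`.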

Isolation
The system also uses three mechanisms to isolate its parts from web content, and from each other:
- We run the extension core in a unique origin designated by a public key.
- We run the extension core and native binaries in their own processes.
- Content scripts run in a separate content heap from untrusted web content.

Public Keys
- We assign an “origin” via public key to the extension's URL. For example: chrome-extension://askhjsbasydblsdlfhfb/
- This reduces the attack surface and simplifies extension signing.
- Also, it makes updating extensions easier:
  - Same privileges, same key: simple replacement.
  - However, the process starts from scratch if the internal components are asking for more privileges.

Process Isolation
- Each component runs in a different process:
  - Extension Core and Native Binaries are in different processes.
  - Content Scripts run in the same process associated with the web page.
- Protection is two-fold:
  - Protects the core from browser errors because JavaScript objects cannot leak between processes.
  - Protects against low-level exploits like buffer overflows.

Isolated Worlds
- Each content script accesses the DOM with its “own” JavaScript objects.
- Therefore, content scripts and web pages never exchange pointers.
- Now, if a DOM method is called, both objects will be updated, but if a website calls a non-standard method, it does not carry over.

Performance
- Separating extensions could add overhead when you need to access multiple components.
- Sending a signal from the content script to the extension core and back showed a round-trip latency of 0.8 ms on average.
- With the isolated worlds mechanism, they observed a round-trip latency of 309 ms as opposed to 239 ms without.

Weaknesses
- Firefox has 5,594 extensions.
  - 25 samples only 0.45% of the population.
  - Popular doesn't always mean best developed.
- No definitive talk on how secure their solution is.
  - Might be a misnomer because the solution presented mainly just reduces the consequences of exploits.
  - An attacker can still build the privileges into his own extension or compromise and “update” an existing one: add “downloads” under “permissions”.

Contributions
- Google Chrome Add-on for Firefox: Chromifox
- Google Chrome Browser
- Extension design now has a template to follow

Improvements
- Give a “format” to the Public Key if the extension updates require more privileges.
- Test it further.
- Compare security between formatted and unformatted extensions.