Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

Slides:



Advertisements
Similar presentations
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Advertisements

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Operating System Security
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
張逸文 P ROTECTING B ROWSERS FROM E XTENSION V ULNERABILITIES NDSS 2010 Adam Barth, University of California, Berkeley Adrienne Porter Felt, University of.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
An Evaluation of the Google Chrome Extension Security Architecture
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Firefox 2 Feature Proposal: Remote User Profiles TeamOne August 3, 2007 TeamOne August 3, 2007.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Chapter 6: Hostile Code Guide to Computer Network Security.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Presented by…. Group 2 1. Programming language 2Introduction.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
Prevent Cross-Site Scripting (XSS) attack
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Lecture 15 Introduction to Web Services Web Service Applications.
Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug.,2010) A N A NALYSIS OF P RIVATE B ROWSING M ODES IN M ODERN B ROWSERS 1.
Protecting Browsers from Extension Vulnerabilities (NDSS 2010) Adam Barth, Adrienne Porter Felt, Prateek Saxena University of California, Berkeley {abarth,
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
Georgios Kontaxis‡, Michalis Polychronakis‡, Angelos D. Keromytis‡, and Evangelos P.Markatos* ‡Columbia University and *FORTH-ICS USENIX-SEC (August, 2012)
CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.
M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.
Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Plug-in Architectures Presented by Truc Nguyen. What’s a plug-in? “a type of program that tightly integrates with a larger application to add a special.
1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Android Permissions Demystified
Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.
 AJAX technology  Rich User Experience  Characteristics  Real live examples  JavaScript and AJAX  Web application workflow model – synchronous vs.
Goals Be able to identify the parts of a URL Determine the safeness of a link Know the best places to find the info you need Know how to deal with toolbars.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Database and Cloud Security
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Understanding Android Security
World Wide Web policy.
CSC 495/583 Topics of Software Security Web Browser Security (2)
Article Authors – Oleksii Starov & Nick Nikiforakas
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Understanding Android Security
PHP Forms and Databases.
Exploring DOM-Based Cross Site Attacks
Security and JavaScript
Protecting Browsers from Extension Vulnerabilities
Cross-Site Scripting Attack (XSS)
Cross Site Request Forgery (CSRF)
Presentation transcript:

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and Aaron Boodman at Google, Presentation by: Prachi Shivhare 12 March 2014

University of Central Florida Introduction  Roughly one third of Firefox users have at least one browser extension  Modifies the core browser user experience by changing the browser’s user interface and interacting with web sites  Most extension developers are not security experts.  Firefox extensions run with the browser’s full privileges.  Does browser extensions require such a high level of privilege?

University of Central Florida Introduction  Study of Firefox 25 most popular extensions chosen from 13 categories was conducted.  Results:  88% of these extensions need less than the full set of available privileges  76% of these extensions use unnecessarily powerful APIs  Only 3 of the 25 extensions required full system access  Rest are over-privileged, needlessly increasing the severity of extension vulnerabilities

University of Central Florida Attacks against browser extensions  The paper describe four classes of attacks against Firefox browser extensions  Cross-Site Scripting  Using inputs without sanitizing can cause a script to be able to be injected into the extension  Replacing Native APIs  A malicious web page can confuse (and ultimately exploit) a browser extension by replacing native DOM APIs with methods of its own definition  JavaScript Capability Leaks  If extension leaks an object to a malicious web page, the attacker can gain access to other objects  Mixed Content  An active network attacker can control content loaded via HTTP

University of Central Florida Firefox security severity rating  Critical: Can run arbitrary code on the user’s system (e.g., arbitrary file access)  High: Can access site-specific confidential information (e.g., cookies and password) or the Document Object Model (DOM) of all web pages  Medium: Can access private user data (e.g., recent history) or the DOM of specific web pages  Low: Can annoy the user  None: No security privileges (e.g., a string) or privileges limited to the extension itself

University of Central Florida Behavioral Vs Interface Privilege

University of Central Florida Security Lattice  In Firefox, extensions and internal browser components use same interfaces known as XPCOM interfaces  613 interfaces out of 1582  Deductive system:  computes which additional interfaces a principal (the browser or an extension) can obtain from one interface.  For example, type foo has a method that accepts type bar as a parameter. Type bar has a method getFile that returns a file type. We do not know whether an implementation of foo actually ever calls bar.getFile, but we know it is possible.

University of Central Florida Security Lattice  Reachability:  Of the 2920 edges in the lattice, 147 edges go “up” the lattice  upward edges represent potential escalation points  Recommend to remove such edges either by adding runtime access control checks or by taming the interfaces at design time

University of Central Florida Suggested arch. for extensions  Least Privilege – set of privileges chosen at install time.  If an extension later becomes compromised, the extension will be unable to increase this set of privileges  Privilege Separation – break up extension into three main parts: content script, extension core, and native binary  Strong isolation – the different components of an extension are isolated from each other by strong protection boundaries  Each component runs in a separate operating system process.

University of Central Florida Least Privileges  Explicitly requested in extension manifest  Developers define privileges in manifest  Execute arbitrary code: The only way to do this is to list a native binary in the manifest.  Web site access: In order to access a website, it must be listed in the manifest under the permissions category.  If the extension were later compromised, the attacker would not have the privilege to access  API Access: extensions can also request access to extension APIs and must be listed in the manifest under the permissions category

University of Central Florida Least Privileges For example, Gmail Checker needs access to subdomains of google.com and the tabs API

University of Central Florida Least Privileges  Alter the user experience for installing an extension from the Google-controlled extension gallery based on the maximum privilege level the extension requests  extensions with the privilege to execute arbitrary code are not permitted in the gallery unless the developer signs a contract with Google  Incentivizes developers to request fewer privileges to reduce review latency

University of Central Florida Privilege Separation Content Script: lets extensions interact directly with untrusted web content. Manifest limits the extension’s access to origins Extension Core: contains the majority of the extension’s privileges, but it is insulated from direct interaction with untrusted web content Native Binary: Only native binaries can run arbitrary code or access arbitrary files

University of Central Florida Isolation Mechanism  Extension Identity: A public key in extension’s URL  For Example: chrome-extension://ilpnegfhimflflifcnmgpeihglhedbnn/  Process Isolation: Each component runs in a different process  Extension Core and Native Binaries are in different processes  Content Scripts run in the same process associated with the web page  Isolated Worlds: Content script accesses the DOM with its “own” JavaScript objects. Content scripts and web pages therefore never exchange JavaScript pointers.

University of Central Florida Isolation Mechanism

University of Central Florida Performance  Inter-component communication  Round-trip latency between content script & extension core: 0.8 ms  Isolated Worlds Mechanism  Added 33.3% overhead

University of Central Florida Conclusion  Firefox extension system  Extensions are over-privileged  API needs to be tamed for least privilege  New extension system for Google Chrome  Developer encouraged to request few privileges  Extensions have a reduced attack surface

University of Central Florida Weakness  The developer of the extension can still include more privileges than necessary.  There are around ten thousand Firefox extension, selecting 25 most popular extensions is only 0.25%.  Most popular extension might not be best developed.  Users still have to accept privileges at the time of installation.

University of Central Florida Improvements A comparison study between the previous Google chrome extension and new proposed Google chrome extension.

University of Central Florida Thank You !!