An Analysis of the Mozilla Jetpack Extension Framework. Rezwana Karim, Mohan Dhawan, Vinod Ganapathy (Computer Science, Rutgers University); Chung-chieh Shan (Indiana University).

Presentation transcript:

Slide 1: An Analysis of the Mozilla Jetpack Extension Framework
Rezwana Karim, Mohan Dhawan, Vinod Ganapathy (Computer Science, Rutgers University) and Chung-chieh Shan (Indiana University)
ECOOP'12, 6/1/2012

Slide 2: Browser extensions
– Enhance browser functionality
– Customize the browser to meet user needs
– Have unrestricted access to privileged resources

Slide 3: Problems in legacy extensions
– Insecure programming practices lead to exploitable vulnerabilities [Barth et al., NDSS'10] [Bandhakavi et al., Usenix Security'10]

Slide 4: Jetpack
– Mozilla's new extension development technology
– An extension is structured as a collection of modules
– Recommends the Principle of Least Authority (POLA) and privilege separation
– Permissions are specified up front
– Goal: limit the ill effects of vulnerable extensions

Slide 5: Structure of a Weather extension in Jetpack
(Figure: the extension's Main module imports the core modules File and Network, which in turn access the sensitive resources.)

Slide 6: Modularity does not guarantee security
(Figure: the same File, Network and Main modules; a capability obtained by File or Network can still reach Main through the module interfaces.)

Slide 7: Analysis of the Jetpack framework
– Goal: verify that Jetpack modules conform to security principles, focusing on adherence to POLA and privilege separation
– Beacon: a capability flow analysis tool
  – 36 programming bugs in real-world extensions
  – 10 instances of POLA violation
  – Results acknowledged by Mozilla

Slide 8: Module interaction
Main module:
```js
var file = require("file");
file.readFile("zipCodeFile");
...
```
File module:
```js
var fileSystemPtr = accessToFileSystem();
exports.readFile = function readFile(fileName) {
  // read the content of fileName
  ...
  // return the content
  ...
};
```

Slide 9: Capabilities
– Privilege to access a sensitive resource: bookmarks, cookies, file, password, network, etc.
– Ways to acquire a capability:
File module (obtains it from the platform and re-exports it):
```js
var fileSystemPtr = accessToFileSystem();
exports.fileSystemPtr = fileSystemPtr;
```
Main module (obtains it from another module's interface):
```js
var fileSystemPtr = require("File").fileSystemPtr;
```

Slide 10: Capability leaks
– Inadvertent leaks of pointers to privileged resources
  – Direct references to privileged resources
  – Functions returning references to privileged resources
File module:
```js
var fileSystemPtr = accessToFileSystem();
exports.fileSystemPtr = fileSystemPtr;          // direct reference leak
exports.getFileSystem = function () {           // function-return leak
  return fileSystemPtr;
};
```

Slide 11: Detecting capability leaks
(Figure: File, Network and Main modules; the analysis tracks capabilities as they flow from File and Network across module interfaces into Main.)

Slide 12: Capability flow analysis
– Static analysis of JavaScript modules
– Information flow:
  – Taint: capability
  – Source: privileged resource access
  – Sink: the exports interface
– Call-graph based
– Context- and flow-insensitive; the Static Single Assignment (SSA) representation gives a degree of flow-sensitivity

Slide 13: Capability flow in object hierarchy
(Figure: object a has fields x and y; y has fields p and z.)
```js
var a = {
  x : object,
  y : { p : fileSystemPtr, z : object }
};
```

Slide 14: Implementation of Beacon
Pipeline: call graph generator → SSA analyzer → inference engine → capability analysis report
– Inputs to the inference engine: SSA format, imported module summaries, rules for JS-to-Datalog translation, taint inference rules, initial facts, points-to rules, heap allocation
– 2.8k lines of Java and Datalog
– Tools used: WALA, DES

Slide 15: Capability flow in object hierarchy (facts derived for the example)
```js
var a = {
  x : object,
  y : { p : fileSystemPtr, z : object }
};
```
Points-to facts: ptsTo(v_a, h_a), ptsTo(v_x, h_x), ptsTo(v_y, h_y), ptsTo(v_p, h_p), ptsTo(v_z, h_z)
Store fact: store(v_y, p, v_p)
Heap points-to facts: heapPtsTo(h_a, x, h_x), heapPtsTo(h_a, y, h_y), heapPtsTo(h_y, p, h_p), heapPtsTo(h_y, z, h_z)
Taint facts: isTainted(h_p, file), isTainted(h_y, file), isTainted(h_a, file)
[Gatekeeper, Guarnieri et al., Usenix Security'09]

Slide 16: Evaluation goals
– Evaluate the Jetpack architecture's adherence to two principles:
  – Privilege separation
  – Principle of least authority (POLA)
– Identify modules that:
  – Leak capabilities
  – Violate privilege separation
  – Are overprivileged (violate POLA)

Slide 17: Evaluation
– Over 600 Jetpack modules:
  – 77 core modules
  – Modules from 359 Jetpack extensions
  – 68k lines of JavaScript code
– Performance:
  – On average, a couple of minutes and 200 MB
  – tab-browser.js (~25 KB): 30 minutes and 243 MB

Slide 18: Capability leaks
36 leaks in over 600 modules: 12 in 4 core modules, 24 in extension modules.

Core module | Capability | Leak mechanism | Essential
tabs/utils | Active tab, browser window and tab container | Function return | yes
window-utils | Browser window | Function return | yes
xhr | Reference to the XMLHttpRequest object | Property of this object | no
xpcom | Entire XPCOM utility module | Exported property | no

Slide 19: Capability leaks in extension modules
24 leaks in 359 extensions.

Extension | Capability | Count
Bookmarks Deiconizer | Sensitive resource service module | 1
Browser Sign In | Window, document | 2
Customizable Shortcut | Preference, DOM, window | 3
Firefox Share | Preference, window, database, observer database, stream, network | 10
Most Recent Tab | Preference, window | 2
Open Web Apps | Preference, window, database, observer | 4
Recall Monkey | IOService, favIcon | 2

None of the leaks are required for functionality.

Slide 20: Accuracy of capability leak detection
– No false positives
– May miss some leaks:
  – Dynamic features: iterators, generators
  – Unsupported JS constructs: for..each, yield, case statement over a variable
  – Unmodeled JS constructs: eval, with
  – Latent bugs

Slide 21: Violation of privilege separation
– 26 modules in 19 extensions

Slide 22: Accuracy of capability usage detection
– 53 extensions directly use sensitive resources
– Beacon detects 46 out of 53
– The 7 missed are in event-handling code

Slide 23: Violation of POLA
Beacon generates 18 warnings, 7 of them false positives.

Core module | Privilege | Severity
file | Directory service | Moderate
hidden-frame | Timer | None
tab-browser | Errors | None
content/content-proxy | Chrome | Critical
content/loader | File | Moderate
content/worker | Chrome | Critical
keyboard/utils | Chrome | Critical
clipboard | Errors | None
widget | Chrome | Critical
windows | XPCOM, apiUtils | Critical

The violation instances have been fixed by Mozilla.

Slide 24: Related work
– Information flow analysis of extensions
  – SABRE [Dhawan et al., ACSAC'09]
  – VEX [Bandhakavi et al., Usenix Security'10]
– Static analysis of JavaScript
  – Gatekeeper [Guarnieri et al., Usenix Security'09]
  – ENCAP [Taly et al., Oakland'11]
– Study of the Chrome extension architecture
  – Chrome extension analysis [Yan et al., NDSS'12]

Slide 25: Summary
– Beacon, a system for capability flow analysis of JavaScript modules
– Analysis of the Jetpack extension development framework:
  – 36 capability leaks in more than 600 modules
  – 10 overprivileged core modules
  – Results acknowledged by Mozilla
– Applicable to node.js and Harmony modules

Slide 26: Thank you

Slide 27: Questions

Slide 28: Sensitive resources usage (chart)

Slide 29: Capability usage: top 10 XPCOM interfaces (chart)

Slide 30: Suggestions
– Dynamic enforcement of the manifest: prevent access to sensitive resources that were not requested
– Deep freezing of the exports object: prevent leaks through event handlers

Slide 31: Template

Entity | Type | Capability
fileSystemPtr | Object | File
getFileSystemPtr | Function | File

Slide 32: Proof-of-concept example: Customizable Shortcut
```js
const {Cc, Ci} = require("chrome");
let Preferences = {
  branches: {},
  ...
  getBranch: function (name) {
    let branch = ...
    return this.branches[name] = branch;
  },
  ...
};
exports.Preferences = Preferences;
```

Slide 33: Modular approach
– Break the extension down into modules
– JavaScript modules:
  – Implement a certain functionality
  – Are self-contained
  – Are isolated and communicate via module interfaces
– Limits the effect of a vulnerability

Slide 34: Capability usage: top 10 core modules (chart)

Slide 35: Datalog relations: points-to analysis

Slide 36: JavaScript statement processing

Slide 37: Inference rules

Slide 38: Pre-processing (cont'd)
– Desugar JS constructs: destructuring assignment, let, const, lambda functions
– Code simplification

Code → desugared code:
```js
var {Cc, Ci} = require("chrome");
```
becomes
```js
var Cc = require("chrome").Cc;
var Ci = require("chrome").Ci;
```
Code → simplified code:
```js
let branch = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).getBranch(name);
```
becomes
```js
let branch = MozPrefService().getBranch(name);
```


Slide 40: Capability flow analysis using Datalog

Statement | Example code | Generated facts
OBJECT LITERAL | a = { } | ptsTo(v_a, h_a)
STORE | v1.f = v2 | store(v1, f, v2)

Basic rule:
heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)

Taint propagation:
isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)

[Gatekeeper, Guarnieri et al., Usenix Security'09]
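The two rules above, run to a fixpoint over the facts of the object-hierarchy example (slide 15) with the sink rule from the capability flow analysis slide (taint reaching the exports interface), as an added example written for this page; it is not Beacon's code, which is Java plus a real Datalog engine. Everything here is a plain JavaScript semi-naive evaluator over JSON-encoded tuples. The `h_exports`/`v_exports` names, the `leak` relation and the extra `exports.a = a` statement are this example's own assumptions; the slide's variable and heap names (`v_a`, `h_a`, ...) and the `file` capability label are kept.

```javascript
"use strict";
// Added example, not Beacon's implementation: a tiny Datalog-style fixpoint
// evaluator for the points-to / taint rules on slide 40.

function capabilityFlow(initialFacts) {
  // Each relation is a Set of JSON-encoded tuples so that adding an existing
  // fact is a no-op; `add` returns true only when the fact is new.
  const rel = {};
  const add = (name, tuple) => {
    rel[name] = rel[name] || new Set();
    const key = JSON.stringify(tuple);
    if (rel[name].has(key)) return false;
    rel[name].add(key);
    return true;
  };
  const rows = (name) => [...(rel[name] || [])].map((k) => JSON.parse(k));
  for (const [name, ...tuple] of initialFacts) add(name, tuple);

  let changed = true;
  while (changed) {
    changed = false;
    // heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
    for (const [v1, f, v2] of rows("store"))
      for (const [pv1, h1] of rows("ptsTo")) if (pv1 === v1)
        for (const [pv2, h2] of rows("ptsTo")) if (pv2 === v2)
          changed = add("heapPtsTo", [h1, f, h2]) || changed;
    // isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
    for (const [h1, , h2] of rows("heapPtsTo"))
      for (const [th, p] of rows("isTainted")) if (th === h2)
        changed = add("isTainted", [h1, p]) || changed;
    // Sink rule (this example's assumption): a capability stored in a field of the
    // exports object is a leak.  leak(F, P) :- heapPtsTo(h_exports, F, H), isTainted(H, P)
    for (const [h1, f, h2] of rows("heapPtsTo")) if (h1 === "h_exports")
      for (const [th, p] of rows("isTainted")) if (th === h2)
        changed = add("leak", [f, p]) || changed;
  }
  return {
    tainted: rows("isTainted").map(([h]) => h).sort(),
    leaks: rows("leak"),
  };
}

// Constructed initial facts for the slide-15 program plus one sink statement:
//   var a = { x : object, y : { p : fileSystemPtr, z : object } };
//   exports.a = a;                    // <- sink: the module interface
const slide15Facts = [
  ["ptsTo", "v_a", "h_a"], ["ptsTo", "v_x", "h_x"], ["ptsTo", "v_y", "h_y"],
  ["ptsTo", "v_p", "h_p"], ["ptsTo", "v_z", "h_z"], ["ptsTo", "v_exports", "h_exports"],
  ["store", "v_a", "x", "v_x"], ["store", "v_a", "y", "v_y"],
  ["store", "v_y", "p", "v_p"], ["store", "v_y", "z", "v_z"],
  ["store", "v_exports", "a", "v_a"],
  ["isTainted", "h_p", "file"],   // source: fileSystemPtr = accessToFileSystem()
];

function analyzeSlide15Example() {
  return capabilityFlow(slide15Facts);
}

module.exports = { capabilityFlow, slide15Facts, analyzeSlide15Example };
```

`analyzeSlide15Example()` derives `isTainted` for `h_p`, `h_y`, `h_a` and `h_exports`, exactly the chain the slide draws, and reports `leak(a, file)`; `h_x` and `h_z` stay untainted because field-insensitive propagation is never applied, only the heapPtsTo edges that actually exist. Replacing the last store with `exports.x = a.x` (store(v_exports, x, v_x)) yields no leak, which is the POLA-respecting interface the paper asks for.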


Slide 42: JavaScript statement processing

Statement | Example code | Generated facts
OBJECT CONSTRUCTION | v = new v0(v1, v2, ..., vn) | ptsTo(v, h_fresh); prototypeOf(h_fresh, d) :- ptsTo(v0, h_method), heapPtsTo(h_method, prototype, d); for z ∈ 1...n, generate actual(i, z, v_z); callRet(i, v)
FUNCTION CALL | v = v0(v_this, v1, v2, ..., vn) | ptsTo(v, h_fresh); for z ∈ 1...n and this, generate actual(i, z, v_z); callRet(i, v)