ICE Interposing on Chrome Extensions Ryan Lopopolo Edgar Salazar William Ung 6.858 Final Project.


1 ICE Interposing on Chrome Extensions Ryan Lopopolo Edgar Salazar William Ung 6.858 Final Project


3 Problem: Extensions
- Accepting permissions is an all or nothing affair.
- Users have no opportunity to intervene.
- Ask for too broad permissions.
- Use private information maliciously.
  o Sensitive information is protected by chrome.* APIs
  o Access to HTTPS pages
  o Steal history for advertisement purposes
  o Get cookies or other private data for other uses

4 Threat Model
- Malicious developers
- They can trick users into installing/running their extensions
- They can steal secret data without users' knowledge
- Malicious extensions can access the network
- Users will agree to the permissions without reading them
  o Malicious extensions can have any permission they want

5 ICE
- Sandbox Chrome Extensions
- Interpose on Permissions
  o Bookmarks
  o Cookies
  o History
  o Management
- Whitelist/Blacklist URLs
- Shell Interface
- lopopolo.github.com/ice/

6 Interesting Things
- Packaging Chrome extensions is not simple
  o Needs to be signed in CRX format when packaging
- slimit is not bug-free. It barfs on raw JSON
- The management permission allows extensions to inspect other extensions. This forced us to preserve the original manifest in case the extension requests info about itself
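The interposition idea from slides 5 and 6, as an added example that is not ICE's own code: it assumes a runtime Proxy wrapper around chrome.* rather than the project's source rewriting, and the names makeSandboxedChrome, policy, ext, callSync and the mock chrome object are hypothetical.

```javascript
'use strict';
// Added example; makeSandboxedChrome, policy, ext and mockChrome are hypothetical names.

// Constructed stand-in for the browser's chrome.* object so this runs under Node.
const mockChrome = {
  cookies: { getAll: (query, cb) => cb([
    { domain: 'bank.example', name: 'sid', value: 'constructed-secret' },
    { domain: 'news.example', name: 'theme', value: 'dark' }]) },
  history: { search: (query, cb) => cb([{ url: 'https://bank.example/account' }]) },
  management: { get: (id, cb) => cb({ id, permissions: ['tabs'] }) },
};

// Wrap chrome.* so every call is checked against a policy before it reaches the real API.
function makeSandboxedChrome(chrome, policy, ext) {
  const wrapNamespace = (ns, target) => new Proxy(target, {
    get(obj, method) {
      if (typeof obj[method] !== 'function') return obj[method];
      return (...args) => {
        const cb = args[args.length - 1]; // assumes callback-style APIs
        // Denied namespace: spoof an empty result instead of throwing,
        // so the extension keeps running with reduced permissions.
        if (!policy.allowed.has(ns)) return cb([]);
        // An extension asking about itself sees its original manifest,
        // not the reduced one the rewritten package was installed with.
        if (ns === 'management' && method === 'get' && args[0] === ext.id) {
          return cb({ id: ext.id, permissions: ext.originalManifest.permissions });
        }
        // Allowed namespace: forward the call, then drop blacklisted domains.
        const filter = (rows) => cb(Array.isArray(rows)
          ? rows.filter((r) => !policy.blockedDomains.has(r.domain)) : rows);
        return obj[method](...args.slice(0, -1), filter);
      };
    },
  });
  return new Proxy(chrome, {
    get: (obj, ns) => (ns in obj ? wrapNamespace(ns, obj[ns]) : undefined),
  });
}

// Run a callback-style call synchronously against the mock and return its result.
function callSync(fn, ...args) {
  let out;
  fn(...args, (result) => { out = result; });
  return out;
}

const policy = { allowed: new Set(['cookies', 'management']), blockedDomains: new Set(['bank.example']) };
const ext = { id: 'ext-constructed-id', originalManifest: { permissions: ['cookies', 'history', 'management'] } };
const sandboxed = makeSandboxedChrome(mockChrome, policy, ext);
```

The empty history result returned for a denied namespace is the kind of spoofed answer an extension can inspect to tell it is sandboxed.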

7 Results
- Extensions can run with reduced permissions and not break
- Extensions can still figure out if they're sandboxed by inspecting results from the spoofer
- Many extensions cannot be rewritten because they include remote scripts (commonly Google-hosted jQuery)
- Blacklisting function calls in JavaScript is not easy
  o We currently do not disallow eval, setTimeout, etc. because they can be accessed through:
     global namespace
     window.eval / window["eval"]
     window.top.eval / window["top"].eval / etc.
  o To blacklist these entry points while allowing other legitimate uses of window, we have to reimplement Chrome's window object.
