Presentation is loading. Please wait.

Presentation is loading. Please wait.

VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN.

Published byCamron Newton Modified over 9 years ago

Similar presentations

Presentation on theme: "VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN."— Presentation transcript:

1 VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN

2 ROADMAP 1.Background 2.Threat Model 3.Static Information Flow Analysis 4.Evaluation 5.Related Works

3 EXTENSIONS Extensions Vs. Plugins 1.Plugins are complicated, loadable modules. Flash and Java are two examples 2.Extensions are written mostly in JavaScript. They act as part of the browser and they have wider access privileges than JS-in-a-webpage 150 million extensions are in use

4 EXTENSIONS ARCHITECTURE IN FIREFOX

5 EXTENSIONS ARE NOT SECURE 1.Developers: 1.Many developers write extensions because of hobbies 2.Likely to write vulnerable extensions 3.Don’t have time or interests to update their extensions 2.Reviewers: 1.Not possible to understand all the extensions 2.Don’t need to have great knowledge about extensions or security 3.Follow guidelines for what is not acceptable: 1.The guidelines focus on finding malicious extensions 2.Vulnerable extensions can quiet easily slip through.

6 EXAMPLES Real Extension Vulnerabilities by Roberto Suggi Liverani and Nick Freeman http://www.securitytube.net/video/3492

7 SKYPE(<=3.8.0.188) ISSUE: Automatic arbitory

8

9

10

11

12

13

14

15

16

17 Mozilla has a team of volunteers who help vet extensions manually. Trusted add-on can’t always be trusted Vietnamese Language Pack VET EXTENSION

18 THREAT MODEL GOAL: finding security vulnerabilities in browser extensions ASSUMPTIONS: 1. Developers are not malicious 2. Extensions are not obfuscated

19 POINTS OF ATTACK 1.eval function 2.InnerHTML 3.EvalInSandBox 4.wrappedJSObject

20 STATIC INFORMATION FLOW ANALYSIS 1. Basic Goals Source Sink Find Suspicious Flow Pattern Find Suspicious Flow Pattern

21 SUSPICIOUS FLOW PATTERN 1.Resource Description Framework (RDF) data to InnerHTML 2.Content document data to eval 3.Content document data to innerHTML 4.evalInSandbox return objects used improperly by code running with chrome privileges 5.wrappedJSObject return object used improperly by code running with vulnerabilities The five flows don’t always result in a vulnerability and they are not an exhaustive list of all possible extension security bugs.

22 STATIC INFORMATION FLOW ANALYSIS 1.Static Vs. Dynamic 1.Static: efficient and Complete 2.Dynamic: accurate 2.Context Sensitive and Flow Sensitive Abstract Heap is Required!

23 ANALYSIS DETAILS 1.Variable Access 1.Check current scope (heap) 2.Check global scope (heap) 3.Create a new node and add it to global scope 4.Ignore prototype 5.Return with dependencies

24 ANALYSIS DETAILS 2.Binary Operators 1.Return the union of dependencies of both expressions 3.Object 1.Create heap locations for each of its properties 2.Create a node for the object 3.Link the object node to its property nodes

25 ANALYSIS DETAILS 4.Function 1.Create heap location for each of its properties 2.Create heap location for each of the arguments 3.Create heap location for return value 4.Create heap location for itself 5.A function call executes all the argument parameters and updates corresponding nodes 6.If a function is not defined, the dependencies of the return values are the union of dependencies of all the arguments 7.Does a function call execute the statements again?

26 ANALYSIS DETAILS 5.Variable Declaration 1.If the variable doesn’t exist in current scope, create a new node. 2.Otherwise, replace the current one. 6.Assignment 1.Evaluate left side expressions and right side expressions 2.Replace the node on the left with the one on the right

27 ANALYSIS DETAILS 7.Condition Both IF and ELSE branches needs to be evaluated. 8.While While body needs to be evaluated till reaching a fixed point

28 ANALYSIS DETAILS 9. EVAL if the argument is constant string, the string will be inserted into the codes and analyzed as codes. If the strings are not statically known, they are ignored. VEX is unsound

29 ANALYSIS DETAILS 10.Object properties accessed in the form of associative arrays. In JavaScript, objects are treated as associative arrays VEX doesn’t know which property is set. Whenever a property is created, its dependencies are added to the dependencies of the node.

30 EVALUATION Download a total of 2452 extensions, on an average, VEX took only 15.5 seconds per extension

31 SUCCESSFUL ATTACKS Wikipedia, Toolbar, up to version 0.5.9

32 SUCCESSFUL ATTACKS Fizzle versions 0.5, 0.5.1, 0.5.2

33 SUCCESSFUL ATTACKS Beatnik Version 1.2

34 FLOWS THAT DO NOT RESULT IN ATTACKS 1.Source is trusted (what about XSS?) 2.Sanitized input (Complete?) 3.Non-chrome sinks (less privileges)

35 RELATED WORKS 1.Plugin security 2.Dynamic information flow analysis for browser extensions 3.Flow-insensitive static information flow methods for JavaScript

Download ppt "VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.

Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.
Programming Languages and Paradigms

Programming Languages and Paradigms
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
Javascript It’s not JAVA. What do these all have in common?

Javascript It’s not JAVA. What do these all have in common?
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Sruthi Bandhakavi Samuel T. King P. Madhusudan Marianne Winslett University of Illinois at Urbana Champaign

Sruthi Bandhakavi Samuel T. King P. Madhusudan Marianne Winslett University of Illinois at Urbana Champaign
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Tutorial 10 Programming with JavaScript

Tutorial 10 Programming with JavaScript
Run-Time Storage Organization

Run-Time Storage Organization
1 Pertemuan 20 Run-Time Environment Matakuliah: T0174 / Teknik Kompilasi Tahun: 2005 Versi: 1/6.

1 Pertemuan 20 Run-Time Environment Matakuliah: T0174 / Teknik Kompilasi Tahun: 2005 Versi: 1/6.
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
VEX: Vetting Browser Extensions For Security Vulnerabilities Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett University of Illinois.

VEX: Vetting Browser Extensions For Security Vulnerabilities Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, Marianne Winslett University of Illinois.

Similar presentations

Ads by Google