
An Analysis of the Mozilla Jetpack Extension Framework Rezwana Karim, Mohan Dhawan, Vinod Ganapathy Computer Science, Rutgers University Chung-cheih Shan.


1 An Analysis of the Mozilla Jetpack Extension Framework
Rezwana Karim, Mohan Dhawan, Vinod Ganapathy (Computer Science, Rutgers University); Chung-cheih Shan (Indiana University)
ECOOP'12, 6/1/2012

2 Browser Extensions
– Enhance browser functionality
– Customize the browser to meet user needs
– Have unrestricted access to privileged resources
Rezwana Karim

3 Problems in legacy extensions
Insecure programming practice → exploitable vulnerability [Barth et al., NDSS'10] [Bhandhakavi et al., Usenix Security'10]
(Figure: a malicious site, www.evil.com, exploiting a vulnerable legacy extension.)

4 Jetpack
– Mozilla's new extension development technology
– Extension structured as a collection of modules
– Recommends the Principle of Least Authority (POLA) and privilege separation
– Upfront permission specification
– Goal: limit the ill effects of vulnerable extensions

5 Structure of Weather extension in Jetpack
(Figure: the extension module Main calls the core modules File and Network, which in turn access the sensitive resources.)

6 Modularity does not guarantee security
(Figure: the same Main / File / Network module graph; a vulnerability in one module still reaches the resources behind the others.)

7 Analysis of Jetpack framework
Goal: verify conformance to security principles in Jetpack modules, focusing on adherence to POLA and privilege separation.
Beacon: a capability flow analysis tool
– 36 programming bugs (capability leaks) in real-world modules
– 10 instances of POLA violation
– Results acknowledged by Mozilla

8 Module Interaction

Main:
    var file = require("file");
    file.readFile("zipCodeFile");
    ...

File:
    var fileSystemPtr = accessToFileSystem();
    exports.readFile = function readFile(fileName) {
        // read the content of fileName
        ...
        // return the content
        ...
    };

9 Capabilities
Privilege to access sensitive resources: bookmarks, cookies, file, password, network etc.
Ways to acquire a capability:

File:
    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;

Main:
    var fileSystemPtr = require("File").fileSystemPtr;

10 Capability leaks
Inadvertent leaks of pointers to privileged resources:
– Direct references to privileged resources
– Functions returning references to privileged resources

File:
    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;
    exports.getFileSystem = function () {
        return fileSystemPtr;
    };

11 Detecting capability leaks
(Figure: the Main / File / Network module graph with the capability flow from File's resource to its exports interface highlighted.)

12 Capability flow analysis
– Static analysis of JavaScript modules
– Information flow: taint = capability; source = privileged resource access; sink = exports interface
– Call-graph based
– Context- and flow-insensitive; the Static Single Assignment (SSA) representation gives a degree of flow-sensitivity

13 Capability flow in object hierarchy
(Figure: object graph rooted at a, with children x and y; y has children p and z.)

    var a = {
        x : object,
        y : { p : fileSystemPtr, z : object }
    };

14 Implementation of Beacon
(Architecture figure: call graph generator → SSA analyzer (SSA format) → inference engine → capability analysis report. Inputs to the inference engine: imported module summaries, rules for JS-to-Datalog translation, taint inference rules, initial facts, points-to rules, heap allocation.)
2.8k lines of Java and Datalog. Tools used: WALA, DES.

15 Capability flow in object hierarchy
(Figure: object graph rooted at a, with children x and y; y has children p and z.)

    var a = {
        x : object,
        y : { p : fileSystemPtr, z : object }
    };

Points-to facts: ptsTo(v_a, h_a), ptsTo(v_x, h_x), ptsTo(v_y, h_y), ptsTo(v_p, h_p), ptsTo(v_z, h_z)
Store fact: store(v_y, p, v_p)
Heap facts: heapPtsTo(h_a, x, h_x), heapPtsTo(h_a, y, h_y), heapPtsTo(h_y, p, h_p), heapPtsTo(h_y, z, h_z)
Taint facts: isTainted(h_p, file), isTainted(h_y, file), isTainted(h_a, file)
[Gatekeeper, Guarnieri et al., Usenix Security'09]

16 Evaluation goals
Evaluate the Jetpack architecture's adherence to two principles:
– Privilege separation
– Principle of least authority (POLA)
Identify modules that
– leak capabilities,
– violate privilege separation,
– are overprivileged (violate POLA).

17 Evaluation
Over 600 Jetpack modules:
– 77 core modules
– Modules from 359 Jetpack extensions
– 68k lines of JavaScript code
Performance:
– On average a couple of minutes and about 200 MB of memory per module
– tab-browser.js (~25 KB): 30 minutes and 243 MB

18 Capability leaks: 36 leaks in over 600 modules
– 12 in 4 core modules
– 24 in extension modules

| Core module  | Capability                                   | Leak mechanism          | Essential |
|--------------|----------------------------------------------|-------------------------|-----------|
| tabs/utils   | Active tab, browser window and tab container | Function return         | yes       |
| window-utils | Browser window                               | Function return         | yes       |
| xhr          | Reference to the XMLHttpRequest object       | Property of this object | no        |
| xpcom        | Entire XPCOM utility module                  | Exported property       | no        |

19 Capability leaks: extension modules
24 leaks in 359 extensions

| Extension             | Capability                                                 | Count |
|-----------------------|------------------------------------------------------------|-------|
| Bookmarks Deiconizer  | Sensitive resource service module                          | 1     |
| Browser Sign In       | Window, document                                           | 2     |
| Customizable Shortcut | Preference, DOM, window                                    | 3     |
| Firefox Share         | Preference, window, database, observer database, stream, network | 10 |
| Most Recent Tab       | Preference, window                                         | 2     |
| Open Web Apps         | Preference, window, database, observer                     | 4     |
| Recall Monkey         | IOService, favIcon                                         | 2     |

None of the leaks are required for functionality.

20 Accuracy: capability leaks
– No false positives
– May miss some leaks:
  – Dynamic features: iterator, generator
  – Unsupported JS constructs: for..each, yield, case statement over a variable
  – Unmodeled JS constructs: eval, with
  – Latent bugs

21 Violation of privilege separation
26 modules in 19 extensions

22 Accuracy: capability usage
– 53 extensions directly use sensitive resources
– Beacon detects 46 out of 53
– The 7 missed are in event-handling code

23 Violation of POLA
Beacon generates 18 warnings, 7 of them false positives.

| Core module           | Privilege         | Severity |
|-----------------------|-------------------|----------|
| file                  | Directory service | Moderate |
| hidden-frame          | Timer             | None     |
| tab-browser           | Errors            | None     |
| content/content-proxy | Chrome            | Critical |
| content/loader        | File              | Moderate |
| content/worker        | Chrome            | Critical |
| keyboard/utils        | Chrome            | Critical |
| clipboard             | Errors            | None     |
| widget                | Chrome            | Critical |
| windows               | XPCOM, apiUtils   | Critical |

The violation instances were fixed by Mozilla.

24 Related Work
Information flow analysis of extensions
– SABRE [Dhawan et al., ACSAC'09]
– VEX [Bhandhakavi et al., Usenix Security'10]
Static analysis of JavaScript
– Gatekeeper [Guarnieri et al., Usenix Security'09]
– ENCAP [Taly et al., Oakland'11]
Study of the Chrome extension architecture
– Chrome extension analysis [Yan et al., NDSS'12]

25 Summary
Beacon, a system for capability flow analysis of JavaScript modules, applied to the Jetpack extension development framework:
– 36 capability leaks in more than 600 modules
– 10 overprivileged core modules
– Results acknowledged by Mozilla
Applicable to node.js and Harmony modules.

26 Thank you

27 Questions

28 Sensitive resources usage (figure)

29 Capability usage: top 10 XPCOM interfaces (figure)

30 Suggestions
– Dynamic enforcement of the manifest: prevent access to unrequested sensitive resources
– Deep freezing of the exports object: prevent leaks through event handlers

31 Template

| Entity           | Type     | Capability |
|------------------|----------|------------|
| fileSystemPtr    | Object   | File       |
| getFileSystemPtr | Function | File       |

32 Proof of concept example: Customize-shortcut

    const {Cc, Ci} = require("chrome");
    let Preferences = {
        branches: {},
        ...
        getBranch: function (name) {
            let branch = Cc["@mozilla.org/preferences-service;1"]
                           .getService(Ci.nsIPrefService)
                           .getBranch(name);
            …
            return this.branches[name] = branch;
        },
        ...
    };
    exports.Preferences = Preferences;

33 Modular approach
Break the extension down into JavaScript modules that
– implement a certain functionality,
– are self-contained,
– are isolated and communicate only via module interfaces,
which limits the effect of a vulnerability.

34 Capability usage: top 10 core modules (figure)

35 Datalog relations: points-to analysis

36 JavaScript statement processing

37 Inference Rules

38 Pre-processing (cont'd)
Desugar JS constructs: destructuring assignment, let, const, lambda functions. Code simplification.

Code:
    var {Cc,Ci} = require("chrome");
Desugared code:
    var Cc = require("chrome").Cc;
    var Ci = require("chrome").Ci;

Code:
    let branch = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).getBranch(name);
Simplified code:
    let branch = MozPrefService().getBranch(name);


40 Capability flow analysis using Datalog

| Statement      | Example code | Generated facts   |
|----------------|--------------|-------------------|
| OBJECT LITERAL | a = { }      | ptsTo(v_a, h_a)   |
| STORE          | v1.f = v2    | store(v1, f, v2)  |

Basic rule:
    heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
Taint propagation:
    isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
[Gatekeeper, Guarnieri et al., Usenix Security'09]
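Added example, not Beacon's code: the two rules of slide 40 applied to the object hierarchy of slides 13 and 15, run as a naive Datalog fixpoint in JavaScript. It goes beyond the slide in three labelled ways: a load rule in the Gatekeeper style, so that an alias of an inner object is tracked; a simplified funcRet rule standing in for Beacon's call-graph handling of functions that return a capability; and a sink query over the exports object that turns tainted heap facts into a list of leaking exports. The facts in exampleFacts are hand-translated from a constructed File module that mirrors slides 9, 10 and 13; the relation and heap names are assumed.

```javascript
"use strict";

// Deductive database: relation name -> set of JSON-encoded tuples.
class Facts {
  constructor() { this.rels = new Map(); }
  add(rel, ...tuple) {                       // true only when the fact is new
    if (!this.rels.has(rel)) this.rels.set(rel, new Set());
    const set = this.rels.get(rel), key = JSON.stringify(tuple);
    if (set.has(key)) return false;
    set.add(key);
    return true;
  }
  has(rel, ...tuple) { return (this.rels.get(rel) ?? new Set()).has(JSON.stringify(tuple)); }
  all(rel) { return [...(this.rels.get(rel) ?? [])].map((k) => JSON.parse(k)); }
  select(rel, pred) { return this.all(rel).filter(pred); }
}

// One round of rule application over a snapshot of the database; true if anything new was derived.
function applyRules(db) {
  let changed = false;
  const derive = (...fact) => { changed = db.add(...fact) || changed; };

  // heapPtsTo(H1,F,H2) :- store(V1,F,V2), ptsTo(V1,H1), ptsTo(V2,H2)        [slide 40]
  for (const [v1, f, v2] of db.all("store"))
    for (const [, h1] of db.select("ptsTo", ([v]) => v === v1))
      for (const [, h2] of db.select("ptsTo", ([v]) => v === v2))
        derive("heapPtsTo", h1, f, h2);

  // ptsTo(V1,H2) :- load(V1,V2,F), ptsTo(V2,H1), heapPtsTo(H1,F,H2)          [Gatekeeper-style load; assumed]
  for (const [v1, v2, f] of db.all("load"))
    for (const [, h1] of db.select("ptsTo", ([v]) => v === v2))
      for (const [, , h2] of db.select("heapPtsTo", ([h, g]) => h === h1 && g === f))
        derive("ptsTo", v1, h2);

  // isTainted(H1,P) :- heapPtsTo(H1,F,H2), isTainted(H2,P)                   [slide 40]
  for (const [h1, , h2] of db.all("heapPtsTo"))
    for (const [, p] of db.select("isTainted", ([h]) => h === h2))
      derive("isTainted", h1, p);

  // isTainted(Hfn,P) :- funcRet(Hfn,V), ptsTo(V,H), isTainted(H,P)
  // Assumed simplification of Beacon's handling of functions that return a capability.
  for (const [hfn, v] of db.all("funcRet"))
    for (const [, h] of db.select("ptsTo", ([vv]) => vv === v))
      for (const [, p] of db.select("isTainted", ([hh]) => hh === h))
        derive("isTainted", hfn, p);

  return changed;
}

// Naive fixpoint: repeat until no rule derives a new fact.
function solve(db) {
  while (applyRules(db)) { /* keep iterating */ }
  return db;
}

// Sink query: an exported property whose heap object carries a capability is a leak.
// leak(F,P) :- ptsTo(exports,He), heapPtsTo(He,F,H), isTainted(H,P)
function capabilityLeaks(db) {
  const leaks = new Set();
  for (const [, he] of db.select("ptsTo", ([v]) => v === "exports"))
    for (const [, f, h] of db.select("heapPtsTo", ([hh]) => hh === he))
      for (const [, p] of db.select("isTainted", ([hh]) => hh === h))
        leaks.add(`${f}:${p}`);
  return [...leaks].sort();
}

// Constructed File module, hand-translated to facts (follows slides 9, 10 and 13):
//   var fileSystemPtr = accessToFileSystem();                        // source: h_fs tainted with "file"
//   var a = { x: object, y: { p: fileSystemPtr, z: object } };       // inner literal bound to temp y
//   exports.a = a;                                                   // leak through the object hierarchy
//   exports.getFileSystem = function () { return fileSystemPtr; };   // leak through a function return
//   var safe = { x: object }; exports.safe = safe;                   // no capability reaches this
//   var q = a.y; exports.q = q;                                      // load: q aliases the tainted inner object
function exampleFacts() {
  const db = new Facts();
  db.add("ptsTo", "fileSystemPtr", "h_fs"); db.add("isTainted", "h_fs", "file");
  db.add("ptsTo", "object", "h_obj");
  db.add("ptsTo", "exports", "h_exports");
  db.add("ptsTo", "a", "h_a"); db.add("ptsTo", "y", "h_y");
  db.add("store", "a", "x", "object"); db.add("store", "a", "y", "y");
  db.add("store", "y", "p", "fileSystemPtr"); db.add("store", "y", "z", "object");
  db.add("store", "exports", "a", "a");
  db.add("ptsTo", "getFileSystem", "h_fn"); db.add("funcRet", "h_fn", "fileSystemPtr");
  db.add("store", "exports", "getFileSystem", "getFileSystem");
  db.add("ptsTo", "safe", "h_safe"); db.add("store", "safe", "x", "object");
  db.add("store", "exports", "safe", "safe");
  db.add("load", "q", "a", "y"); db.add("store", "exports", "q", "q");
  return db;
}
```

Running solve(exampleFacts()) derives isTainted(h_y, file) and then isTainted(h_a, file) exactly as on slide 15, reaches h_exports through the exported a, and reports a, getFileSystem and q as leaking the file capability while safe stays clean. Everything is flow- and context-insensitive, as the slides describe: the rules never look at statement order, which is why the real tool leans on SSA for the little flow-sensitivity it has.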


42 JavaScript statement processing

OBJECT CONSTRUCTION
    Example code: v = new v0(v1, v2, ..., vn)
    Generated facts:
        ptsTo(v, h_fresh)
        prototypeOf(h_fresh, d) :- ptsTo(v0, h_method), heapPtsTo(h_method, prototype, d)
        for z ∈ 1...n, generate actual(i, z, v_z)
        callRet(i, v)

FUNCTION CALL
    Example code: v = v0(v_this, v1, v2, ..., vn)
    Generated facts:
        ptsTo(v, h_fresh)
        for z ∈ 1...n, this, generate actual(i, z, v_z)
        callRet(i, v)

