Presentation is loading. Please wait.

Presentation is loading. Please wait.

Retargetting Legacy Browser Extensions to Modern Extension Framework Rezwana Karim, Vinod Ganapathy Computer Science, Rutgers University Mohan Dhawan IBM.

Similar presentations


Presentation on theme: "Retargetting Legacy Browser Extensions to Modern Extension Framework Rezwana Karim, Vinod Ganapathy Computer Science, Rutgers University Mohan Dhawan IBM."— Presentation transcript:

1 Retargetting Legacy Browser Extensions to Modern Extension Framework Rezwana Karim, Vinod Ganapathy Computer Science, Rutgers University Mohan Dhawan IBM Research, India ECOOP’14 4/29/2015

2 Browser Extension Enhance browser functionality Customize to meet user need Hugely popular, ~9000 extensions –265 million downloads, ~20 million daily usage for AdblockPlus Unrestricted access to privileged resources 2Rezwana Karim

3 Problems in legacy extensions 3 www.evil.com Insecure Programming Practice  Exploitable vulnerability [Barth et al., NDSS‘10] [bhandhakavi et al., Usenix Security‘10] Rezwana Karim

4 Legacy extension architecture 4Rezwana Karim Web page Extension Code (Content Script + Chrome Script) Interact with Web pages Access sensitive resource Chrome: JavaScript code executing within the extension Content: JavaScript code on the web page Sensitive resources

5 Modern extension architecture 5Rezwana Karim Content Proxy Web page Content Scripts Content Process Chrome Process Chrome Scripts Invoke content scripts Load content scripts Send/Receive JSON data from chrome scripts Communicate with content scripts Interact with Web pages Access sensitive resources Sensitive resources Privilege Separation Principle of least authority (POLA) manifest

6 Modern extension architecture (cont’d) 6 Goal –Limit ill effect of vulnerability –Ease development process Example –Mozilla’s Jetpack for Firefox –Google Chrome extension architecture Rezwana Karim

7 Developer’s expertise affect extension security 7 Insecure programming practice can lead to vulnerabilities in modern extension File Network Main Rezwana Karim [Karim et al., ECOOP‘12]

8 Problem Legacy extension is unsafe –~9000 popular legacy extensions Modern extension –Enhanced security guarantee –Compatible with future browser architecture Rewrite from scratch –Not preserving the investment in legacy extension Manual transformation –Time consuming, labor-intensive –Deep and clear understanding of differences between two programming models –Developing secure, modern extension demands developer’s expertise 8Rezwana Karim

9 Morpheus Automated transformation toolchain –Static dataflow analysis of legacy code –Rewrite code to conform to the structural constraints of modern extensions Goal –Improve security by adhering to security principles in Jetpack modules POLA Privilege separation –Preserve functionality and UI Successfully ported 52 real-world legacy extensions to modern extension framework 9Rezwana Karim

10 Design challenges Privilege Separation Principle of Least Authority(POLA) Policy Enforcement –Fine-grained access control –Prevent/ Block potentially dangerous information flow Preserve UI

11 Challenge 1: Privilege Separation Chrome/content partition –Object context/privilege may vary within a single statement –Synchronous vs. asynchronous communication Partition monolithic code into isolated JavaScript(JS) modules –Increase the minimum number of modules to be compromised –Minimize privilege-variation in a module –Handle globals resulted from refactoring 11Rezwana Karim

12 Chrome/content partition: solution 12 Legacy Modern Rezwana Karim Static dataflow analysis to identify object’s context Rewrite property access with accessor Opaque identifiers for shared objects Modified content proxy for emulating synchronous communication over asynchronous channel.getProperty(‘contentDocument’) gBrowser contentDocument Content Proxy Chrome Content Asynchronous communication gBrowser.contentDocument

13 Partition code into modules Core modules –For each privileged browser API –Encapsulate privileged object User modules –Extracted from legacy code –Ideal: privilege-based partition Complex analysis –Heuristic: Group related functionality Capture developer’s intent Object ownership GlobalGET/GlobalSET construct for accessing globals 13 Analyze legacy code Identify user module and its usage Rewrite references Wrap sensitive resource access to use core modules Rezwana Karim

14 Jetpack architecture in Morpheus 14Rezwana Karim Content Proxy Web page Content Scripts Content Process Chrome Process Chrome Scripts Invoke content scripts Load content scripts Send/Receive JSON data from chrome scripts Communicate with content scripts Interact with Web pages Access sensitive resources Sensitive resources Core module wraps access to sensitive resources manifest Policy Checker Core Modules

15 Challenge 2: Conformance to POLA Only required modules are imported No reference leak across module interface –Encapsulate privileged object –Exposes only accessor methods; returns Primitive values An instance of a module Generate Manifest

16 Module template... getProperty: function() { var propertyName = arguments[0]; var violated = policyChecker.check(, propertyName); if(violated) return {}; var ref = table.getReference(this.id); switch(propertyName) { case ’ ’: var retval = ref[propertyName]; var newref = ; table.setReference(newref.id, retval); return newref;... /* more case statements */ default: return null; } }... 16Rezwana Karim

17 Rewriting rules Rule R1: import module ξ is sensitive-resource-access expression m := get-module-name(ξ) ξ′ := require (’m’) Rule R2: method invocation with invoke ξ is method invoke expression in AST T o := object(ξ), o is sensitive OR o is in content μ := method(exp), α := arguments(exp) ξ′ := o.invoke(’μ’, α) 17Rezwana Karim

18 Rewriting rules (cont’d) Rule R3: Property access with getProperty, setProperty ξ is property-access expression in AST T o := object(ξ), o is sensitive OR o is in content prop := property(ξ) property-read(T, ξ) ξ′:= o.getProperty(’p’) property-write(T, ξ) v := value-to-store(T, ξ) ξ′:= o.setProperty(’p’, v) 18Rezwana Karim

19 Rewriting rules (cont’d) Rule R4: Global Access with GlobalGET, GlobalSET ξ is global-access expression in AST T Global-read(T, ξ) ξ′:= GlobaGET (’ξ’) Global-write(T, ξ) v := value-to-store(T, ξ) ξ′:= GlobaSET (’ξ’, v) 19Rezwana Karim

20 Core module usage 20Rezwana Karim file module var file = fileSystemsPtr; var _module_ = { invoke: function(methodName, args){... //switch case },...} exports.module = _module_; main.js var data = fileSystemPtr.read(‘zip.txt’); require(‘file’).module. invoke(‘read’, ‘zip.txt’); Identify sensitive resource usage Replace with core module

21 Extracting user module Identifies and groups related functionality into a single module 21Rezwana Karim main.js function readZipCodeFromFile(location){...} var Weather = {... getWeatherData:function(zipcode){... return Weather.requestDataFromServe(zipcode); }, requestDataFromServer: function(zipcode){...}, } function showWeather(){... var temperature = Weather.getWeatherData(zipcode);... } var Weather = require(‘user/Weather’).module; GlobalSET(’Weather’, Weather); Weather.invoke( ‘getWeatherData’, zipcode);

22 Extracted user module 22 Weather module var _object_ = {... getWeatherData: function(zipcode){ return GlobalGET(’Weather’).invoke (’requestDataFromServer’, zipcode); }, requestDataFromServer: function(sendData){... } exports.module = wrap(_object_); //wrap() returns object with same interface as in shown in module template Rezwana Karim

23 Challenge 3: Policy checker 23Rezwana Karim CHECK Module: m Property: p ArgList: α α[‘file-path’] allowed? α[‘url’] allowed? violating source(m’, p’, α’) already accessed? m = ‘file’ p = ‘read’ m = ‘network’ p = ‘open’ (m, p, α) is sink Yes No

24 Preserve UI Analyzes legacy extension’s XUL overlay file, resource URI, CSS, icons Generates JS code to dynamically modify the browser’s UI 24Rezwana Karim ... var sb = document. getElemenById(‘sb’); sb[“onclick”]=function(){ alert(‘Hi’); } Legacy XUL code Generated JS code

25 Security properties ProviderProperty P1Isolated Jetpack modules P2JetpackThe set of privileges a module depends on imported (i) user modules (ii) core modules and (iii) direct access to sensitive resource P3Module privilege is fixed at runtime P4Modules lie in chrome space and separated by process from Web page content 25 Limit vulnerability effect only to compromised module Increases the minimum number of modules to be compromised Rezwana Karim

26 Security properties(cont’d) ProviderProperty P5Only core module can directly access a sensitive resource P6Each core module is limited to encapsulates reference to only one sensitive resource P7MorpheusCore modules can not import any user module P8Each module exports only an opaque identifier and accessor methods P9 Reference to the sensitive objects are stored within a designated module P10Policy checker Access to a particular sensitive resource by a core module is mediated by security policy 26Rezwana Karim

27 Module level privilege computation Let, P(m) : the set of privileges that can be accessed by a module m m → x : module m has direct access to sensitive resource x m i → m j : module m i imports module m j U: set of user modules m u in an extension, C: set of core modules m c in an extension and U ∩ C = ϕ LP(m u ) : leaked privileges from user module m u Core module User module 27Rezwana Karim P(m) := { P(x) | m → x } U P(m) := { P(m c ) | m→m c } P(m) := { P(x) | m → x} U { LP(m u ) | m→m u } U { P(m c ) | m→m c } { P(m c ) | m→m c }

28 Security analysis of transformed DisplayWeather extension 28 File Network Weather Main Sensitive resources Policy Checker Rezwana Karim network file network file Login Manager password password.txt

29 Implementation 29Rezwana Karim 13400 lines of JavaScript(JS) 10,500 lines implementing 100 core modules 380 lines of Shell script for automation Tools Used : node.js, doctorJs, narcissus

30 Evaluation Goals –Correctness of the transformation –Conformance to the POLA –Effectiveness of user module extraction –Effectiveness of policy-checker Dataset –Extensions developed using JavaScript, HTML, XUL, CSS –52 Legacy extensions: 50 real-world, 2 synthetic 30Rezwana Karim

31 Correctness of transformation 31Rezwana Karim Exercised advertised functionality –Installed the Jetpack extension –Observed the results of interaction with the extension’s UI All transformed (Jetpack) extensions retains advertised functionality

32 Conformation to POLA Violation of POLA if: Module a leaks references to privileged objects Module b imports module a Module b becomes more privileged and violates POLA Used Beacon to verify that no module leak reference to privileged objects 32 [Karim et al., ECOOP‘12] Rezwana Karim

33 Effectiveness of user module extraction 33Rezwana Karim Privilege separation in user modules Number of Core Modules

34 Modules accessing multiple categories of core modules 34Rezwana Karim Categories I : Application II: Browser III: DOM IV: I/O V: Security VI: Misc.

35 Runtime policy checking PolicyGeneric# extensions Contact only specified remote serverNo3 Access only files in profile directory as advertisedNo1 Cannot access preference branch other than its own Yes2 Cannot contact server if the extension has already accessed file system Yes1 Cannot contact server if the extension has already accessed LoginManager Yes1 Cannot contact server if the extension has access browsing history Yes1 Cannot contact server if the extension has access browser cache Yes2 35

36 Summary Thousands of popular extensions built on Legacy extension architecture are unsafe Modern extension architecture enhances security Manual transformation is tedious, error-prone, requires deep knowledge Morpheus, an automated toolchain –Systematically transforms legacy extension code into JavaScript modules that satisfy the security principle –Introduces a policy checker framework –Successfully ported 52 popular legacy extensions 36Rezwana Karim

37 Thank you rkarim@cs.rutgers.edu

38 Related work Information flow analysis of extension –SABRE [Dhawan et al., ACSAC’09] –VEX [Bhandhakavi et al., Usenix Security‘10] Static analysis of JavaScript –Gatekeeper [Guarnieri et al., Usenix Security’09] –ENCAP [Taly et al., Oakland‘11] Study of Chrome extension architecture –Chrome extension analysis [Yan et al., NDSS’12] Runtime Policy enforcement –Sentinel [Onarliuglu et al., DIMVA’13] –Malware extensions [Louw et al., Journal of Computer Virology’08] Privilege Separation –Privtrans [Brumley et al., Usenix Security’04] –Swift [Chong et al., SigOPS OP. Sys. Rev.] 38 Rezwana Karim

39 Transforming legacy code 39 Node n in AST Expression ξ Rewrite with ‘require’ o := object(ξ) o is sensitive OR o is in content Rewrite with ‘getProperty’/ ’setProperty’ o := object(ξ) o is sensitive OR o is in content Rewrite with ‘invoke’ Rewrite with ‘require’ Extract User module Rewrite with ‘GlobalGET’ / ‘GlobalSET’ Sensitive resource invoke Property access Method invoke Object Literal Global access Rezwana Karim

40 Future directions 40Rezwana Karim Performance optimization of transformed extension Code maintenance and improve readability Verifying program transformation Consider access to sensitive resources in modules construction Use modules provided by Jetpack framework

41 Legacy vs modern extension: Architectural differences LegacyJetpack Unified JavaScript HeapCollection of isolated modules Chrome and content in same heapChrome and content in separate process Synchronous communicationAsynchronous communication Directly access any sensitive resourceExplicitly ask for privilege to access sensitive resource and import concerned module XML User Interface Language (XUL) based UI No XUL, UI modification done in JavaScript 41Rezwana Karim Chrome: JavaScript code executing within the extension Content: JavaScript code on the web page

42 Module level privilege computation Let, P(m) : the set of privileges that can be accessed by a module m m → x : module m has direct access to sensitive resource x m i → m j : module m i imports module m j U: set of user modules m u in an extension, C: set of core modules m c in an extension and U ∩ C = ϕ LP(m u ) : leaked privileges from user module m u P(m) := { P(x) | m → x} U { LP(m u ) | m→m u } U { P(m c ) | m→m c } 42Rezwana Karim

43 Core module privilege P5: Only core module can directly access a sensitive resource P6: Each module exports only an opaque identifier and accessor methods P7: Core modules can not import any user module P9: Reference to the sensitive objects are stored within a designated module 43 P(m) := Rezwana Karim { P(x) | m → x } { LP(m u ) | m→m u } U { P(m c ) | m→m c } U { P(x) | m → x } x: sensitive resource m u: user module m c: is core module

44 User module privilege P5: Only core module can directly access a sensitive resource P8: Each module exports only an opaque identifier and accessor methods 44 P(m) := { P(x) | m → x } { LP(m u ) | m→m u } U { P(m c ) | m→m c } U Rezwana Karim x: sensitive resource m u: user module m c: is core module


Download ppt "Retargetting Legacy Browser Extensions to Modern Extension Framework Rezwana Karim, Vinod Ganapathy Computer Science, Rutgers University Mohan Dhawan IBM."

Similar presentations


Ads by Google