Presentation on theme: "Hulk: Eliciting Malicious Behavior in Browser Extensions"— Presentation transcript:
1 Hulk: Eliciting Malicious Behavior in Browser Extensions Alexandros Kapravelos◊, Chris Grier†*, Neha Chachra‡, Christopher Kruegel◊, Giovanni Vigna◊, Vern Paxson†*◊UC Santa Barbara, †UC Berkeley, ‡UC San Diego *International Computer Science Institute23rd USENIX Security Symposium (Aug., 2014)
2 Outline Introduction Background Architecture Results 2014/5/19OutlineIntroductionBackgroundArchitectureResultsProfiting from maliciousnessRecommendationsRelated work
3 2014/5/19IntroductionAll major web browsers today support broad extension ecosystems that allow third parties to install a wide range of modified behavior or additional functionality.Some browsers have online web stores to distribute extensions to users.In this paper, we examine extensions for Google Chrome that are designed with malicious intent.
5 Installing extensions 2014/5/19Installing extensionsExtensions can be installed via the official Chrome web store, by user manually, or sideloaded by third-party programs.Chrome version 25 (Feb.,2013) included changes to prevent silent installation of Chrome extensions, requiring user confirmation.Chrome version 35 (May, 2014) took further steps to prevent sideloading by requiring all installed extensions to be hosted in the Chrome Web Store.
6 Extension permissions 2014/5/19Extension permissionsChrome requires extensions to list the permissions needed to access the different parts of the extension API.webRequest: Allows the extension to "observe and analyze traffic and to intercept, block, or modify requests in- flight"
8 2014/5/19ArchitectureHulk dynamically loads extensions in a monitored environment and observes the interaction of extensions with the loaded web pages.Using a set of heuristics to identify potentially dangerous behavior, it labels extensions as malicious, suspicious, or benign.Automatically install extensions and instrument activity during web browsing using an instrumented browser.啟發法
9 2014/5/19URL extractionLook for URLs in the manifest, and search for URLs in the source code as well.Also, visit a set of popular websites which may targeted by the malicious plugin.
11 Event-based execution 2014/5/19Event-based executionHoneyPages will not trigger callbacks for network events that require special properties, such as a specific URL or HTTP header.By invoking all event callbacks that an extension registers in the chrome.webRequest API with mock event objects and pointing to a background HoneyPage, we can monitor changes extensions attempts to make.
13 2014/5/19Content scriptsBy intercepting all additional code introduced by the extension in the context of the visited page, we can monitor if the extension fetch remote scripts.disables static analysis
14 Network logging Request URLs may be computed in at runtime. 2014/5/19Network loggingRequest URLs may be computed in at runtime.We use a transparent proxy that intercepts all browser HTTP and DNS traffic to log the requests made during extension execution.
15 Detecting malicious behavior 2014/5/19Detecting malicious behaviorExtension API:Uninstalling other extensionsPreventing uninstallation of the current extension (blocking chrome://extensions)Manipulating HTTP headers by eemoving security-related HTTP header, such as Content-Security-Policy or X-Frame-Options is classified as malicious.To prevent uninstallation, malicious extensions interfere with tabs that point to the extension configuration page, chrome://extensions,either by replacing the URL with a different oneCleaners
17 Network level Request errors (suspicious). 2014/5/19Network levelRequest errors (suspicious).May be used for drive-by downloads.Modification of HTTP requests (malicious).Common seen on shopping-related extensions.Detect header modification by comparing packets received by the OS and by the browser.
18 Injected Content Analysis 2014/5/19Injected Content AnalysisThe injected script runs in the context of the visited page and thus has full access to its DOM tree.By using HoneyPages, we can understand the injected scripts’ intentions.For example, if the injected code looks for a form field with the name “password,” it is classified as malicious.
19 Results Two sources of extensions: 2014/5/19ResultsTwo sources of extensions:The official Chrome Web Store (totaling 47,940 extensions)Extensions sideloaded by binaries. (392 unique extensions)(Anubis)Hulk labeled 130 as malicious and 4,712 as suspicious.Benign extensions do not differ significantly from permissions requested by malicious/suspicious ones.
21 2014/5/19Permissions usedMost commonly used permissions:
22 2014/5/19Permissions used18,313 extensions that use host permissions to restrict on which pages the extension can use the privileged chrome.* API.Extensions typically request broad permissions using wildcards in URL patterns.
24 2014/5/19API callsTop 15 Chrome Extension API calls made during by extensions during the experiments.
26 2014/5/19Extension managementSeveral extensions on the Chrome Web Store prevent uninstallation.“HD Video Player” (7,173 users).“SmartScreen Video Plugin” (11,012 users).“No Tab Left Behind” (only 8 users)(false positive).
27 2014/5/19Code injectionMore than 3,000 extensions that dynamically introduced remotely-retrieved code either through script injections or by evoking eval.An extension named “Bang5TaoShopping assistant” (5.6M users) injects code into every visited page.
28 Profiting from maliciousness 2014/5/19Profiting from maliciousnessAd Manipulation:The addition of new ads as well as the replacement of existing ads or identifiers with the same size images.“SimilarSites Pro” (1.8M users), used obfuscated scripts to replace ads (728x90) in popular websites.Other similar scripts, all under a company called “SimilarGroup.”
29 Profiting from maliciousness 2014/5/19Profiting from maliciousnessAffiliate Fraud:Many major merchant web sites such as amazon.com, godaddy.com, and ebay.com run affiliate programs.Affiliate programs usually associate a cookie with the user’s browser.Malicious extensions do “cookie stuffing” — a technique that causes the user’s browser to visit the merchant URLs without the user clicking on affiliate URLs.“*Split Screen*” (52K users), sets the referrer header for requests.“Give as you Live” (11K users), however, is a charity campaign.
30 Profiting from maliciousness 2014/5/19Profiting from maliciousnessInformation theftOnline social network abuse:Extensions use existing authentication data to interact with online social networks.“WhasApp”, an extension spams Facebook and Tumblr, sideloaded by malware.
31 2014/5/19RecommendationsExtensions should not have the ability to manipulate browser configuration pages, such as chrome://extensions.Extensions should also not be allowed to uninstall other extensions.Extensions should not be allowed to remove HTTP security- related headers.Extensions should not have the ability to hook all keyboard events on a given site.
32 Limitations Hulk uses dynamic analysis for analyzing extensions. 2014/5/19LimitationsHulk uses dynamic analysis for analyzing extensions.Can not address cloaking that loads different code based on the client’s location or time.Can not observe behavior that depends on specific targets.Hulk’s HoneyPages do not currently support multistep querying of DOM elements.
33 Related work Anubis, malware analysis for unknown binaries. 2014/5/19Related workAnubis, malware analysis for unknown binaries.Further work has examined the success of the Chrome extension architecture at preventing damage and the ability of developers to correctly request privileges for their extensions.Current permission system does not prevent an overtly privileged malicious extension from executing malicious code.Adware vendor may purchase an extension, update it with malicious one.