Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University.

Similar presentations

Presentation on theme: "Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University."— Presentation transcript:

1 Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University

2 JavaScript-based Extensions (JSEs) Modern browsers support extensions – JavaScript-based Extensions Hugely popular – 1.5 bn JSEs downloaded, 150 - 190 mn used daily [Mozilla Add-ons Statistics Dashboard]

3 JSEs: A Security Risk Unrestricted access to system resources Hard to detect malicious code Inadequate sandboxing of JSE actions: JSEs execute with the full privileges of the browser Lack of good development and debugging tools for JSE Sensitive Malicious JSEs can cause loss of sensitive data Vulnerable JSEs can be exploited by remote attacker Malicious JSE Vulnerable JSE Sensitive

4 Outline Introduction Motivating Example Solution Evaluation Conclusion

5 GreaseMonkey Highly popular Firefox extension – nearly 3 million active daily users [Mozilla Add-ons Statistics Dashboard] Exports a set of APIs for users to customize and program the way web pages look and function

6 GreaseMonkey/Firefox Vulnerability Alice Sensitive Exploited JSEs can lead to disclosure of confidential data Firefox with GreaseMonkey GreaseMonkey

7 Proof-of-Concept Attack: Just 20 lines

8 GreaseMonkey / Firefox Vulnerability Firefox Bug – watch allows scripts to register code to be executed when a property on some other object is assigned. watching the window object for the point at which APIs are added, a malicious script can use those functions at the moment they are attached. GreaseMonkey Solution – Sandbox prevents scripts on webpages to access APIs User scripts can change the properties of an object without any JavaScript on the web page being able to see it

9 Firefox Sniffer (FFsniFF) – A Malicious JSE Sniffs all form fields Emails them to the attacker ******** Submit to the website Firefox with FFsniFF

10 Outline Introduction Motivating Example Solution Evaluation Conclusion

11 Prior Work Access control to guard against JSE behavior – Ter-Louw et al. (Journal of Virology, 2008) – Hallaraker and Vigna (ICECCS, 2005) Coarse grained → false positives and negatives Data Cookies

12 Recent related work Google Chrome extension security model – Aims to protect against vulnerable extensions Two key principles: – Separation of duty: Split an extension into multiple components, based on functionality – Least privilege: Give each component only the access rights needed to achieve its task New extension model: So extensions need to be written from scratch

13 Solving the GreaseMonkey Problem Alice Sensitive 1.Mark data as sensitive 2.Take action when sensitive data is sent out Firefox with GreaseMonkey GreaseMonkey

14 Our Solution Security Architecture for Browser Extensions (Sabre) – Attach security labels with each JavaScript object – Track the propagation of these labels – Take action when a sensitive object is externalized Enhance browser with JavaScript information flow analysis

15 Security Labels Sensitivity Level Provenance File System User Interface Network File System HIGH JSE Sabre Information flows from sources to sinks.

16 Sources

17 Sinks Obtained sources and sinks from Netscape’s JavaScript data tainting project [circa 1998] And added some of our own

18 Challenges in Real JSEs 1.Cross - Domain Flows 2.Benign Flows 3.Provenance 4.Implicit Flows

19 Challenge 1: Cross – Domain Flows Necko User Interface XPConnect XPCOM DOM Network Engine User Interface Extension Rendering Engine Inter-Component Communication JavaScript Engine DOM Persistent Data JavaScript in a JSE can interact with other browser sub- systems var cookieMgr = Components.classes.[“;1”]. getService(Components.interfaces.nsICookieManager); cookies.txt

20 var cookieMgr = Components.classes.[“;1”]. getService(Components.interfaces.nsICookieManager); Problem : Label propagation for objects and properties not managed by JavaScript Solution : Assign sensitivity label of component to JavaScript objects – JavaScript can interact and store data in the DOM Modify the DOM to store security labels also Challenge 1: Cross – Domain Flows (Object Access)

21 Challenge 1: Cross – Domain Flows (Method Access) sis.init(is); // initializes a nsIScriptableInput object // using a nsIInputStream object Problem : Label propagation across methods not managed by JavaScript Solution : Implement function summaries to specify label propagation rules – Sabre supports 127 cross-domain function models

22 Challenge 2: Benign Flows Benign JSEs may contain flow violations – PwdHash [Usenix Security ‘05] ******* PwdHash SHA1(pwd||domain) ******* *********** SHA1(pwd||url_one) SHA1(pwd||url_two)

23 Challenge 2: Benign Flows Disallowing them could render JSE dysfunctional Problem : How to identify such flows? – Difficult to isolate malicious / benign behavior at runtime Solution : Security analyst supplies a security policy to white-list trusted JSEs or declassify specific objects De-classification of password field in PwdHash

24 Challenge 3: Provenance Origin of the script – Needs to be determined only once at the time of dispatching the script for execution JSEs contain overlays – Describe patches for the UI and contain JavaScript code – Event - driven and not explicitly dispatched for execution Problem : Track provenance for “all” JavaScript including code in JSE overlay files Solution : Per bytecode provenance tracking, or separately verify the overlay files

25 Problem : handling direct control dependencies? Solution : Labeled Scope Label(lhs) = Label(rhs) U Label(scope) Challenge 4: Implicit Flows

26 Problem : How to deal with all implicit flows? Solution : Static analysis – Future work to enhance Sabre with support for static analysis

27 Outline Introduction Motivating Example Solution Evaluation Conclusion

28 Evaluation: Goals Effectiveness – Classify behavior of benign JSEs – Determine information flow violations in malicious JSEs Performance – Impact on JavaScript performance – Compare overhead due to per-bytecode provenance check for overlay code

29 Evaluation: Methodology Evaluated Sabre using a suite of 24 JSEs – Comprising over 120K lines of JavaScript code Enhance the browser with the JSE being tested and examine any flow violations Test Setup – Integrated Sabre with Firefox – 2.33Ghz Intel Core2 Duo, 3GB RAM, Ubuntu 7.10

30 Results: Categorizing Benign JSEs 1.HTML Forms 2.Network Messages 3.File System 4.Load URLs 5.JavaScript Events White-listing / De-classification of trusted JSEs is essential

31 1: HTML forms

32 2: Network Messages Transfer data over network – HTTP channels – XMLHttpRequest USE – Get security updates, weather reports MISUSE – Send user’s confidential data, browsing patterns

33 3: File system accesses File System – Read / write files to persistent data store USE – Save JSE data in user preferences, manage files MISUSE – Save malicious files, steal sensitive data like cookies

34 4: Loading URLs Load URLs – monitor user activity (keystrokes, hyperlinks clicked) – load URL based upon this activity USE – Useful functionality for many JSEs, e.g. PDF Download MISUSE – initiate a drive-by-download attack by loading an untrusted URL

35 5: JavaScript events JavaScript Events – JavaScript code on a web page can communicate with JSEs via events USE – JSEs can listen for specific events from scripts on web pages MISUSE – JSE can send sensitive data to script on webpage

36 Results: Accuracy Vulnerable & Malicious JSEs – GreaseMonkey v0.3.3 – Firebug v1.01 – FFsniFF – BrowserSPY Result – Precisely identified all flow violations – No false positives during normal web browsing

37 Results: Performance Overheads

38 Outline Introduction Motivating Example Solution Evaluation Future work and Conclusion

39 Future work: Sabre enhancements Static analysis of JavaScript. Can benefit: – Precision of analysis: Will help discover implicit information flows – Speed of analysis: Use summaries that capture information flow properties of frequently- executed code fragments Diagnosis of information flow alerts to automate the placement of declassifiers

40 Future work: Containing third-party JavaScript using Information Flow Current Work Mashups

41 41 Conclusion Exploited JSEs can cause loss of sensitive information Policy-based access control is coarse grained and overly restrictive Sabre uses information flow tracking across browser sub-systems to prevent security violations in untrusted JSE code

42 Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Published in Proceedings of the 25 th Annual Computer Security Applications Conference, December 2009 Thank you

Download ppt "Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University."

Similar presentations

Ads by Google