Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting Browsers from Extension Vulnerabilities (NDSS 2010) Adam Barth, Adrienne Porter Felt, Prateek Saxena University of California, Berkeley {abarth,

Published byShavonne Malone Modified over 8 years ago

Similar presentations

Presentation on theme: "Protecting Browsers from Extension Vulnerabilities (NDSS 2010) Adam Barth, Adrienne Porter Felt, Prateek Saxena University of California, Berkeley {abarth,"— Presentation transcript:

1 Protecting Browsers from Extension Vulnerabilities (NDSS 2010) Adam Barth, Adrienne Porter Felt, Prateek Saxena University of California, Berkeley {abarth, afelt, prateeks}@eecs.berkeley.edu Aaron Boodman Google, Inc. aa@google.com Presented by: Edmund Warner March 29, 2011 University of Central Florida

2 Acknowledgements Figures and tables are taken directly from the paper. mozilla.org for specific information on Firefox used for this presentation

3 Let's talk about Firefox Nearly one third of Firefox users run extensions That's about 90 million users running extensions Skype Toolbar Twitterfox Weatherbug Extensions change the browsing experience Makes changes to the user interface Interacts arbitrarily with many websites This creates a large attack surface!

4 Let's talk about Firefox When extensions are loaded in Firefox, many are done so with the browser's full priveleges If an attacker were to compromise the extension, he could usurp control of it's broad priveleges and use them to install malware on the user's machine Most extension developers are not security experts

5 The Study 25 extensions were chosen from the most popular of the 13 categories in Firefox: Adblock Plus 1.0.2, Answers 2.2.48, AutoPager 0.5.0.1, Auto Shutdown (InBasic) 3.1.1B, Babel Fish 1.84, CoolPreviews 2.7.4, Delicious Bookmarks 4.3, docked JSConsole0.1.1, DownloadHelper 4.3, Download Statusbar 2.1.018, File and Folder Shortcuts 1.3, Firefox Showcase 0.3.2009040901, Fission 1.3, Glue 4.2.18, GoogleEnhancer 1.70, Image Tweak 0.18.1, Lazarus: Form Recovery 1.0.5, Mouseless Browsing 0.5.2.1, Multiple Tab Handler 0.9.5, Quick Locale Switcher 1.6.9, Shareaholic 1.7, Status-bar Scientific Calculator 4.5, TwitterFox 1.7.7.1, WeatherBug2.0.0.4, and Zemanta 0.5.4. Only 3 of these require the brrowser's full priveleges The rest are over-priveleged

6 How can Extensions be Compromised? The paper gives 4 methods of exploiting Firefox extensions: Cross-Site Scripting Using eval or document.write without sanitizing the input can cause a script to be able to be injected into the extension Replacing Native APIs Attacker can trick the extension and replace the DOM APIs with its own Behaves just like the original, but can trick it into performing a misdeed JavaScript Capability Leaks If it leaks an object to a malicious web page, the attacker can gain access to other objects Mixed Content Can hijack and replace HTTP scripts in orrder to install malware

7 Plan of Attack First, give developers a template to follow Lessen the attack space to aim for Second, use the new build to limit the priveleges given to these extensions If the extension does get compromised, the attack has no more priveleges than the extension used before

8 Extension Design Template Three parts: Content Script – interacts closely with potentially malicious input, but can only send messages to the extension core Extension Core – contains most web priveleges, but on interacts with web content through the Scripts. Also, it doesn't have host access Native Binary – contains host priveleges, but only interacts through the extension core

9 Limiting Priveleges The table below represents the 25 extensions surveyed. To explain the zones: Critical: Can run arbitrary code on the user’s system (e.g., arbitrary file access) High: Can access site-specific confidential information (e.g., cookies and password) or the Document Object Model (DOM) of all web pages Medium: Can access private user data (e.g., recent history) or the DOM of specific web pages Low: Can annoy the user None: No security privileges (e.g., a string) or privileges limited to the extension itself

10 Limiting Priveleges Only 3 extensions showed critical-level behavior, which are all download managers. None of these, however, require arbitrary file access. The above demonstrates just how much privelege can be abused.

11 Limiting Priveleges In order to combat this potential abuse, limitations are built into the extension manifest For instance, a Gmail checker extension needs access to google.com subdomains and the tabs API Instead of allowing it to make the requests at run-time with full priveleges, build it into the manifest “permissions”: “tabs” “http:// *.google.com/” “https:// *.google.com/” Now it can only access what we allow it to access.

12 Isolation The system also uses three components to isolate its parts from web content, and from each other We run the extension core in a unique origin designated by a public key We run the extensions core and native binaries in their own processes Content scripts run in a separate content heap than untrusted web content

13 Public Keys We assign an “origin” via public key to the extension's URL. For example: chrome-extension://askhjsbasydblsdlfhfb/ This reduces the attack surface and simplifies extension signing Also, it makes updating extensions easier Same priveleges, same key – simple replacement However, the process starts from scratch if the internal components are asking for more priveleges

14 Process Isolation Each component runs in a different process Extension Core and Native Binaries are in different processes Content Scripts run in the same process associated with the web page Protection is two-fold Protects the core from browser errors because JavaScript objects cannot leak between processes Protects against low-level exploits like buffer overflows

15 Isolated Worlds Each content script runs the DOM with its “own” JavaScript objects Therefore, content scripts and web pages never exchange pointers Now, if a DOM method is called, both objects will be updated, but if a website called a non-standard method, it does not carry.

16 Performance Separating extensions could add overhead when you need to access multiple components Sending a signal from content script to the extension core and back observed a round-trip latency of 0.8 ms on average With the isolated worlds mechanism, they observed a round-trip latency of 309 ms as opposed to 239 ms without

17 Weaknesses Firefox has 5,594 extensions 25 only samples 0.45% of the population Popular doesn't always mean best developed No definitive talk on how secure their solution is Might be a misnomer because the solution presented mainly just reduces the consequences for exploits An attacker can still build the priveleges into his own extension or compromise and “update” an existing one – Add under “permissions”: “http://www.attacker.com/” “downloads”

18 Contributions Google Chrome Add-on for Firefox: Chromifox Google Chrome Browser Extension design now has a template to follow

19 Improvements Give a “format” to the Public Key if the extension updates require more priveleges. Test it further. Compare security between formatted and unformatted extensions

Download ppt "Protecting Browsers from Extension Vulnerabilities (NDSS 2010) Adam Barth, Adrienne Porter Felt, Prateek Saxena University of California, Berkeley {abarth,"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security.

Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
ICE Interposing on Chrome Extensions Ryan Lopopolo Edgar Salazar William Ung 6.858 Final Project.

ICE Interposing on Chrome Extensions Ryan Lopopolo Edgar Salazar William Ung Final Project.
Hulk: Eliciting Malicious Behavior in Browser Extensions

Hulk: Eliciting Malicious Behavior in Browser Extensions
張逸文 P ROTECTING B ROWSERS FROM E XTENSION V ULNERABILITIES NDSS 2010 Adam Barth, University of California, Berkeley Adrienne Porter Felt, University of.

張逸文 P ROTECTING B ROWSERS FROM E XTENSION V ULNERABILITIES NDSS 2010 Adam Barth, University of California, Berkeley Adrienne Porter Felt, University of.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Hack Firefox to steal web-secrets Sunil Arora. How many of you use Firefox ?

Hack Firefox to steal web-secrets Sunil Arora. How many of you use Firefox ?
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Similar presentations

Ads by Google