The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Similar documents
Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

Protecting Users by Confining JavaScript with COWL

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Modern client-side defenses. Deian Stefan

Chrome Extension Security Architecture

The security of Mozilla Firefox s Extensions. Kristjan Krips

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

A Haskell and Information Flow Control Approach to Safe Execution of Untrusted Web Applications

An Evaluation of the Google Chrome Extension Security Architecture


Extending the Web Security Model with Information Flow Control

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Extending the browser to secure applications

October 08: Introduction to Web Security

1 Post-Installation Configuration Tasks

Web basics: HTTP cookies

Software security in the Internet of things

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Asbestos Operating System

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Content Security Policy

IronWASP (Iron Web application Advanced Security testing Platform)

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Overtaking Google Desktop Leveraging XSS to Raise Havoc. 6 th OWASP AppSec Conference. The OWASP Foundation

Access Control for Plugins in Cordova-based Hybrid Applications

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web basics: HTTP cookies

Browser code isolation

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

COMP9321 Web Application Engineering

Browser Support Internet Explorer

XHound: Quantifying the Fingerprintability of Browser Extensions. Priyankit Bangia Software Engineering. By Oleksii Starov & Nick Nikiforakis

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Solutions Business Manager Web Application Security Assessment

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

HTML CS 4640 Programming Languages for Web Applications

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

HTTP Security Headers Explained

FCSLA PRODUCER GATEWAY

Lesson 4: Web Browsing

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Ex-Ray: Detection of History-Leaking Browser Extensions

Secure Frame Communication in Browsers Review

Information Security CS 526 Topic 8

Flexible Dynamic Information Flow Control in Haskell

MANTRA REGISTERED DEVICE SERVICE ANDROID MANTRA SOFTECH INDIA PVT LTD

Information Security CS 526 Topic 11

Validation of Web Alteration Detection using Link Change State in Web Page

Inline Reference Monitoring Techniques

Privacy-ABC Technologies on Mobile Phones

COMP9321 Web Application Engineering

DreamFactory Security Guide

WorldShare License Manager Release Notes. Administrative Actions... 2 Follow-up Actions... 2 New Features... 4

How Facebook knows exactly what turns you on

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Liferay Security Features Overview. How Liferay Approaches Security

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Chrome and IE comparisons

Assignment: Seminole Movie Connection

Confinement (Running Untrusted Programs)

Firefox for Nokia N900 Reviewer s Guide

Match the attack to its description:

Client-side Debugging. Gary Bettencourt

BOOSTING THE SECURITY

Installation & Configuration Guide Enterprise/Unlimited Edition

ASP.NET MVC Training

Wedge: Splitting Applications into Reduced-Privilege Compartments

Browser Guide for PeopleSoft

Privilege Separation in Browser Extensions Based on Web Workers

Integration Test Plan

Client Side Injection on Web Applications

Security and the Average Programmer

Fortify Software Security Content 2017 Update 4 December 15, 2017

SentinelOne Technical Brief

Chrome Conceptual Architecture Report

WEB SECURITY: XSS & CSRF

Integrity attacks (from data to code): Cross-site Scripting - XSS

P2_L12 Web Security Page 1

MarkLogic Server. Security Guide. MarkLogic 9 May, Copyright 2017 MarkLogic Corporation. All rights reserved.

Issues of Operating Systems Security

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

Navigate by Using Windows Explorer

Oracle Application Express 5 New Features

Maxoid: Transparently Confining Mobile Applications with Custom Views of State

CSCE 548 Building Secure Software SQL Injection Attack

C1: Define Security Requirements

Logging in from Home. Follow these steps:

RKN 2015 Application Layer Short Summary

McAfee MVISION Mobile Threat Detection Android App Product Guide

Privilege Escalation

Website Report for colourways.com.au

Micro Focus Desktop Containers

SEO Authority Score: 40.0%

20486: Developing ASP.NET MVC 4 Web Applications

Transcription:

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Modern web experience

Modern web experience

Modern web experience Web apps Extensions NYTimes Chase AdBlock Evernote Core browser

Web app security Trust model: malicious code NYTimes Chase Web APIs Core browser Apps are isolated according to same-origin policy Apps are constrained to Web APIs (e.g., DOM) They cannot access arbitrary files, devices, etc.

Extension security? NYTimes AdBlock Core browser Privileged APIs Extensions need direct access to app DOMs They modify app style, content, behavior, Extensions need privileged APIs To fetch/store cross-origin content, to read/modify history and bookmarks, to create new tabs, etc.

Chrome extension security model Trust model: extensions are benign-but-buggy NYTimes AdBlock Privilege separate extension: core and content Protects vulnerable extension from malicious apps Run extensions with least privilege Limits damage due to exploits

Least privilege via permission system Extensions declare necessary permissions { "name": AdBlock Plus", "version": "2.1.10",... "permissions": [ "http://*/*", "https://*/*", "contextmenus" ],... Users must grant permissions at install time

What does mean? Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com AdBlock must be a special case, right? 71.6% of top 500 extensions need this privilege!

What does mean? Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com AdBlock must be a special case, right? 71.6% of top 500 extensions need this privilege!

It gets worse with popularity 1.2 10000000 Fraction that can read and change 1 0.8 0.6 0.4 0.2 0 1 51 101 151 201 251 301 351 401 451 1000000 100000 10000 1000 100 10 Number of users (few days later) Top n extensions

It gets worse with popularity 1.2 10000000 Fraction that can read and change 1 0.8 0.6 0.4 0.2 0 % of n that can read and change all your data 1 51 101 151 201 251 301 351 401 451 1000000 100000 10000 1000 100 10 Number of users (few days later) Top n extensions

It gets worse with popularity 1.2 10000000 Fraction that can read and change 1 0.8 0.6 0.4 0.2 0 # of users % of n that can read and change all your data 1 51 101 151 201 251 301 351 401 451 1000000 100000 10000 1000 100 10 Number of users (few days later) Top n extensions

It gets worse with popularity 1.2 Removed from Chrome Web Store 10000000 Fraction that can read and change 1 0.8 0.6 0.4 0.2 0 # of users % of n that can read and change all your data 1 51 101 151 201 251 301 351 401 451 1000000 100000 10000 1000 100 10 Number of users (few days later) Top n extensions

Problem with Chrome s model Permission requests are meaningless Descriptions are broad and context-independent Model encourages principle of most privilege Extensions don t auto-update if they need more privs Threat model is not realistic Chrome Web Store listed many malicious extensions Roughly 5% of Google users run malicious extensions

Problem with Chrome s model Permission requests are meaningless Descriptions are broad and context-independent Model encourages principle of most privilege Extensions don t auto-update if they need more privs Threat model is not realistic Chrome Web Store listed many malicious extensions Roughly 5% of Google users run malicious extensions

Problem with Chrome s model Permission requests are meaningless Descriptions are broad and context-independent Model encourages principle of most privilege Extensions don t auto-update if they need more privs Threat model is not realistic Chrome Web Store listed many malicious extensions Roughly 5% of Google users run malicious extensions

New extension-system goals Meaningful permission system Safe behavior should not require permission Permissions requests should be content-specific Model should encourage least privilege Permissions should be fine-grained Incentivize safe extensions Threat model: extensions may be malicious Need to also protect user app data from extensions

New extension-system goals Meaningful permission system Safe behavior should not require permission Permissions requests should be content-specific Model should encourage least privilege Permissions should be fine-grained Incentivize safe extensions Threat model: extensions may be malicious Need to also protect user app data from extensions

New extension-system goals Meaningful permission system Safe behavior should not require permission Permissions requests should be content-specific Model should encourage least privilege Permissions should be fine-grained Incentivize safe extensions Threat model: extensions may be malicious Need to also protect user app data from extensions

How can we do this? Insight: it is safe for extension to read user data if it can t arbitrarily disseminate it E.g., Google Mail Checker Checker gmail.com Taint extensions according to what it reads Confine code to protect user s privacy

How can we do this? Insight: it is safe for extension to read user data if it can t arbitrarily disseminate it E.g., Google Mail Checker privacy Checker gmail.com Taint extensions according to what it reads Confine code to protect user s

How can we do this? Insight: it is safe for extension to read user data if it can t arbitrarily disseminate it E.g., Google Mail Checker privacy Checker gmail.com Taint extensions according to what it reads Confine code to protect user s

How can we do this? Insight: it is safe for extension to read user data if it can t arbitrarily disseminate it E.g., Google Mail Checker privacy Checker gmail.com Taint extensions according to what it reads Confine code to protect user s

How can we do this? Insight: it is safe for extension to read user data if it can t arbitrarily disseminate it E.g., Google Mail Checker privacy Checker gmail.com Taint extensions according to what it reads Confine code to protect user s

How can we do this? Insight: it is safe for extension to read user data if it can t arbitrarily disseminate it evil.gov E.g., Google Mail Checker privacy Checker gmail.com Taint extensions according to what it reads Confine code to protect user s

Safely read and modify pages?

Safely read and modify pages?

Safely read and modify pages? Idea: tie extension script with app page Impose at least same-origin policy on extension NYTimes AdBlock chase.com Challenge: read data from page and leak it by injecting content into page s DOM Solution: taint extension, write to isolated DOM Loads due to extension restricted: confined!

Safely read and modify pages? Idea: tie extension script with app page Impose at least same-origin policy on extension NYTimes AdBlock chase.com Challenge: read data from page and leak it by injecting content into page s DOM Solution: taint extension, write to isolated DOM Loads due to extension restricted: confined!

Confinement: safe, too restricting Challenge: extensions need to leak data E.g., Evernote is used to save URL, page, etc. Reading DOM taints extension: NYTimes Evernote evernote.com Solution: declassification via sharing menu API NYTimes

Confinement: safe, too restricting Challenge: extensions need to leak data E.g., Evernote is used to save URL, page, etc. Reading DOM taints extension: NYTimes Evernote evernote.com Solution: declassification via sharing menu API NYTimes

Confinement: safe, too restricting Challenge: extensions need to leak data E.g., Evernote is used to save URL, page, etc. Reading DOM taints extension: NYTimes Evernote evernote.com Solution: declassification via sharing menu API NYTimes

Confinement: safe, too restricting Challenge: extensions need to leak data E.g., Evernote is used to save URL, page, etc. Reading DOM taints extension: NYTimes Evernote evernote.com Solution: declassification via sharing menu API NYTimes

Confinement: safe, too restricting Challenge: extensions need to leak data E.g., Evernote is used to save URL, page, etc. Reading DOM taints extension: NYTimes Evernote evernote.com Solution: declassification via sharing menu API NYTimes Evernote

Confinement: safe, too restricting Challenge: extensions need to leak data E.g., Evernote is used to save URL, page, etc. Reading DOM taints extension: NYTimes Evernote evernote.com Solution: declassification via sharing menu API NYTimes Evernote evernote.com

Usable confinement via APIs Crypto API Convert tainted values to encrypted blobs (LastPass) Declarative CSS API Taint-oblivious styling changes Network filtering API Allow/deny network requests given regex (AdBlock)

How can permissions be more meaningful? Many extensions can be safe by default Confinement protects user privacy Incentivize developers by making warnings rare To capture remaining models: need permissions Use declassification as guide for informing messages: what data is being leaked? - E.g., URLS, page location, whole page, etc.

How can permissions be more meaningful? Many extensions can be safe by default Confinement protects user privacy Incentivize developers by making warnings rare To capture remaining models: need permissions Use declassification as guide for informing messages: what data is being leaked? - E.g., URLS, page location, whole page, etc.

Summary Extensions: most dangerous code in the browser Third-party, unaudited, highly-privileged JavaScript Rethink extension security systems Need to protect user privacy from extensions Make user permissions requests rare and clear One direction: confinement + new APIs Captures many extensions as safe, makes permission requests rare

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback