Slide 1: Techniques and Tools for Secure Web Browser Extension Development
Rezwana Karim, Computer Science, Rutgers University
Committee: Prof. Vinod Ganapathy (Chair), Prof. Ulrich Kremer, Prof. Santosh Nagarkatte, Prof. Long Lu (Stony Brook University)
PhD Defense Talk, 8/14/15
Slide 2: Platforms with extensibility
Slide 3: Web browser extension
Slide 4: Extensions are everywhere
Google Toolbar, Search by Image, Video DownloadHelper, Invisible Hand, Honey, Weather Watcher, Gmail Manager, Greasemonkey, Click and Clean, Firebug, Unfriend Notify for Facebook, Social Fixer, Adblock, HTTPS Everywhere, LastPass, Evernote Web Clipper, Strict Workflow, Instapaper, Pocket, ESPNCricinfo, Pic2Pixlr
Slide 5: Extensions are everywhere (cont'd)
Extensions access sensitive resources: Network, OS, File system, Cookies, Password, History, Preference, Camera.
This is what makes them different from Web applications.
Slide 6: Extension ecosystem
- Feature-rich platform
- Privileged API
- Increased download
Slide 7: Popularity of browser extensions
Firefox extensions in use (https://addons.mozilla.org/en-US/statistics/):
- > 53,000 (February 2013); > 10 million users for Adblock Plus
- > 14,000 (July 2015); > 19 million users for Adblock Plus
Slide 8

Slide 9: Vulnerable extensions jeopardize platform security
www.evil.com -> Insecure programming practice -> Exploitable vulnerability
[Barth et al., NDSS '10] [Bandhakavi et al., Usenix Security '10]
Slide 10: Safeguard the platform from vulnerable third-party extensions
Slide 11: Legacy extension architecture
Web page <-> Extension Code (Web Script + Extension Script) <-> Sensitive resources
- Extension code interacts with Web pages and accesses sensitive resources
- Extension Script: JavaScript code executing within the secure world
- Web Script: JavaScript code executing in the insecure web page world
- Sensitive resources: File system, Network, Cookies, History, Password, Preference, Camera, OS
Slide 12: Modern extension: Layered defense architecture
Web page <-> Extension Code (Web Script + Extension Script) <-> Sensitive resources
- Extension code interacts with Web pages and accesses sensitive resources
- Manifest declares what the extension needs
- Web Script runs in the insecure world; Extension Script runs in the secure world
- Principles: Principle of Least Authority (POLA), Isolation, Privilege Separation
Slide 13: Defense-in-depth strategy
The developer's expertise affects extension security.
Example module structure: Main, File, Network.
[Karim et al., ECOOP '12]
Slide 14: Research questions
- How can we simplify secure extension development?
- How to detect security principle violations in browser extensions?
- How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?
Approach: analyzing the interactions with sensitive resources in extension code.
Slide 15: Extension Security: Solution spectrum
- SABRE [ACSAC '09], Secure extensibility [Usenix Sec '10]. Key idea: taint tracking
- Sentinel [DIMVA '13], IBEX [S&P '11]. Key idea: runtime policy enforcement
- VEX [Usenix Sec '09]. Key idea: static taint analysis
- Security Signature [CGO '14]. Key idea: information flow and API usage
- This dissertation: Beacon [ECOOP '12], Morpheus [ECOOP '14]
Slide 16: Module Interaction
Main:
    var file = require("file");
    file.readFile("zipCodeFile");
    . . .
File:
    var fileSystemPtr = accessToFileSystem();
    exports.readFile = function readFile(fileName) {
      // read the content of fileName
      . . .
      // return the content
      . . .
    };
Capability: privilege to access sensitive resources.
Slide 17: Research questions (repeated from slide 14)
- How can we simplify secure extension development?
- How to detect security principle violations in browser extensions?
- How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?
Slide 18: Key Idea: Detect capability leaks
Modules: File, Network, Main.
Capability leaks through module interfaces lead to vulnerabilities.
Slide 19: Capability flow analysis
- Static analysis of JavaScript (JS) modules
- Points-to analysis
- Information flow: taint = capability; source = privileged resource access; sink = the 'exports' interface
- Call graph based
- Context and flow insensitive
Slide 20: Capability flow in object hierarchy
Object tree: a -> x, y; y -> p, z
    var a = {
      x : object,
      y : {
        p : fileSystemPtr,
        z : object
      }
    }
Slide 21: Capability flow using Datalog
Object tree: a -> x, y; y -> p, z
    var a = {
      x : object,
      y : {
        p : fileSystemPtr,
        z : object
      }
    }
Points-to facts:
    ptsTo(v_a, h_a), ptsTo(v_y, h_y), ptsTo(v_z, h_z), ptsTo(v_p, h_p), ptsTo(v_x, h_x)
    store(v_y, p, v_p)
    heapPtsTo(h_a, x, h_x), heapPtsTo(h_a, y, h_y), heapPtsTo(h_y, p, h_p), heapPtsTo(h_y, z, h_z)
Taint facts (the capability flows up the hierarchy):
    isTainted(h_p, file), isTainted(h_y, file), isTainted(h_a, file)
[Gatekeeper, Guarnieri et al., Usenix Security '09]
Slide 22: Beacon: Capability flow analysis tool
- Components: Call graph generator, SSA analyzer, Inference engine
- Inputs: SSA format, imported module summaries, rules for JS to Datalog translation, taint inference rules, initial facts, points-to rules, heap allocation
- Output: capability analysis report
- 2.8k lines of Java, Datalog
- Tools used: WALA, DES
Slide 23: Evaluation
- Jetpack: Mozilla's new browser extension framework
- Over 600 Jetpack modules
- Modules from 359 Jetpack extensions
- 68k lines of JavaScript code
Slide 24: Capability leak
36 leaks in over 600 modules; 12 in vendor code.

| Module       | Capability                                     | Leak mechanism           | Essential |
|--------------|------------------------------------------------|--------------------------|-----------|
| tabs/utils   | Active tab, browser window and tab container   | Function return          | yes       |
| window-utils | Browser window                                 | Function return          | yes       |
| xhr          | Reference to the XMLHttpRequest object         | Property of this object  | no        |
| xpcom        | Entire XPCOM utility module                    | Exported property        | no        |

A leak in vendor code affects all extensions developed on top of it.
Slide 25: Capability leaks: developer code
24 leaks in 359 extensions.

| Extension             | Capability                                                       | Count |
|-----------------------|------------------------------------------------------------------|-------|
| Bookmarks Deiconizer  | Sensitive resource service module                                | 1     |
| Browser Sign In       | Window, document                                                 | 2     |
| Customizable Shortcut | Preference, DOM, window                                          | 3     |
| Firefox Share         | Preference, window, database, observer, database, stream, network | 10    |
| Most Recent Tab       | Preference, window                                               | 2     |
| Open Web Apps         | Preference, window, database, observer                           | 4     |
| Recall Monkey         | IOService, favIcon                                               | 2     |

These leaks are not required for functionality.
Slide 26: Accuracy: Capability leak
- No false positives
- May miss some leaks:
  - Dynamic features: iterator, generator
  - Unsupported JS constructs: for..each, yield, case statement over a variable
  - Unmodeled JS constructs: eval, with
  - Latent bugs
Slide 27: Violation of privilege separation
26 modules in 19 extensions.
Slide 28: Violation of POLA
Beacon generates 18 warnings, 7 false positives.

| Vendor module         | Privilege         | Severity |
|-----------------------|-------------------|----------|
| file                  | Directory service | Moderate |
| hidden-frame          | Timer             | None     |
| tab-browser           | Errors            | None     |
| content/content-proxy | Chrome            | Critical |
| content/loader        | File              | Moderate |
| content/worker        | Chrome            | Critical |
| keyboard/utils        | Chrome            | Critical |
| clipboard             | Errors            | None     |
| widget                | Chrome            | Critical |
| windows               | XPCOM, apiUtils   | Critical |

Mozilla acknowledged and removed these violations: https://github.com/mozilla/addon-sdk/pull/291
Slide 29: Research questions (repeated from slide 14)
- How can we simplify secure extension development?
- How to detect security principle violations in browser extensions?
- How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?
Slide 30: Legacy to modern transformation
Legacy -> Modern:
- Time consuming, labor-intensive
- Requires a deep and clear understanding of the differences between the two programming models
- ~10000 popular legacy extensions
Morpheus design challenges: Privilege Separation, POLA, Preserve UI.
Slide 31: Challenge 1: Privilege Separation
- Secure/Insecure partition
- Partition monolithic code into isolated JavaScript modules
- Increases the minimum number of modules that must be compromised
Slide 32: Secure/Insecure world partition
Legacy (secure world reaches directly into insecure content):
    gBrowser.contentDocument
Modern (asynchronous communication between the secure and insecure worlds):
    gBrowser.getProperty('contentDocument')
- Static dataflow analysis to identify an object's context
- Rewrite property access with an accessor
- Opaque identifiers for shared objects
- Emulating synchronous communication over an asynchronous channel
Slide 33: Partition into multiple modules
DisplayWeather (Legacy) -> Main, Weather, File, Network; only File and Network reach the sensitive resources.
Slide 34: Challenge 2: Conformance to POLA
- Only required modules are imported
- No capability leak across the module interface
- Encapsulate privileged objects: expose only accessor methods; return primitive values or an instance of a module
- Generate manifest
Slide 35: Transforming legacy code
For a node n in the AST with expression ξ, let o := object(ξ). Rewrite by node type:
- Sensitive resource invoke: rewrite with 'require'
- Property access, where o is sensitive OR o is in content: rewrite with 'getProperty' / 'setProperty'
- Method invoke, where o is sensitive OR o is in content: rewrite with 'invoke'
- Object literal: extract user module
- Global access: rewrite with 'GlobalGET' / 'GlobalSET'
Slide 36: Core module usage
file module:
    var file = fileSystemPtr;
    var _module_ = {
      invoke: function(methodName, args) {
        . . . // switch case over methodName
      },
      . . .
    };
    exports.module = _module_;
main.js, before:
    var data = fileSystemPtr.read('zip.txt');
main.js, after:
    require('file').module.invoke('read', 'zip.txt');
Steps: identify sensitive resource usage; replace it with the core module.
Slide 37: Extracting user module
Identifies and groups related functionality into a single module.
main.js (legacy):
    function readZipCodeFromFile(location) { ... }
    var Weather = {
      ...
      getWeatherData: function(zipcode) {
        ...
        return Weather.requestDataFromServer(zipcode);
      },
      requestDataFromServer: function(zipcode) { ... },
    };
    function showWeather() {
      ...
      var temperature = Weather.getWeatherData(zipcode);
      ...
    }
main.js (transformed):
    var Weather = require('user/Weather').module;
    GlobalSET('Weather', Weather);
    Weather.invoke('getWeatherData', zipcode);
Slide 38: Extracted Weather module
Weather module:
    var _module_ = {
      ...
      getWeatherData: function(zipcode) {
        return GlobalGET('Weather').invoke('requestDataFromServer', zipcode);
      },
      requestDataFromServer: function(sendData) {
        ...
      }
    };
    exports.module = _module_;
Slide 39: Preserve UI
- Analyzes the legacy extension's XUL overlay file, resource URIs, CSS, icons
- Generates JS code to dynamically modify the browser's UI
Legacy XUL code:
    <statusbar id="sb" onclick="alert('Hi')">
      ...
    </statusbar>
Generated JS code:
    var sb = document.getElementById('sb');
    sb["onclick"] = function() {
      alert('Hi');
    };
Slide 40: Policy checker
CHECK(Module: m, Property: p, ArgList: α), applied when (m, p, α) is a sink:
- m = 'file', p = 'read': is α['file-path'] allowed? Yes / No
- m = 'network', p = 'open': is α['url'] allowed? Yes / No
- Has a violating source (m', p', α') already been accessed? Yes / No
- . . .
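As an added example (not Morpheus's code), the following sketches a core 'file' module and a core 'network' module in the shape of slide 36, whose only interface is invoke() returning primitives, with every sink call mediated by a policy checker structured like slide 40. It encodes three of the policies listed on slide 48: "access only files in the profile directory", "contact only the specified remote server", and "cannot contact the server if the extension has already accessed the file system". The in-memory file system, the host name, and the names makePolicyChecker, makeFileModule and makeNetworkModule are assumptions for illustration.

```javascript
// Added example: core modules gated by a stateful policy checker (slides 36, 40, 48).
// Names and the in-memory stand-ins are constructed for this illustration.

function makePolicyChecker(policy) {
  const accessed = []; // sinks already reached, in order: [m, p]

  // CHECK(m, p, α): true when the call violates policy (slide 40 answers "No").
  function check(m, p, args) {
    let violated = false;
    if (m === "file" && p === "read") {
      // "Access only files in profile directory as advertised"
      violated = !policy.allowedPaths.some((dir) => args["file-path"].startsWith(dir));
    } else if (m === "network" && p === "open") {
      // "Contact only specified remote server"
      violated = !policy.allowedServers.includes(new URL(args.url).host);
      // "Cannot contact server if the extension has already accessed file system":
      // a violating source (m', p', α') = ('file', 'read', *) seen earlier blocks the sink.
      if (!violated && policy.noNetworkAfterFile && accessed.some(([mm]) => mm === "file")) violated = true;
    } else {
      return false; // (m, p, α) is not a sink
    }
    if (!violated) accessed.push([m, p]);
    return violated;
  }
  return { check, accessed };
}

// Constructed stand-in for fileSystemPtr: the only object holding file contents.
const FS = {
  files: { "/profile/zip.txt": "08901" },
  read(path) { return this.files[path]; },
  exists(path) { return path in this.files; },
};

// Core 'file' module: keeps the raw capability private; exports only invoke(),
// which returns primitives (string/boolean/null), never the capability itself.
function makeFileModule(fileSystemPtr, policyChecker) {
  const _module_ = {
    invoke: function (methodName, args) {
      if (policyChecker.check("file", methodName, args)) return null; // denied: no data leaves
      switch (methodName) {
        case "read":   return String(fileSystemPtr.read(args["file-path"]));
        case "exists": return Boolean(fileSystemPtr.exists(args["file-path"]));
        default:       return null;
      }
    },
  };
  return { module: _module_ }; // what require('file') hands to main.js
}

// Core 'network' module with the same shape; open() stands in for the real request.
function makeNetworkModule(policyChecker) {
  const _module_ = {
    invoke: function (methodName, args) {
      if (policyChecker.check("network", methodName, args)) return null;
      switch (methodName) {
        case "open": return "opened " + new URL(args.url).host;
        default:     return null;
      }
    },
  };
  return { module: _module_ };
}

// Drive main.js-style calls in a given order and collect the primitive results.
function runScenario(order) {
  const checker = makePolicyChecker({
    allowedPaths: ["/profile/"],
    allowedServers: ["weather.example"],
    noNetworkAfterFile: true,
  });
  const file = makeFileModule(FS, checker).module;
  const net = makeNetworkModule(checker).module;
  const results = {};
  for (const step of order) {
    if (step === "file")    results.zip = file.invoke("read", { "file-path": "/profile/zip.txt" });
    if (step === "net")     results.net = net.invoke("open", { url: "https://weather.example/api?zip=08901" });
    if (step === "badfile") results.bad = file.invoke("read", { "file-path": "/outside/other.txt" });
  }
  return results;
}

console.log(runScenario(["file", "net"]));   // network denied after file access
console.log(runScenario(["net", "file"]));   // both allowed in this order
```

The order-dependent rule is the interesting one: the same network call is allowed or denied purely on what the extension touched earlier, which is how the "cannot contact server if ..." policies of slide 48 are expressed without any change to the module code.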
Slide 41: Module level privilege computation
Let P(m) be the set of privileges that can be accessed by a module m;
m → x: module m has direct access to sensitive resource x;
m_i → m_j: module m_i imports module m_j;
m_u: a user module in an extension; m_c: a core module in an extension.
Core module:
    P(m) := ∪ { P(x) | m → x }
User module:
    P(m) := ∪ { P(m_c) | m → m_c } ∪ ∪ { P(m_u) | m → m_u }
Module privilege is fixed at runtime.
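The following added example (not Morpheus's code) computes P(m) from the two equations above over an import graph and freezes the result into a per-module manifest, so that a module's privilege set is fixed before it runs. The module set is constructed from the DisplayWeather decomposition on slides 33 and 42; which module imports which, and the `privileges`, `manifest` and `isAllowed` names, are assumptions. It also checks the two structural rules from slide 66 that the equations rely on: only core modules access resources directly (P5) and core modules never import user modules (P7).

```javascript
// Added example: P(m) over an import graph (slide 41), with manifest generation.
// Module wiring below is constructed for illustration, not taken from the deck.

// kind: "core" | "user"; direct: sensitive resources x with m -> x; imports: m -> m'.
const MODULES = {
  File:         { kind: "core", direct: ["file"],     imports: [] },
  Network:      { kind: "core", direct: ["network"],  imports: [] },
  LoginManager: { kind: "core", direct: ["password"], imports: [] },
  Weather:      { kind: "user", direct: [],           imports: ["Network"] },
  Main:         { kind: "user", direct: [],           imports: ["Weather", "File"] },
};

// P(m). Core module: union of P(x) over directly accessed resources, with P(x) = {x}.
// User module: union of P(m') over imported core and user modules.
function privileges(modules, name, seen = new Set()) {
  const m = modules[name];
  if (!m) throw new Error("unknown module " + name);
  if (seen.has(name)) throw new Error("import cycle through " + name);
  seen.add(name);
  const P = new Set();
  if (m.kind === "core") {
    // P7: core modules cannot import any user module
    for (const imp of m.imports) {
      if (modules[imp].kind === "user") throw new Error(name + " (core) imports user module " + imp);
    }
    m.direct.forEach((x) => P.add(x));
    return P;
  }
  // P5: only core modules may access a sensitive resource directly
  if (m.direct.length > 0) throw new Error(name + " (user) accesses a sensitive resource directly");
  for (const imp of m.imports) privileges(modules, imp, new Set(seen)).forEach((x) => P.add(x));
  return P;
}

// The manifest is computed once, before any module runs: privilege is fixed at runtime.
function manifest(modules) {
  const out = {};
  for (const name of Object.keys(modules)) out[name] = [...privileges(modules, name)].sort();
  return out;
}

// Runtime question the manifest answers: may module `name` reach `resource` at all?
function isAllowed(man, name, resource) {
  return (man[name] || []).includes(resource);
}

console.log(manifest(MODULES));
```

With this wiring, Main ends up with {file, network} and never with password: LoginManager is present in the extension but not on Main's import path, so a compromise of Main cannot reach the password resource even though the extension as a whole can.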
Slide 42: Security analysis of transformed DisplayWeather extension
Modules: Main, Weather, File, Network, Login Manager. The File (file), Network (network) and Login Manager (password, e.g. password.txt) modules reach their sensitive resource only through the Policy Checker.
- Limits the effect of a vulnerability to the compromised module only
- Increases the minimum number of modules that must be compromised
Slide 43: Morpheus: Implementation
- 2.9k lines of JavaScript
- 10.5k lines implementing 100 core modules
Slide 44: Evaluation
Dataset:
- Extensions developed using JavaScript, HTML, XUL, CSS
- 52 legacy extensions: 50 real-world, 2 synthetic
Correctness of transformation:
- Manually exercised advertised functionality
- All transformed (Jetpack) extensions retain advertised functionality
Slide 45: Evaluation: Conformance to POLA
- Capability leaks lead to POLA violations
- Used Beacon [Karim et al., ECOOP '12] to verify that no module leaks a reference to a privileged object
Modules checked: File, Network, Main.
Slide 46: Evaluation: Effectiveness of user module extraction
Privilege separation in user modules (chart over the number of core modules).
Slide 47: Modules accessing multiple categories of core modules
Categories: I: Application; II: Browser; III: DOM; IV: I/O; V: Security; VI: Misc.
Slide 48: Runtime policy checking

| Policy                                                                        | Generic | # extensions |
|-------------------------------------------------------------------------------|---------|--------------|
| Contact only specified remote server                                          | No      | 3            |
| Access only files in profile directory as advertised                          | No      | 1            |
| Cannot access preference branch other than its own                            | Yes     | 2            |
| Cannot contact server if the extension has already accessed file system       | Yes     | 1            |
| Cannot contact server if the extension has already accessed LoginManager      | Yes     | 1            |
| Cannot contact server if the extension has already accessed browsing history  | Yes     | 1            |
| Cannot contact server if the extension has already accessed browser cache     | Yes     | 2            |
Slide 49: Limitations
- Plethora of privileged APIs
- Extensions with binary components
- Performance slowdown due to repeated context switches
- Might require developer assistance: encoding extension-specific policy; rewriting special cases like comparison against HTMLDocument
Slide 50: Summary
- Extension security depends on developer expertise and meticulous effort
- How to detect security principle violations in Web browser extensions? Beacon [ECOOP '12]: a system for capability flow analysis
- How to transform a vulnerable extension into a secure extension that adheres to these principles? Morpheus [ECOOP '14]: an automated transformation toolchain
- Results acknowledged by Mozilla: https://github.com/mozilla/addon-sdk/pull/291
Slide 51: Web technology in app development
- 50% of apps by 2016 (Gartner)
- 42% of app developers already using it
- Most popular technology in emerging markets (Vision Mobile, Q3 2014)
Slide 52: My research
Simplify app development:
- Security: Beacon [ECOOP '12], Morpheus [ECOOP '14]
- Cross-platform app UI: WebC [FSE '13], DECOR [FSE '15]
Slide 53: Other contributions
- Simplifying Programming for the Web [ISEC 2015], Best Paper Award
- Fast, Memory-efficient Regular Expression Matching with NFA-OBDDs [Computer Networks journal]
- Improving NFA-based Signature Matching using Ordered Binary Decision Diagrams [RAID 2010]
Slide 54: Future direction
Simplify app development:
- Security: app security in IoT
- Cross-platform app UI: context-sensitive UI in IoT; porting apps across platforms
Slide 55: Acknowledgements
- Dissertation advisor: Vinod Ganapathy
- PhD committee members: Ulrich Kremer, Santosh Nagarkatte, Liviu Iftode, Long Lu
- Co-authors: Nishant Sinha (IBM Research), Chung-chieh Shan (Indiana University), Mohan Dhawan (IBM Research), Liu Yang (HP), Randy Smith (Sandia National Lab)
- Discolab members: Steve Smaldone, Pravin Shankar, Lu Han, Shakeel Butt, Amruta Gokhale, Nader Boushehrinejadmoradi, Daeyoung Kim, Hai Nguyen, Daehan Kwak, Ruilin Liu and several other past and present members
- Friends and family
Slide 56: Thank you
rkarim@cs.rutgers.edu, http://paul.rutgers.edu/~rkarim
Slide 57: Backup slides (Beacon)
Slide 58: Proof of concept example: Customize-shortcut
    const {Cc, Ci} = require("chrome");
    let Preferences = {
      branches: {},
      ...
      getBranch: function (name) {
        let branch = Cc["@mozilla.org/preferences-service;1"]
                       .getService(Ci.nsIPrefService)
                       .getBranch(name);
        ...
        return this.branches[name] = branch;
      },
      ...
    };
    exports.Preferences = Preferences;
Slide 59: Datalog relations: capability flow analysis
Points-to analysis:

| Relation             | Description                       |
|----------------------|-----------------------------------|
| Heap mapping         |                                   |
| ptsTo(V, H)          | Variable points-to relation       |
| heapPtsTo(H1, F, H2) | Heap objects points-to relation   |
| Object manipulation  |                                   |
| assign(V1, V2)       | Variable assignment               |
| store(V1, F, V2)     | Field store                       |
| load(V1, V2, F)      | Field load                        |

Taint inference:

| Relation        | Description                       |
|-----------------|-----------------------------------|
| Capability flow |                                   |
| isTainted(H, P) | Heap object H has taint value P   |
Slide 60: JavaScript statement processing

| Statement      | Example code | Generated facts     |
|----------------|--------------|---------------------|
| ASSIGN         | v1 = v2      | assign(v1, v2)      |
| OBJECT LITERAL | v = {}       | ptsTo(v, h_fresh)   |
| STORE          | v1.f = v2    | store(v1, f, v2)    |
| LOAD           | v1 = v2.f    | load(v1, v2, f)     |

[Gatekeeper, Guarnieri et al., Usenix Security '09]
Slide 61: Inference rules
Basic rules:
    ptsTo(V1, H) :- ptsTo(V2, H), assign(V1, V2)
    ptsTo(V2, H2) :- load(V2, V1, F), ptsTo(V1, H1), heapPtsTo(H1, F, H2)
    heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
Taint propagation:
    isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
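As an added example (not Beacon's code), the following small fixpoint engine evaluates the four rules above over facts generated as on slide 60, and runs them on the slide-21 object hierarchy with 'exports' as the sink of slide 19. Relation names (ptsTo, heapPtsTo, assign, store, load, isTainted) and the heap naming h_<variable> follow the deck; the statement encoding, the `generateFacts`, `infer`, `leakedCapabilities` and `analyzeModule` names, and the two constructed modules (one exporting the whole object `a`, one exporting only its harmless sub-object `x`) are assumptions. It goes slightly beyond the slide by reporting which capabilities reach the exports object, which is the leak question Beacon answers.

```javascript
// Added example: Datalog-style least fixpoint over the slide-61 rules (not Beacon's engine).
// Facts are stored as "rel(arg,arg,...)" strings so a Set deduplicates them.
function fact(rel, ...args) { return rel + "(" + args.join(",") + ")"; }
function parse(f) { const m = /^(\w+)\((.*)\)$/.exec(f); return [m[1], m[2].split(",")]; }
function rows(db, rel) { return [...db].map(parse).filter(([r]) => r === rel).map(([, a]) => a); }

// Slide 60: translate statements into initial facts. Each statement is a constructed
// record {kind, ...}; an object literal for variable v allocates the fresh heap object h_v.
// taintedHeaps marks the source: heap objects that are a privileged resource.
function generateFacts(stmts, taintedHeaps) {
  const db = new Set();
  for (const s of stmts) {
    switch (s.kind) {
      case "ASSIGN": db.add(fact("assign", s.v1, s.v2)); break;
      case "OBJLIT": db.add(fact("ptsTo", s.v, "h_" + s.v)); break;
      case "STORE":  db.add(fact("store", s.v1, s.f, s.v2)); break;
      case "LOAD":   db.add(fact("load", s.v1, s.v2, s.f)); break;
      default: throw new Error("unknown statement kind: " + s.kind);
    }
  }
  for (const [h, cap] of Object.entries(taintedHeaps)) db.add(fact("isTainted", h, cap));
  return db;
}

// Slide 61: apply the rules until no new fact appears (context- and flow-insensitive).
function infer(db) {
  let changed = true;
  const add = (f) => { if (!db.has(f)) { db.add(f); changed = true; } };
  while (changed) {
    changed = false;
    // ptsTo(V1, H) :- ptsTo(V2, H), assign(V1, V2)
    for (const [v1, v2] of rows(db, "assign"))
      for (const [v, h] of rows(db, "ptsTo")) if (v === v2) add(fact("ptsTo", v1, h));
    // heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
    for (const [v1, f, v2] of rows(db, "store"))
      for (const [va, h1] of rows(db, "ptsTo")) if (va === v1)
        for (const [vb, h2] of rows(db, "ptsTo")) if (vb === v2) add(fact("heapPtsTo", h1, f, h2));
    // ptsTo(V2, H2) :- load(V2, V1, F), ptsTo(V1, H1), heapPtsTo(H1, F, H2)
    for (const [v2, v1, f] of rows(db, "load"))
      for (const [va, h1] of rows(db, "ptsTo")) if (va === v1)
        for (const [ha, fa, h2] of rows(db, "heapPtsTo")) if (ha === h1 && fa === f) add(fact("ptsTo", v2, h2));
    // isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
    for (const [h1, , h2] of rows(db, "heapPtsTo"))
      for (const [h, p] of rows(db, "isTainted")) if (h === h2) add(fact("isTainted", h1, p));
  }
  return db;
}

// Sink (slide 19): the 'exports' object. Any taint on the heap object it points to
// means a capability can be reached through the module interface.
function leakedCapabilities(db) {
  const caps = new Set();
  for (const [v, h] of rows(db, "ptsTo")) if (v === "exports")
    for (const [hh, p] of rows(db, "isTainted")) if (hh === h) caps.add(p);
  return [...caps].sort();
}

function analyzeModule(stmts, taintedHeaps) {
  const db = infer(generateFacts(stmts, taintedHeaps));
  return {
    tainted: rows(db, "isTainted").map(([h, p]) => h + ":" + p).sort(),
    leaked: leakedCapabilities(db),
  };
}

// Constructed input: var a = { x: object, y: { p: fileSystemPtr, z: object } } (slide 21).
const SLIDE21 = [
  { kind: "OBJLIT", v: "x" }, { kind: "OBJLIT", v: "z" }, { kind: "OBJLIT", v: "p" },
  { kind: "OBJLIT", v: "y" }, { kind: "STORE", v1: "y", f: "p", v2: "p" }, { kind: "STORE", v1: "y", f: "z", v2: "z" },
  { kind: "OBJLIT", v: "a" }, { kind: "STORE", v1: "a", f: "x", v2: "x" }, { kind: "STORE", v1: "a", f: "y", v2: "y" },
];
const FILE_CAP = { h_p: "file" }; // p holds fileSystemPtr: the source carries the 'file' capability
// Leaky module: exports.config = a  (the whole hierarchy, including p, crosses the interface)
const LEAKY = SLIDE21.concat([{ kind: "OBJLIT", v: "exports" }, { kind: "STORE", v1: "exports", f: "config", v2: "a" }]);
// Safe module: t = a.x; exports.config = t  (only the untainted sub-object is exposed)
const SAFE = SLIDE21.concat([{ kind: "OBJLIT", v: "exports" }, { kind: "LOAD", v1: "t", v2: "a", f: "x" },
                             { kind: "STORE", v1: "exports", f: "config", v2: "t" }]);

console.log(analyzeModule(LEAKY, FILE_CAP)); // taint reaches h_a and h_exports: 'file' leaks
console.log(analyzeModule(SAFE, FILE_CAP));  // h_a is still tainted, but nothing reaches exports
```

The taint set is the same for both modules up to the interface (h_p, h_y, h_a are tainted either way, as on slide 21); what differs is whether the exports object can reach a tainted heap object, which is exactly the sink check.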
Slide 62: Capability leak
Multiple ways to leak a capability:
- Direct references to privileged resources
- Functions returning references to privileged resources
File module:
    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;        // direct reference leaked
    exports.getFileSystem = function() {          // reference leaked via return value
      return fileSystemPtr;
    };
Capability leaks lead to security principle violations.
Slide 63: Backup slides (Morpheus)
Slide 64: Module template
    . . .
    getProperty: function() {
      var propertyName = arguments[0];
      var violated = policyChecker.check(<core_module_name>, propertyName);
      if (violated) return {};
      var ref = table.getReference(this.id);
      switch (propertyName) {
        case '<depends on the core module>':
          var retval = ref[propertyName];
          var newref = <new_core_module_instance>;
          table.setReference(newref.id, retval);
          return newref;
        ...
        /* more case statements */
        default:
          return null;
      }
    }
    . . .
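The following added example (not Morpheus's module template) fills in the opaque-identifier scheme that the template above and slide 32 rely on: the secure world keeps real objects in a reference table, and what crosses the module interface is either a primitive or a fresh module instance carrying only an id and accessor methods. The `ReferenceTable`, `makeInstance`, `toWire` names, the EXPOSED property lists and the constructed `gBrowser` stand-in are assumptions; the policy check of the template is left out here to keep the focus on encapsulation.

```javascript
// Added example: opaque identifiers and accessor-only module instances (slides 32, 64).
// Names and the browser stand-in are constructed for this illustration.

class ReferenceTable {
  constructor() { this.refs = new Map(); this.next = 1; }
  setReference(id, obj) { this.refs.set(id, obj); }
  getReference(id) { return this.refs.get(id); }
  freshId() { return this.next++; }
}
const table = new ReferenceTable(); // lives only in the secure world

// Per core module: which properties an instance may expose, and whether the value
// crosses as a primitive or must be wrapped into an instance of another core module.
const EXPOSED = {
  browser:  { contentDocument: "document", currentURI: "primitive" },
  document: { title: "primitive", URL: "primitive" },
};

// Wrap `obj` as a module instance. The instance owns nothing but an id and accessors;
// the raw object never becomes reachable from it (slide 66, P8/P9).
function makeInstance(kind, obj) {
  const id = table.freshId();
  table.setReference(id, obj);
  return {
    id,
    kind,
    getProperty(propertyName) {
      const spec = EXPOSED[kind][propertyName];
      if (spec === undefined) return null;                 // default branch of the template
      const retval = table.getReference(this.id)[propertyName];
      if (spec === "primitive") {
        // Refuse to hand out an object where a primitive was promised.
        return retval !== null && typeof retval === "object" ? null : retval;
      }
      return makeInstance(spec, retval);                   // newref with its own table entry
    },
  };
}

// What a message on the asynchronous channel carries: a primitive, or just {id, kind}.
function toWire(value) {
  const isObj = value !== null && typeof value === "object";
  return JSON.stringify(isObj ? { id: value.id, kind: value.kind } : value);
}

// Constructed stand-in for the privileged browser object held in the secure world.
const gBrowser = {
  currentURI: "https://example.org/",
  contentDocument: { title: "Example", URL: "https://example.org/", cookie: "session=abc" },
};
const browserModule = makeInstance("browser", gBrowser);

// Legacy `gBrowser.contentDocument.title` becomes a chain of accessor calls.
function legacyToModern() {
  const doc = browserModule.getProperty("contentDocument");
  return {
    title: doc.getProperty("title"),          // primitive crosses as-is
    handleKeys: Object.keys(doc).sort(),      // the handle exposes id, kind, getProperty only
    rawCookie: doc.cookie,                    // not a field of the handle
    hidden: doc.getProperty("cookie"),        // not in EXPOSED: null
    wire: JSON.parse(toWire(doc)),            // what the insecure side actually receives
  };
}

console.log(legacyToModern());
```

The reference table is the single place where sensitive objects live, which is what lets the transformed module satisfy "each module exports only an opaque identifier and accessor methods" without the rest of the extension ever holding the object itself.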
Slide 65: Security properties

| Provider | Property |
|----------|----------|
| Jetpack  | P1: Isolated Jetpack modules |
| Jetpack  | P2: The set of privileges a module has depends on (i) imported user modules, (ii) imported core modules and (iii) direct access to sensitive resources |
| Jetpack  | P3: Module privilege is fixed at runtime |
| Jetpack  | P4: Modules lie in chrome space and are separated by process from Web page content |

- Limits the effect of a vulnerability to the compromised module only
- Increases the minimum number of modules that must be compromised
Slide 66: Security properties (cont'd)

| Provider       | Property |
|----------------|----------|
| Morpheus       | P5: Only a core module can directly access a sensitive resource |
| Morpheus       | P6: Each core module is limited to encapsulating a reference to only one sensitive resource |
| Morpheus       | P7: Core modules cannot import any user module |
| Morpheus       | P8: Each module exports only an opaque identifier and accessor methods |
| Morpheus       | P9: References to sensitive objects are stored within a designated module |
| Policy checker | P10: Access to a particular sensitive resource by a core module is mediated by the security policy |