Techniques and Tools for Secure Web Browser Extension Development

Rezwana Karim, Computer Science, Rutgers University. Committee: Prof. Vinod Ganapathy (Chair), Prof. Ulrich Kremer, Prof. Santosh Nagarkatte, Prof. Long Lu (Stony Brook University)

PowerPoint presentation, uploaded on 2022-06-18 (ID: 920095)

Presentation Transcript

Slide1

Techniques and Tools for Secure Web Browser Extension Development

Rezwana Karim, Computer Science, Rutgers University

Committee: Prof. Vinod Ganapathy (Chair), Prof. Ulrich Kremer, Prof. Santosh Nagarkatte, Prof. Long Lu (Stony Brook University)

8/14/15, PhD Defense Talk

Slide2

Platforms with extensibility

2

Rezwana Karim

Slide3

Web browser extension


Slide4

Extensions are everywhere

Google Toolbar, Search by Image, Video DownloadHelper, Invisible Hand, Honey, Weather Watcher, Gmail Manager, Greasemonkey, Click and Clean, Firebug, Unfriend Notify for Facebook, Social Fixer, Adblock, HTTPS Everywhere, LastPass, Evernote Web Clipper, Strict Workflow, Instapaper, Pocket, ESPNCricinfo, Pic2Pixlr

Slide5

Extensions are everywhere (same list of extensions as Slide4)

Sensitive resources: Network, OS, File system, Cookies, Password, History, Preference, Camera

Different from Web applications

Slide6

Extension ecosystem

Feature-rich platform, Privileged API, Increased download

Slide7

Popularity of browser extensions

Firefox extensions in use (https://addons.mozilla.org/en-US/statistics/):

- > 53,000 (February 2013); > 10 million users for Adblock Plus
- > 14,000 (July 2015); > 19 million users for Adblock Plus

Slide8

Slide9

Vulnerable extensions jeopardize platform security

Diagram labels: www.evil.com; Insecure Programming Practice; Exploitable vulnerability

[Barth et al., NDSS 10] [Bandhakavi et al., Usenix Security 10]

Slide10

Safeguard platform from vulnerable third party extensions


Slide11

Legacy extension architecture

Web page <-> Extension Code (Web Script + Extension Script) <-> Sensitive resources

- Interact with Web pages
- Access sensitive resources
- Extension Script: JavaScript code executing within the secure world
- Web Script: JavaScript code executing on the insecure web page world

Sensitive resources: File system, Network, Cookies, History, Password, Preference, Camera, OS

Slide12

Modern extension: Layered defense architecture

Web page <-> Extension Code (Web Script + Extension Script) <-> Sensitive resources

- Interact with Web pages
- Access sensitive resources
- Layers: Web Script (Insecure World) | Extension Script (Secure World) | Manifest | Sensitive resources
- Isolation
- Privilege Separation
- Principle of Least Authority (POLA)

Slide13

Defense-in-depth strategy

Developer's expertise affects extension security

Diagram: modules File, Network, Main

[Karim et al., ECOOP 12]

Slide14

Research questions

- How can we simplify secure extension development?
- How to detect security principle violations in browser extensions?
- How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?

Analyzing the interactions with sensitive resources in extension code

Slide15

Extension Security: Solution spectrum

1) SABRE [ACSAC '09], Secure extensibility [Usenix Sec '10]. Key Idea: Taint tracking
2) Sentinel [DIMVA '13], IBEX [S&P '11]. Key Idea: Runtime policy enforcement

1) VEX [Usenix Sec '09]. Key Idea: Static taint analysis
2) Security Signature [CGO 14]. Key Idea: Information flow and API usage

1) Beacon [ECOOP '12]
2) Morpheus [ECOOP '14]

Slide16

Module Interaction

Main:

    var file = require("file");
    file.readFile("zipCodeFile");
    . . .

File:

    var fileSystemPtr = accessToFileSystem();
    exports.readFile = function readFile(fileName) {
      // read the content of fileName
      . . .
      // return the content
      . . .
    };

Capability: Privilege to access sensitive resources

Slide17

Research questions

- How can we simplify secure extension development?
- How to detect security principle violations in browser extensions?
- How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?

Slide18

Key Idea: Detect capability leaks

Diagram: modules File, Network, Main

Capability leaks through the module interface lead to vulnerabilities

Slide19

Capability flow analysis

- Static analysis of JavaScript (JS) modules
- Points-to analysis
- Information flow. Taint: capability; Source: privileged resource access; Sink: 'exports' interface
- Call graph based
- Context and flow insensitive

Slide20

Capability flow in object hierarchy

Object hierarchy: a -> {x, y}; y -> {p, z}

    var a = {
      x : object,
      y : {
        p : fileSystemPtr,
        z : object
      }
    }

Slide21

Capability flow using Datalog

Object hierarchy: a -> {x, y}; y -> {p, z}

    var a = {
      x : object,
      y : {
        p : fileSystemPtr,
        z : object
      }
    }

Points-to facts:

    ptsTo(v_a, h_a)
    ptsTo(v_y, h_y)
    ptsTo(v_z, h_z)
    ptsTo(v_p, h_p)
    ptsTo(v_x, h_x)
    store(v_y, p, v_p)
    heapPtsTo(h_a, x, h_x)
    heapPtsTo(h_a, y, h_y)
    heapPtsTo(h_y, z, h_z)
    heapPtsTo(h_y, p, h_p)

Taint facts (capability 'file' flows up the hierarchy):

    isTainted(h_p, file)
    isTainted(h_y, file)
    isTainted(h_a, file)

[Gatekeeper, Guarnieri et al., Usenix Security 09]

Slide22

Beacon: Capability flow analysis tool

Pipeline: Call graph generator -> SSA analyzer (SSA format) -> Inference engine -> Capability analysis report

Inputs: Imported module summaries; Rules for JS to Datalog translation; Taint inference rules; Initial facts; Points-to rules; Heap allocation

2.8k lines of Java, Datalog. Tools used: WALA, DES

Slide23

Evaluation

- Jetpack: Mozilla's new browser extension framework
- Over 600 Jetpack modules
- Modules from 359 Jetpack extensions
- 68k lines of JavaScript code

Slide24

Capability leak

36 leaks in over 600 modules; 12 in vendor code

| Module | Capability | Leak mechanism | Essential |
|---|---|---|---|
| tabs/utils | Active tab, browser window and tab container | Function return | yes |
| window-utils | Browser window | Function return | yes |
| xhr | Reference to the XMLHttpRequest object | Property of this object | no |
| xpcom | Entire XPCOM utility module | Exported property | no |

A leak in vendor code affects all extensions developed on top of it

Slide25

Capability leaks: developer code

24 leaks in 359 extensions

| Extension | Capability | Count |
|---|---|---|
| Bookmarks Deiconizer | Sensitive resource service module | 1 |
| Browser Sign In | Window, document | 2 |
| Customizable Shortcut | Preference, DOM, window | 3 |
| Firefox Share | Preference, window, database, observer, database, stream, network | 10 |
| Most Recent Tab | Preference, window | 2 |
| Open Web Apps | Preference, window, database, observer | 4 |
| Recall Monkey | IOService, favIcon | 2 |

Not required for functionality

Slide26

Accuracy: Capability leak

- No false positives
- May miss some leaks:
  - Dynamic features: iterator, generator
  - Unsupported JS constructs: for..each, yield, case statement over a variable
  - Unmodeled JS constructs: eval, with
  - Latent bugs

Slide27

Violation of privilege separation

26 modules in 19 extensions

Slide28

Violation of POLA

Beacon generates 18 warnings, 7 false positives

| Vendor module | Privilege | Severity |
|---|---|---|
| file | Directory service | Moderate |
| hidden-frame | Timer | None |
| tab-browser | Errors | None |
| content/content-proxy | Chrome | Critical |
| content/loader | File | Moderate |
| content/worker | Chrome | Critical |
| keyboard/utils | Chrome | Critical |
| clipboard | Errors | None |
| widget | Chrome | Critical |
| windows | XPCOM, apiUtils | Critical |

Mozilla acknowledged and removed these violations: https://github.com/mozilla/addon-sdk/pull/291

Slide29

Research questions

- How can we simplify secure extension development?
- How to detect security principle violations in browser extensions?
- How to transform a legacy vulnerable extension into a secure extension that adheres to the security principles?

Slide30

Legacy to modern transformation (Legacy -> Modern)

- Time consuming, labor-intensive
- Deep and clear understanding of differences between two programming models
- ~10000 popular legacy extensions

Morpheus design challenges: Privilege Separation, POLA, Preserve UI

Slide31

Challenge 1: Privilege Separation

- Secure/Insecure partition
- Partition monolithic code into isolated JavaScript modules
- Increase the minimum number of modules to be compromised

Slide32

Secure/Insecure world partition (Legacy -> Modern)

- Static dataflow analysis to identify object's context
- Rewrite property access with accessor
- Opaque identifiers for shared objects
- Emulating synchronous communication over asynchronous channel

Diagram: legacy code reads gBrowser.contentDocument directly; in the modern extension the Secure world calls gBrowser.getProperty('contentDocument') and the contentDocument is reached over asynchronous communication with the Insecure world.

Slide33

Partition into multiple modules

Diagram: the legacy DisplayWeather extension is partitioned into modules File, Network, Weather and Main, with only some of them reaching the sensitive resources.

Slide34

Challenge 2: Conformance to POLA

- Only required modules are imported
- No capability leak across module interface
- Encapsulate privileged object: exposes only accessor methods; returns primitive values or an instance of a module
- Generate Manifest

Slide35

Transforming legacy code

For a node n in the AST with expression ξ:

| Expression | Condition | Rewrite |
|---|---|---|
| Sensitive resource invoke | | Rewrite with 'require' |
| Property access | o := object(ξ); o is sensitive OR o is in content | Rewrite with 'getProperty' / 'setProperty' |
| Method invoke | o := object(ξ); o is sensitive OR o is in content | Rewrite with 'invoke' |
| Object literal | | Extract user module |
| Global access | | Rewrite with 'GlobalGET' / 'GlobalSET' |

Slide36

Core module usage

file module:

    var file = fileSystemPtr;
    var _module_ = {
      invoke: function(methodName, args) {
        . . . // switch case
      },
      . . .
    };
    exports.module = _module_;

main.js, before and after the rewrite:

    var data = fileSystemPtr.read('zip.txt');

    var data = require('file').module.invoke('read', 'zip.txt');

Identify sensitive resource usage; replace with core module

Slide37

Extracting user module

Identifies and groups related functionality into a single module

Legacy main.js:

    function readZipCodeFromFile(location) { ... }
    var Weather = {
      ...
      getWeatherData: function(zipcode) {
        ...
        return Weather.requestDataFromServer(zipcode);
      },
      requestDataFromServer: function(zipcode) { ... },
    };
    function showWeather() {
      ...
      var temperature = Weather.getWeatherData(zipcode);
      ...
    }

Transformed main.js:

    var Weather = require('user/Weather').module;
    GlobalSET('Weather', Weather);
    Weather.invoke('getWeatherData', zipcode);

Slide38

Extracted Weather module

Weather module:

    var _module_ = {
      ...
      getWeatherData: function(zipcode) {
        return GlobalGET('Weather').invoke('requestDataFromServer', zipcode);
      },
      requestDataFromServer: function(sendData) {
        ...
      }
    };
    exports.module = _module_;

Slide39

Preserve UI

- Analyzes legacy extension's XUL overlay file, resource URI, CSS, icons
- Generates JS code to dynamically modify the browser's UI

Legacy XUL code:

    <statusbar id='sb' onclick='alert("Hi")'>
      ...
    </statusbar>

Generated JS code:

    var sb = document.getElementById('sb');
    sb["onclick"] = function() {
      alert('Hi');
    };

Slide40

Policy checker

CHECK(Module: m, Property: p, ArgList: α), where (m, p, α) is a sink, e.g. m = 'file', p = 'read' or m = 'network', p = 'open':

- α['file-path'] allowed? (Yes/No)
- α['url'] allowed? (Yes/No)
- violating source (m', p', α') already accessed? (Yes/No)
- . . .

Slide41

Module level privilege computation

Let P(m) be the set of privileges that can be accessed by a module m;
m -> x: module m has direct access to sensitive resource x;
m_i -> m_j: module m_i imports module m_j;
m_u: user module in an extension; m_c: core module in an extension.

Core module:

    P(m_c) := ⋃ { P(x) | m_c -> x }

User module:

    P(m_u) := ⋃ { P(m_c) | m_u -> m_c } ∪ ⋃ { P(m_u') | m_u -> m_u' }

Module privilege is fixed at runtime
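The privilege computation above carried out over a constructed import graph, as an added example that is not Morpheus code. The graph, the module kinds and the convention that a resource's privilege set is its own name are assumptions of this example; the structural checks it adds correspond to properties P5 and P7 from the backup slides.

```javascript
// Added example (not Morpheus code): P(m) over an import graph, plus the structural
// checks the computation relies on.

// Constructed module graph for a DisplayWeather-style extension.
// kind: 'core' | 'user'; resources: direct sensitive resources; imports: modules imported.
const extension = {
  file:           { kind: 'core', resources: ['file'],    imports: [] },
  network:        { kind: 'core', resources: ['network'], imports: [] },
  'user/Weather': { kind: 'user', resources: [],          imports: ['network'] },
  main:           { kind: 'user', resources: [],          imports: ['file', 'user/Weather'] },
};

// A variant with a P7 violation (and an import cycle): the core module imports main.
const badExtension = Object.assign({}, extension, {
  file: { kind: 'core', resources: ['file'], imports: ['main'] },
});

// P(m_c) := U { P(x) | m_c -> x }
// P(m_u) := U { P(m_c) | m_u -> m_c } U U { P(m_u') | m_u -> m_u' }
// Computed as a fixpoint so that import cycles are handled; P(x) = {x} by assumption.
function computePrivileges(graph) {
  const P = {};
  for (const name of Object.keys(graph)) P[name] = new Set(graph[name].resources);
  let changed = true;
  while (changed) {
    changed = false;
    for (const [name, m] of Object.entries(graph)) {
      for (const dep of m.imports) {
        if (!(dep in graph)) throw new Error(name + ' imports unknown module ' + dep);
        for (const priv of P[dep]) {
          if (!P[name].has(priv)) { P[name].add(priv); changed = true; }
        }
      }
    }
  }
  const out = {};
  for (const name of Object.keys(P)) out[name] = [...P[name]].sort();
  return out;
}

// P5: only core modules access a sensitive resource directly.
// P7: core modules cannot import any user module.
function structuralViolations(graph) {
  const violations = [];
  for (const [name, m] of Object.entries(graph)) {
    if (m.kind === 'user' && m.resources.length > 0) {
      violations.push('P5: user module ' + name + ' accesses ' + m.resources.join(',') + ' directly');
    }
    if (m.kind === 'core') {
      for (const dep of m.imports) {
        if (graph[dep] && graph[dep].kind === 'user') {
          violations.push('P7: core module ' + name + ' imports user module ' + dep);
        }
      }
    }
  }
  return violations;
}
```

For the well-formed graph P(main) = {file, network} and P(user/Weather) = {network}, and the privilege of each module is fixed by the import graph alone; the variant shows that a core module importing a user module both violates P7 and inflates P(file) beyond the one resource it is supposed to encapsulate.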

Slide42

Security analysis of transformed DisplayWeather extension

Diagram labels: modules File, Network, Weather, Main; Policy Checker mediating network and file; Login Manager, password, password.txt

- Limit vulnerability effect only to compromised module
- Increases the minimum number of modules to be compromised

Slide43

Morpheus: Implementation

- 2.9k lines of JavaScript
- 10.5k lines implementing 100 core modules

Slide44

Evaluation

- Dataset: extensions developed using JavaScript, HTML, XUL, CSS; 52 legacy extensions: 50 real-world, 2 synthetic
- Correctness of transformation: manually exercised advertised functionality; all transformed (Jetpack) extensions retain advertised functionality

Slide45

Evaluation: Conformance to POLA

- Capability leaks lead to POLA violation
- Used Beacon [Karim et al., ECOOP 12] to verify that no module leaks references to privileged objects

Diagram: modules File, Network, Main

Slide46

Evaluation: Effectiveness of user module extraction

Privilege separation in user modules (chart: # Core modules)

Slide47

Modules accessing multiple categories of core modules

Categories: I: Application; II: Browser; III: DOM; IV: I/O; V: Security; VI: Misc.

Slide48

Runtime policy checking

| Policy | Generic | # extensions |
|---|---|---|
| Contact only specified remote server | No | 3 |
| Access only files in profile directory as advertised | No | 1 |
| Cannot access preference branch other than its own | Yes | 2 |
| Cannot contact server if the extension has already accessed file system | Yes | 1 |
| Cannot contact server if the extension has already accessed LoginManager | Yes | 1 |
| Cannot contact server if the extension has already accessed browsing history | Yes | 1 |
| Cannot contact server if the extension has already accessed browser cache | Yes | 2 |
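A CHECK(m, p, α) in the shape of the Slide40 policy checker that enforces the policies in the table above, including the stateful "cannot contact server if the extension has already accessed X" ones, as an added example that is not Morpheus's own checker. The policy parameters (allowed server, profile directory, preference branch), the source and sink names and the access trace are constructed for this example.

```javascript
// Added example (not Morpheus's policy checker): stateless argument checks plus the
// stateful "violating source already accessed?" check of Slide40.

class PolicyChecker {
  constructor(policy) {
    this.policy = policy;
    this.accessed = new Set();              // sources (m.p) this extension has already accessed
  }
  // Returns true when the access (m, p, args) violates the policy; the module template
  // of Slide64 calls this and returns {} on a violation.
  check(m, p, args = {}) {
    const pol = this.policy;
    // α['file-path'] allowed?  (access only files in the profile directory)
    if (m === 'file' && typeof args['file-path'] === 'string' &&
        !args['file-path'].startsWith(pol.profileDir + '/')) return true;
    if (m === 'network' && p === 'open') {
      // α['url'] allowed?  (contact only the specified remote server)
      if (!pol.allowedServers.includes(hostOf(args.url))) return true;
      // violating source (m', p', α') already accessed?
      for (const src of pol.noNetworkAfter) if (this.accessed.has(src)) return true;
    }
    // Preference branch other than the extension's own?
    if (m === 'preferences' && p === 'getBranch' &&
        !String(args.branch).startsWith(pol.ownPrefBranch)) return true;
    this.accessed.add(m + '.' + p);          // record the access for the stateful policies
    return false;
  }
}
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ''; }
}

// Constructed policy for a weather extension (all names are this example's own).
const weatherPolicy = {
  allowedServers: ['weather.example'],
  profileDir: '/home/user/.mozilla/profile',
  ownPrefBranch: 'extensions.weather.',
  noNetworkAfter: ['file.read', 'loginManager.findLogins', 'history.query', 'cache.read'],
};

// Run a trace of (m, p, α) sinks through the checker, in order, and label each one.
function runTrace(checker, trace) {
  return trace.map(([m, p, args]) => m + '.' + p + ':' + (checker.check(m, p, args) ? 'DENY' : 'ALLOW'));
}

// Constructed trace: the last network access is denied only because of the file read
// that precedes it.
function demo() {
  const checker = new PolicyChecker(weatherPolicy);
  return runTrace(checker, [
    ['preferences', 'getBranch', { branch: 'extensions.weather.units' }],
    ['preferences', 'getBranch', { branch: 'signon.' }],
    ['network', 'open', { url: 'https://other.example/x' }],
    ['network', 'open', { url: 'https://weather.example/api' }],
    ['file', 'read', { 'file-path': '/tmp/outside.txt' }],
    ['file', 'read', { 'file-path': '/home/user/.mozilla/profile/zip.txt' }],
    ['network', 'open', { url: 'https://weather.example/api' }],
  ]);
}
```

Denied accesses are not recorded as "accessed", so a rejected file read does not by itself cut off the network; only an access that actually went through does.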

Slide49

Limitations

- Plethora of privileged APIs
- Extensions with binary component
- Performance slowdown due to repeated context switches
- Might require developer assistance: encoding extension-specific policy; rewriting special cases like comparison against HTMLDocument

Slide50

Summary

- Extension security depends on developer expertise and meticulous effort
- How to detect security principle violations in Web browser extensions? Beacon [ECOOP '12]: a system for capability flow analysis
- How to transform a vulnerable extension into a secure extension that adheres to these principles? Morpheus [ECOOP '14]: automated transformation toolchain

Results acknowledged by Mozilla: https://github.com/mozilla/addon-sdk/pull/291

Slide51

Web technology in app development

- 50% apps by 2016 (Gartner)
- 42% app developers already using
- Most popular technology in emerging markets (Vision Mobile, Q3 2014)

Slide52

My research

Simplify app development: Security (Beacon [ECOOP'12], Morpheus [ECOOP'14]); Cross-platform app UI (WebC [FSE'13], DECOR [FSE'15])

Slide53

Other contributions

- Simplifying Programming for the Web [ISEC 2015], Best Paper Award
- Fast, Memory-efficient Regular Expression Matching with NFA-OBDDs [Computer Networks Journal]
- Improving NFA-based Signature Matching using Ordered Binary Decision Diagrams [RAID 2010]

Slide54

Future direction

Simplify app development: Security; Cross-platform app UI

- Context-sensitive UI in IoT
- App security in IoT
- Porting app across platforms

Slide55

Acknowledgements

- Dissertation advisor: Vinod Ganapathy
- PhD Committee members: Ulrich Kremer, Santosh Nagarkatte, Liviu Iftode, Long Lu
- Co-authors: Nishant Sinha (IBM Research), Chung-chieh Shan (Indiana University), Mohan Dhawan (IBM Research), Liu Yang (HP), Randy Smith (Sandia National Lab)
- Discolab members: Steve Smaldone, Pravin Shankar, Lu Han, Shakeel Butt, Amruta Gokhale, Nader Boushehrinejadmoradi, Daeyoung Kim, Hai Nguyen, Daehan Kawk, Ruilin Liu and several other past and present members
- Friends and Family

Slide56

Thank you

rkarim@cs.rutgers.edu, http://paul.rutgers.edu/~rkarim

Slide57

Backup slides (Beacon)


Slide58

Proof of concept example: Customize-shortcut

    const {Cc, Ci} = require("chrome");
    let Preferences = {
      branches: {},
      ...
      getBranch: function (name) {
        let branch = Cc["@mozilla.org/preferences-service;1"]
                       .getService(Ci.nsIPrefService)
                       .getBranch(name);
        return this.branches[name] = branch;
      },
      ...
    };
    exports.Preferences = Preferences;

Slide59

Datalog relations: capability flow analysis

Points-to analysis:

| Relation | Description |
|---|---|
| Heap mapping: ptsTo(V, H) | Variable points-to relation |
| Heap mapping: heapPtsTo(H1, F, H2) | Heap objects points-to relation |
| Object manipulation: assign(V1, V2) | Variable assignment |
| Object manipulation: store(V1, F, V2) | Field store |
| Object manipulation: load(V1, V2, F) | Field load |

Taint inference:

| Relation | Description |
|---|---|
| Capability flow: isTainted(H, P) | Heap object H has taint value P |

Slide60

JavaScript statement processing

| Statement | Example code | Generated facts |
|---|---|---|
| ASSIGN | v1 = v2 | assign(v1, v2) |
| OBJECT LITERAL | v = {} | ptsTo(v, h_fresh) |
| STORE | v1.f = v2 | store(v1, f, v2) |
| LOAD | v1 = v2.f | load(v1, v2, f) |

[Gatekeeper, Guarnieri et al., Usenix Security 09]

Slide61

Inference rules

Basic rules:

    ptsTo(V1, H) :- ptsTo(V2, H), assign(V1, V2)
    ptsTo(V2, H2) :- load(V2, V1, F), ptsTo(V1, H1), heapPtsTo(H1, F, H2)
    heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)

Taint propagation:

    isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)

Slide62

Capability leak

Multiple ways:

- Direct references to privileged resources
- Functions returning references to privileged resources

File module:

    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;
    exports.getFileSystem = function() {
      return fileSystemPtr;
    };

Capability leaks lead to security principle violations
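The capability flow analysis of Slides 19 and 21, the inference rules of Slide61 and the leaking File module above, run end to end as an added example that is not Beacon's code: a small Datalog-style fixpoint engine applies the four rules to hand-written facts and reports which fields of exports reach a tainted heap object. Beacon derives its facts from SSA form (Slide22); here they are constructed by hand, and a function's return value is modelled as a field named '$ret' of the function object, which is an assumption of this example.

```javascript
// Added example (not Beacon's code): points-to + taint fixpoint over constructed facts,
// with the 'exports' object as the sink.

class FactDB {
  constructor() { this.rels = new Map(); }       // relation name -> Set of JSON-encoded tuples
  add(rel, ...tuple) {                            // returns true only when the fact is new
    if (!this.rels.has(rel)) this.rels.set(rel, new Set());
    const key = JSON.stringify(tuple);
    if (this.rels.get(rel).has(key)) return false;
    this.rels.get(rel).add(key);
    return true;
  }
  get(rel) { return [...(this.rels.get(rel) || [])].map((k) => JSON.parse(k)); }
  has(rel, ...tuple) { return (this.rels.get(rel) || new Set()).has(JSON.stringify(tuple)); }
}

// Apply the four rules of Slide61 until no new fact appears.
function solve(db) {
  let changed = true;
  while (changed) {
    changed = false;
    // ptsTo(V1, H) :- ptsTo(V2, H), assign(V1, V2)
    for (const [v1, v2] of db.get('assign'))
      for (const [v, h] of db.get('ptsTo'))
        if (v === v2 && db.add('ptsTo', v1, h)) changed = true;
    // heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
    for (const [v1, f, v2] of db.get('store'))
      for (const [va, h1] of db.get('ptsTo'))
        if (va === v1)
          for (const [vb, h2] of db.get('ptsTo'))
            if (vb === v2 && db.add('heapPtsTo', h1, f, h2)) changed = true;
    // ptsTo(V2, H2) :- load(V2, V1, F), ptsTo(V1, H1), heapPtsTo(H1, F, H2)
    for (const [v2, v1, f] of db.get('load'))
      for (const [va, h1] of db.get('ptsTo'))
        if (va === v1)
          for (const [ha, fa, h2] of db.get('heapPtsTo'))
            if (ha === h1 && fa === f && db.add('ptsTo', v2, h2)) changed = true;
    // isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
    for (const [h1, , h2] of db.get('heapPtsTo'))
      for (const [h, p] of db.get('isTainted'))
        if (h === h2 && db.add('isTainted', h1, p)) changed = true;
  }
  return db;
}

// Constructed facts: the Slide21 object literal plus the leaking File module above.
function exampleFacts() {
  const db = new FactDB();
  db.add('ptsTo', 'v_fs', 'h_fs');               // var fileSystemPtr = accessToFileSystem();
  db.add('isTainted', 'h_fs', 'file');           // the privileged source carries taint 'file'
  for (const v of ['a', 'x', 'y', 'z']) db.add('ptsTo', 'v_' + v, 'h_' + v);
  db.add('store', 'v_a', 'x', 'v_x');            // var a = { x: object,
  db.add('store', 'v_a', 'y', 'v_y');            //           y: { p: fileSystemPtr, z: object } }
  db.add('store', 'v_y', 'p', 'v_fs');
  db.add('store', 'v_y', 'z', 'v_z');
  db.add('load', 'v_q', 'v_a', 'y');             // var q = a.y;  (exercises the load rule)
  db.add('ptsTo', 'v_exports', 'h_exports');
  db.add('store', 'v_exports', 'fileSystemPtr', 'v_fs');   // exports.fileSystemPtr = fileSystemPtr;
  db.add('ptsTo', 'v_getFS', 'h_getFS');         // exports.getFileSystem = function(){ return fileSystemPtr; }
  db.add('store', 'v_getFS', '$ret', 'v_fs');    // modelling assumption: return value is field '$ret'
  db.add('store', 'v_exports', 'getFileSystem', 'v_getFS');
  return db;
}

// Sink check: every field of the exports object that points to a tainted heap object.
function findLeaks(db, exportsVar = 'v_exports') {
  const leaks = [];
  for (const [v, hExp] of db.get('ptsTo')) {
    if (v !== exportsVar) continue;
    for (const [h1, f, h2] of db.get('heapPtsTo')) {
      if (h1 !== hExp) continue;
      for (const [h, p] of db.get('isTainted')) if (h === h2) leaks.push(f + ':' + p);
    }
  }
  return leaks.sort();
}

function analyze() {
  const db = solve(exampleFacts());
  return {
    aTainted: db.has('isTainted', 'h_a', 'file'),   // taint climbed a.y.p -> a.y -> a
    qPointsTo: db.get('ptsTo').filter(([v]) => v === 'v_q').map(([, h]) => h),
    leaks: findLeaks(db),                           // both leak mechanisms of this slide
  };
}
```

Both leak mechanisms surface in the report: the direct reference through exports.fileSystemPtr and the function return through exports.getFileSystem, because the '$ret' field carries the taint to the function object and from there to exports.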

Slide63

Backup slides (Morpheus)


Slide64

Module template

    . . .
    getProperty: function() {
      var propertyName = arguments[0];
      var violated = policyChecker.check(<core_module_name>, propertyName);
      if (violated) return {};
      var ref = table.getReference(this.id);
      switch (propertyName) {
        case '<depends on the core module>':
          var retval = ref[propertyName];
          var newref = <new_core_module_instance>;
          table.setReference(newref.id, retval);
          return newref;
        ...
        /* more case statements */
        default:
          return null;
      }
    }
    . . .
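The template above filled in for a constructed 'tab-browser' core module whose contentDocument is handed out as an opaque 'document' instance (the gBrowser.contentDocument rewrite of Slide32), as an added example that is not Morpheus's generated code. The reference table, the core-module registry, the exposes map and the one-line policyChecker that denies a single property are all assumptions of this example.

```javascript
// Added example (not Morpheus output): opaque identifiers for shared objects, with the
// references themselves kept in one designated table.

// Designated holder of references to sensitive objects: the other side only ever sees
// the opaque ids that key this table.
const table = (function () {
  const refs = new Map();
  let next = 0;
  return {
    freshId() { return 'ref#' + (++next); },
    setReference(id, obj) { refs.set(id, obj); },
    getReference(id) { return refs.get(id); },
  };
})();

// Stand-in for the Slide40 policy checker: true means "violated".
const policyChecker = {
  check(moduleName, propertyName) { return moduleName === 'document' && propertyName === 'cookie'; },
};

// Core-module registry. exposes: propertyName -> 'primitive', or the name of the core
// module that wraps the returned object.
const coreModules = {};
function defineCoreModule(name, exposes) {
  function Instance(id) { this.id = id; }           // the only own property is the opaque id
  Instance.prototype.getProperty = function (propertyName) {
    const violated = policyChecker.check(name, propertyName);
    if (violated) return {};
    const ref = table.getReference(this.id);
    const kind = exposes[propertyName];
    if (kind === undefined) return null;             // not exposed by this core module
    const retval = ref[propertyName];
    if (kind === 'primitive') {
      // Never let an object cross as-is, even if the exposes map is wrong about its type.
      return (typeof retval === 'object' && retval !== null) ? null : retval;
    }
    return newInstance(kind, retval);                // an object crosses only as an opaque instance
  };
  coreModules[name] = Instance;
}
function newInstance(moduleName, obj) {
  if (!(moduleName in coreModules)) throw new Error('no core module ' + moduleName);
  const inst = new coreModules[moduleName](table.freshId());
  table.setReference(inst.id, obj);
  return inst;
}

defineCoreModule('document', { title: 'primitive', cookie: 'primitive', body: 'primitive' });
defineCoreModule('tab-browser', { contentDocument: 'document' });

// Constructed privileged object standing in for gBrowser.
const gBrowser = { contentDocument: { title: 'Weather', cookie: 'session=abc', body: {} } };

function demo() {
  const gb = newInstance('tab-browser', gBrowser);   // the secure side hands out a handle
  const doc = gb.getProperty('contentDocument');     // legacy: gBrowser.contentDocument
  return {
    docKeys: Object.keys(doc),                        // only 'id' is visible on the handle
    title: doc.getProperty('title'),                  // primitive: passes through
    cookie: JSON.stringify(doc.getProperty('cookie')),// policy violation: {}
    body: doc.getProperty('body'),                    // declared primitive but is an object: null
    unknown: doc.getProperty('location'),             // not exposed: null
    sameObject: table.getReference(doc.id) === gBrowser.contentDocument,
  };
}
```

The handle carries nothing but its id, so code on the insecure side cannot reach the real document object; every read goes back through getProperty, where the policy check and the primitive-only rule are applied.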

Slide65

Security properties

| Provider | Property |
|---|---|
| Jetpack | P1: Isolated Jetpack modules |
| Jetpack | P2: The set of privileges a module depends on: imported (i) user modules, (ii) core modules and (iii) direct access to sensitive resource |
| Jetpack | P3: Module privilege is fixed at runtime |
| Jetpack | P4: Modules lie in chrome space and are separated by process from Web page content |

- Limit vulnerability effect only to compromised module
- Increases the minimum number of modules to be compromised

Slide66

Security properties (cont'd)

| Provider | Property |
|---|---|
| Morpheus | P5: Only core modules can directly access a sensitive resource |
| Morpheus | P6: Each core module encapsulates a reference to only one sensitive resource |
| Morpheus | P7: Core modules cannot import any user module |
| Morpheus | P8: Each module exports only an opaque identifier and accessor methods |
| Morpheus | P9: References to the sensitive objects are stored within a designated module |
| Policy checker | P10: Access to a particular sensitive resource by a core module is mediated by security policy |