張逸文
PROTECTING BROWSERS FROM EXTENSION VULNERABILITIES
NDSS 2010
Adam Barth, University of California, Berkeley
Adrienne Porter Felt, University of California, Berkeley
Prateek Saxena, University of California, Berkeley
Aaron Boodman, Google, Inc.
2 OUTLINE
Introduction
Firefox Extension System
Google Chrome Extension System
Performance
Conclusion
3 OUTLINE
Introduction
Extensions
Benign-but-buggy Extensions
Firefox Extension System
Google Chrome Extension System
Performance
Conclusion
4 INTRODUCTION
1/3 of Firefox users run at least 1 extension
Extend, modify and control browser behavior
Provide rich functionality and add features
Browser extensions differ from browser plug-ins
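Extensions -- small programs that use the browser’s extension interface to enhance or add browser functionality
Plug-ins -- programs that use the NPAPI interface provided by Netscape to offer cross-browser support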
5 INTRODUCTION
Benign-but-buggy extensions
Extensions aren’t written by security experts
Extensions interact extensively with web sites
Firefox extensions run with the browser’s full privileges
An attacker can usurp the extension’s broad privileges
6 INTRODUCTION
Attack Example
R. S. Liverani and N. Freeman, “Abusing Firefox Extensions”, Defcon17, July 2009
install a remote desktop server on the user’s machine
7 OUTLINE
Introduction
Firefox Extension System
Attacks on Extensions
Limiting Firefox Extension Privileges
Google Chrome Extension System
Performance
Conclusion
8 FIREFOX EXTENSION SYSTEM
Attacks on Extensions
1. Cross-site Scripting
2. Replacing Native APIs
3. JavaScript Capability Leaks
4. Mixed Content
Firefox extensions
High privilege
Rich interaction with distrusted web content
9 FIREFOX EXTENSION SYSTEM
Limiting Firefox Extension Privileges?
Review 25 Firefox extensions from the 13 categories
Behavior: How much privilege does an extension need?
Implementation: How much privilege does an extension receive?
10 FIREFOX EXTENSION SYSTEM
Firefox Security Severity Ratings:
Critical
High
Medium
Low
None
11 FIREFOX EXTENSION SYSTEM
Result
Only 3 need critical privileges
The other 22 extensions exhibit a privilege gap
14 OUTLINE
Introduction
Firefox Extension System
Google Chrome Extension System
Least privilege
Privilege separation
Strong isolation
Performance
Conclusion
15 GOOGLE CHROME EXTENSION SYSTEM
Least privilege
Explicitly requested in the extension’s manifest
Developers define privileges in manifest
Execute Arbitrary Code
Web Site Access
API Access
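Added example (not from the slides or the paper): a JavaScript check that sorts the privileges a manifest requests into the three classes listed above, and notes when the web site access covers every host. The manifest keys `permissions`, `content_scripts` and `plugins` are assumed from Chrome's early manifest format; the sample manifest and the function names are constructed for illustration.

```javascript
"use strict";

// A permission string containing "://" (or the literal <all_urls>) is a
// host match pattern; any other string names a browser API group.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// True when the pattern's host part is a bare "*", i.e. every web site.
function isAllHosts(p) {
  if (p === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(p);
  return m !== null && m[2] === "*";
}

// Sort the manifest's requests into: arbitrary code, web sites, APIs.
function classifyManifest(manifest) {
  const perms = manifest.permissions || [];
  // Content scripts also reach web sites, via their "matches" patterns.
  const scriptHosts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  const hosts = [...new Set([...perms.filter(isHostPattern), ...scriptHosts])];
  return {
    // Listing a native (NPAPI) plug-in means arbitrary code execution.
    arbitraryCode: (manifest.plugins || []).length > 0,
    webSites: hosts,
    allWebSites: hosts.some(isAllHosts),
    apis: perms.filter((p) => !isHostPattern(p)),
  };
}

// Constructed sample manifest (not from the paper or any real extension).
const sampleManifest = {
  name: "Example Notes",
  version: "1.0",
  permissions: ["tabs", "bookmarks", "http://*.example.com/*"],
  content_scripts: [{ matches: ["http://*/*"], js: ["inject.js"] }],
};

console.log(classifyManifest(sampleManifest));
```

A reviewer can compare this output with what the extension actually does to spot a privilege gap of the kind the Firefox study measured.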
18 GOOGLE CHROME EXTENSION SYSTEM
Isolation Mechanisms
Extension identity -- a public key in the extension’s URL
Process Isolation -- run in different processes
Isolated Worlds -- own JavaScript objects
20 OUTLINE
Introduction
Firefox Extension System
Google Chrome Extension System
Performance
Conclusion
21 PERFORMANCE
Inter-component communication
Round-trip latency between content script & extension core: 0.8 ms
Isolated Worlds Mechanism
Adds 33.3% overhead
22 OUTLINE
Introduction
Firefox Extension System
Google Chrome Extension System
Performance
Conclusion
23 CONCLUSION
Firefox extension system
Extensions are over-privileged
API needs to be tamed for least privilege
New extension system for Google Chrome
Developers are encouraged to request few privileges
Extensions have a reduced attack surface