張逸文

PROTECTING BROWSERS FROM EXTENSION VULNERABILITIES

NDSS 2010Adam Barth, University of California, BerkeleyAdrienne Porter Felt , University of California, BerkeleyPrateek Saxena , University of California, BerkeleyAaron Boodman, Google,Inc.

2 OUTLINE

Introduction

Firefox Extension System

Google Chrome Extension System

Performance

Conclusion

3 OUTLINE

Introduction

Extensions

Benign-but-buggy Extensions

Firefox Extension System

Google Chrome Extension System

Performance

Conclusion

4 INTRODUCTION

1/3 of Firefox users run at least 1 extension

Extend, modify and control browser behavior

Provide rich functionality and add features

Browser extensions differ from browser plug-ins

Extensions -- 使用瀏覽器的擴充介面，用來加強或增加瀏覽器功能的小程式 Plug-ins -- 使用 Netscape提供的 NPAPI為介面，提供跨瀏覽器協力支援的程式。

5 INTRODUCTION

Benign-but-buggy extensions

Extensions aren’t written by security experts

Extensions interact extensively with web sites

Firefox extensions run with the browser’s full privileges

An attacker can usurp the extension’s broad privileges

6 INTRODUCTION

Attacking Example

R. S. Liverani and N. Freeman, “Abusing Firefox Extensions”, Defcon17, July 2009

install a remote desktop server on the user’s machine

7 OUTLINE

Introduction

Firefox Extension System

Attacks on Extensions

Limiting Firefox Extension Privileges

Google Chrome Extension System

Performance

Conclusion

8FIREFOX EXTENSION

SYSTEM

Attacks on Extensions

1. Cross-site Scripting

2. Replacing Native APIs

3. JavaScript Capability Leaks

4. Mixed Content

Firefox extensions

High privilege

Rich interaction with distrusted web content

9FIREFOX EXTENSION

SYSTEM

Limiting Firefox Extension Privileges ??

Review 25 Firefox extensions from the 13 categories

Behavior: How much privilege does an extension need?

Implementation: How much privilege does an extension receive?

10FIREFOX EXTENSION

SYSTEM

Firefox Security Severity Ratings:

Critical

High

Medium

Low

None

11FIREFOX EXTENSION

SYSTEM

Result

Only 3 need critical privileges

The other 22 extensions exhibit a privilege gap

12FIREFOX EXTENSION

SYSTEM

Use the same interfaces

13FIREFOX EXTENSION

SYSTEM

14 OUTLINE

Introduction

Firefox Extension System

Google Chrome Extension System

Least privilege

Privilege separation

Strong isolation

Performance

Conclusion

15GOOGLE CHROME

EXTENSION SYSTEM

Least privilege Explicitly requested in the extension’s manifest Developers define privileges in manifest

Execute Arbitrary Code

Web Site Access

API Access

16GOOGLE CHROME

EXTENSION SYSTEM

17GOOGLE CHROME

EXTENSION SYSTEM

Privilege separation

18GOOGLE CHROME

EXTENSION SYSTEM

Isolation Mechanisms

Extension identity -- a public key in the extension’s URL

Process Isolation -- run in different processes

Isolated Worlds -- own JavaScript objects

19GOOGLE CHROME

EXTENSION SYSTEM

20 OUTLINE

Introduction

Firefox Extension System

Google Chrome Extension System

Performance

Conclusion

21 PERFORMANCE

Inter-component communication Round-trip latency between content script & extension

core: 0.8 ms

Isolated Worlds Mechanism

Add 33.3% overhead

22 OUTLINE

Introduction

Firefox Extension System

Google Chrome Extension System

Performance

Conclusion

23 CONCLUSION

Firefox extension system

Extensions are over-privileged

API needs to be tamed for least privilege

New extension system for Google Chrome

Developer encouraged to request few privileges

Extensions have a reduced attack surface

24 動動腦 ~

一日，私塾裡大家都在讀經…只有家家東張西望

老師問家家 :妳為什麼不念呢 ?

因為家家有本難念的經