VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN

Page 1

VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES

XIANG PAN

Page 2

ROADMAP
1. Background
2. Threat Model
3. Static Information Flow Analysis
4. Evaluation
5. Related Works

Page 3

EXTENSIONS
Extensions vs. Plugins
1. Plugins are complicated, loadable modules. Flash and Java are two examples.
2. Extensions are written mostly in JavaScript. They act as part of the browser and they have wider access privileges than JS in a web page.

150 million extensions are in use

Page 4

EXTENSIONS ARCHITECTURE IN FIREFOX

Page 5

EXTENSIONS ARE NOT SECURE
1. Developers:
   1. Many developers write extensions as a hobby
   2. Likely to write vulnerable extensions
   3. Don't have the time or interest to update their extensions
2. Reviewers:
   1. Not possible to understand all the extensions
   2. Don't need to have great knowledge about extensions or security
   3. Follow guidelines for what is not acceptable:
      1. The guidelines focus on finding malicious extensions
      2. Vulnerable extensions can quite easily slip through.

Page 6

EXAMPLES
Real Extension Vulnerabilities, by Roberto Suggi Liverani and Nick Freeman

http://www.securitytube.net/video/3492

Page 7

SKYPE (<=3.8.0.188) ISSUE:

Automatic arbitrary

Pages 8-16: image slides (Skype extension issue); no text recoverable
Page 17

VET EXTENSION

Mozilla has a team of volunteers who help vet extensions manually.

Trusted add-ons can't always be trusted: Vietnamese Language Pack

Page 18

THREAT MODEL
GOAL: finding security vulnerabilities in browser extensions
ASSUMPTIONS:
1. Developers are not malicious
2. Extensions are not obfuscated

Page 19

POINTS OF ATTACK
1. eval function
2. innerHTML
3. evalInSandbox
4. wrappedJSObject

Page 20

STATIC INFORMATION FLOW ANALYSIS
1. Basic Goals: Source -> Sink; find suspicious flow patterns

Page 21

SUSPICIOUS FLOW PATTERN
1. Resource Description Framework (RDF) data to innerHTML
2. Content document data to eval
3. Content document data to innerHTML
4. evalInSandbox return objects used improperly by code running with chrome privileges
5. wrappedJSObject return object used improperly by code running with vulnerabilities

The five flows don't always result in a vulnerability, and they are not an exhaustive list of all possible extension security bugs.

Page 22

STATIC INFORMATION FLOW ANALYSIS
1. Static vs. Dynamic
   1. Static: efficient and complete
   2. Dynamic: accurate
2. Context sensitive and flow sensitive

Abstract heap is required!

Page 23

ANALYSIS DETAILS
1. Variable Access
   1. Check current scope (heap)
   2. Check global scope (heap)
   3. Create a new node and add it to global scope
   4. Ignore prototype
   5. Return with dependencies

Page 24

ANALYSIS DETAILS
2. Binary Operators
   1. Return the union of dependencies of both expressions
3. Object
   1. Create heap locations for each of its properties
   2. Create a node for the object
   3. Link the object node to its property nodes

Page 25

ANALYSIS DETAILS
4. Function
   1. Create heap location for each of its properties
   2. Create heap location for each of the arguments
   3. Create heap location for return value
   4. Create heap location for itself
   5. A function call executes all the argument parameters and updates corresponding nodes
   6. If a function is not defined, the dependencies of the return values are the union of dependencies of all the arguments
   7. Does a function call execute the statements again?

Page 26

ANALYSIS DETAILS
5. Variable Declaration
   1. If the variable doesn't exist in current scope, create a new node.
   2. Otherwise, replace the current one.
6. Assignment
   1. Evaluate left side expressions and right side expressions
   2. Replace the node on the left with the one on the right

Page 27

ANALYSIS DETAILS
7. Condition
   Both IF and ELSE branches need to be evaluated.
8. While
   The while body needs to be evaluated until a fixed point is reached.
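As an added illustration (not VEX's own code, which the talk does not show), the following Python script applies the dependency rules of slides 20 through 27 to a constructed mini JavaScript AST: variable access creates nodes, binary operators union dependencies, assignment replaces the left node, IF evaluates both branches and merges, WHILE iterates to a fixed point, and any source reaching a sink is reported. It also shows where the "sanitized input" false positive of slide 34 comes from, since an undefined callee passes every argument's dependencies through. The source names contentDocument and rdfData, the sink names innerHTML and eval, and the sample program are assumptions made for the example.

```python
# Added example, not VEX's own code: a toy flow-sensitive dependency analysis over a
# constructed mini JavaScript AST. Each variable maps to the set of taint sources it depends on.
SOURCES = {"contentDocument", "rdfData"}     # assumed source names

def eval_expr(expr, env):
    """Return the frozenset of sources an expression depends on."""
    if expr[0] == "const":                   # literals carry no dependencies
        return frozenset()
    if expr[0] == "var":                     # slide 23: look up, else create a node
        if expr[1] in SOURCES:
            return frozenset({expr[1]})
        return env.setdefault(expr[1], frozenset())
    if expr[0] == "binop":                   # slide 24: union of both operands
        return eval_expr(expr[1], env) | eval_expr(expr[2], env)
    if expr[0] == "call":                    # slide 25 rule 6: callee unknown, so the
        return frozenset().union(*(eval_expr(a, env) for a in expr[1]))  # result depends on all args

def run(stmts, env, findings):
    for st in stmts:
        if st[0] == "assign":                # slide 26: left node replaced by right
            env[st[1]] = eval_expr(st[2], env)
        elif st[0] == "sink":                # ("sink", name, expr): x.innerHTML = e, eval(e)
            deps = tuple(sorted(eval_expr(st[2], env)))
            if deps and (st[1], deps) not in findings:
                findings.append((st[1], deps))
        elif st[0] == "if":                  # slide 27: run both branches, then merge
            env_t, env_f = dict(env), dict(env)
            run(st[1], env_t, findings)
            run(st[2], env_f, findings)
            for name in set(env_t) | set(env_f):
                env[name] = env_t.get(name, frozenset()) | env_f.get(name, frozenset())
        elif st[0] == "while":               # slide 27: re-run body until a fixed point
            before = None
            while env != before:
                before = dict(env)
                run(st[1], env, findings)
    return findings                          # list of (sink, sources) suspicious flows

# Constructed sample: s = contentDocument; t = "safe"; i = 0; while (c) { t = t + s; i = i + 1; }
# if (c) { u = t; } else { u = "x"; }  panel.innerHTML = u; eval(sanitize(s)); eval("literal");
SAMPLE = [
    ("assign", "s", ("var", "contentDocument")),
    ("assign", "t", ("const", "safe")), ("assign", "i", ("const", 0)),
    ("while", [("assign", "t", ("binop", ("var", "t"), ("var", "s"))),
               ("assign", "i", ("binop", ("var", "i"), ("const", 1)))]),
    ("if", [("assign", "u", ("var", "t"))], [("assign", "u", ("const", "x"))]),
    ("sink", "innerHTML", ("var", "u")),
    ("sink", "eval", ("call", [("var", "s")])),  # sanitize() unknown: still flagged (slide 34)
    ("sink", "eval", ("const", "literal")),      # statically known string: no finding
]
```

Running `run(SAMPLE, {}, [])` reports the innerHTML and eval flows from contentDocument and nothing for the constant string; the loop converges after the second pass because t already depends on s.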

Page 28

ANALYSIS DETAILS
9. EVAL
   If the argument is a constant string, the string is inserted into the code and analyzed as code.
   If the strings are not statically known, they are ignored.

VEX is unsound

Page 29

ANALYSIS DETAILS
10. Object properties accessed in the form of associative arrays
   In JavaScript, objects are treated as associative arrays.
   VEX doesn't know which property is set. Whenever a property is created, its dependencies are added to the dependencies of the node.

Page 30

EVALUATION
Downloaded a total of 2452 extensions; on average, VEX took only 15.5 seconds per extension.

Page 31

SUCCESSFUL ATTACKS
Wikipedia Toolbar, up to version 0.5.9

Page 32

SUCCESSFUL ATTACKS
Fizzle versions 0.5, 0.5.1, 0.5.2

Page 33

SUCCESSFUL ATTACKS
Beatnik version 1.2

Page 34

FLOWS THAT DO NOT RESULT IN ATTACKS
1. Source is trusted (what about XSS?)
2. Sanitized input (complete?)
3. Non-chrome sinks (fewer privileges)

Page 35

RELATED WORKS
1. Plugin security
2. Dynamic information flow analysis for browser extensions
3. Flow-insensitive static information flow methods for JavaScript