vex: vetting browser extensions for security vulnerabilities
VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES
XIANG PAN
ROADMAP
1. Background
2. Threat Model
3. Static Information Flow Analysis
4. Evaluation
5. Related Works
EXTENSIONS
Extensions Vs. Plugins
1. Plugins are complicated, loadable modules. Flash and Java are two examples.
2. Extensions are written mostly in JavaScript. They act as part of the browser and have wider access privileges than JavaScript running in a web page.
150 million extensions are in use
EXTENSIONS ARCHITECTURE IN FIREFOX
EXTENSIONS ARE NOT SECURE
1. Developers:
   1. Many developers write extensions as a hobby
   2. They are likely to write vulnerable extensions
   3. They don't have the time or interest to update their extensions
2. Reviewers:
   1. It is not possible to understand all the extensions
   2. They don't need to have deep knowledge of extensions or security
   3. They follow guidelines for what is not acceptable:
      1. The guidelines focus on finding malicious extensions
      2. Vulnerable extensions can quite easily slip through.
EXAMPLES
Real Extension Vulnerabilities
by Roberto Suggi Liverani and Nick Freeman
http://www.securitytube.net/video/3492
SKYPE (<= 3.8.0.188)
ISSUE:
Automatic arbitrary
(Slides 8 to 17 contain no transcript text.)
VET EXTENSION
Mozilla has a team of volunteers who help vet extensions manually.
Trusted add-ons can't always be trusted (example: the Vietnamese Language Pack)
THREAT MODEL
GOAL:
finding security vulnerabilities in browser extensions
ASSUMPTIONS:
1. Developers are not malicious
2. Extensions are not obfuscated
POINTS OF ATTACK
1. eval function
2. innerHTML
3. evalInSandbox
4. wrappedJSObject
STATIC INFORMATION FLOW ANALYSIS
1. Basic Goals
   1. Sources
   2. Sinks
   3. Find suspicious flow patterns
SUSPICIOUS FLOW PATTERN
1. Resource Description Framework (RDF) data to innerHTML
2. Content document data to eval
3. Content document data to innerHTML
4. evalInSandbox return objects used improperly by code running with chrome privileges
5. wrappedJSObject return object used improperly by code running with vulnerabilities
The five flows don't always result in a vulnerability, and they are not an exhaustive list of all possible extension security bugs.
STATIC INFORMATION FLOW ANALYSIS
1. Static Vs. Dynamic
   1. Static: efficient and complete
   2. Dynamic: accurate
2. Context sensitive and flow sensitive
An abstract heap is required!
ANALYSIS DETAILS
1. Variable Access
1. Check current scope (heap)
2. Check global scope (heap)
3. Create a new node and add it to global scope
4. Ignore prototype
5. Return with dependencies
ANALYSIS DETAILS
2. Binary Operators
1. Return the union of dependencies of both expressions
3. Object
1. Create heap locations for each of its properties
2. Create a node for the object
3. Link the object node to its property nodes
ANALYSIS DETAILS
4. Function
1. Create heap location for each of its properties
2. Create heap location for each of the arguments
3. Create heap location for return value
4. Create heap location for itself
5. A function call evaluates all the argument expressions and updates the corresponding nodes
6. If a function is not defined, the dependencies of the return value are the union of the dependencies of all the arguments
7. Does a function call execute the statements again?
ANALYSIS DETAILS
5. Variable Declaration
1. If the variable doesn't exist in the current scope, create a new node.
2. Otherwise, replace the current one.
6. Assignment
1. Evaluate the left-side and right-side expressions
2. Replace the node on the left with the one on the right
ANALYSIS DETAILS
7. Condition
Both the IF and ELSE branches need to be evaluated.
8. While
The while body needs to be evaluated until a fixed point is reached
ANALYSIS DETAILS
9. EVAL
If the argument is a constant string, the string is inserted into the code and analyzed as code.
If the string is not statically known, it is ignored.
VEX is unsound
ANALYSIS DETAILS
10. Object properties accessed in the form of associative arrays
In JavaScript, objects are treated as associative arrays, so VEX doesn't know which property is set.
Whenever a property is created, its dependencies are added to the dependencies of the node.
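The analysis rules above (union of dependencies for binary operators and unknown calls, replacement on assignment, both branches of a condition, fixed-point iteration for while, and reporting when a source reaches a sink) can be seen working on a toy program. The following is an added example written for this page, not the VEX project's code; it uses a constructed mini-AST and the labels `content.document` and `rdf` as stand-ins for the sources on the slides, and it omits the abstract heap for object properties.

```javascript
// Added example, not the VEX project's code: a miniature flow-sensitive dependency analysis over a constructed mini-AST, following the rules on the slides.
const union = (...sets) => new Set(sets.flatMap(s => [...s]));
// An expression evaluates to the set of source labels its value may depend on.
function evalExpr(e, env) {
  switch (e.t) {
    case 'lit':  return new Set();                     // constant: no dependencies
    case 'src':  return new Set([e.label]);            // e.g. content document or RDF data
    case 'var':  return env.get(e.name) || new Set();  // variable: its current node's deps
    case 'bin':  return union(evalExpr(e.l, env), evalExpr(e.r, env));      // rule 2
    case 'call': return union(...e.args.map(a => evalExpr(a, env)));        // rule 4.6
    default: throw new Error('unknown expression ' + e.t);
  }
}
// Merge two environments variable by variable (after if/else and each loop pass).
function joinEnv(a, b) {
  const out = new Map(a);
  for (const [k, v] of b) out.set(k, union(out.get(k) || new Set(), v));
  return out;
}
const depCount = env => [...env.values()].reduce((n, s) => n + s.size, 0);
// Statements thread the environment; flows records each distinct source->sink pair.
function run(stmts, env, flows) {
  for (const s of stmts) {
    if (s.t === 'assign') { env = new Map(env); env.set(s.name, evalExpr(s.expr, env)); } // replace (rule 6)
    else if (s.t === 'if') env = joinEnv(run(s.then, env, flows), run(s.else, env, flows)); // both branches (rule 7)
    else if (s.t === 'while') {            // rule 8: joins are monotone, so stop when no new dependency appears
      let prev;
      do { prev = env; env = joinEnv(prev, run(s.body, prev, flows)); } while (depCount(env) !== depCount(prev));
    } else if (s.t === 'sink') {
      const sources = [...evalExpr(s.expr, env)].sort();
      if (sources.length) flows.set(s.sink + '<-' + sources, { sink: s.sink, sources });
    }
  }
  return env;
}
function analyze(program) { const flows = new Map(); run(program, new Map(), flows); return [...flows.values()]; }
// Constructed sample, not a real extension: page data reaches innerHTML via one if branch,
// RDF data reaches eval through a loop, and the constant passed to eval is not reported.
const sample = [
  { t: 'assign', name: 'title', expr: { t: 'src', label: 'content.document' } },
  { t: 'assign', name: 'html', expr: { t: 'lit' } },
  { t: 'if', then: [{ t: 'assign', name: 'html', expr: { t: 'bin', l: { t: 'lit' }, r: { t: 'var', name: 'title' } } }], else: [] },
  { t: 'sink', sink: 'innerHTML', expr: { t: 'var', name: 'html' } },
  { t: 'assign', name: 'code', expr: { t: 'lit' } },
  { t: 'while', body: [{ t: 'assign', name: 'code', expr: { t: 'bin', l: { t: 'var', name: 'code' }, r: { t: 'src', label: 'rdf' } } }] },
  { t: 'sink', sink: 'eval', expr: { t: 'var', name: 'code' } },
  { t: 'sink', sink: 'eval', expr: { t: 'lit' } },
];
console.log(analyze(sample));  // two flows: content.document -> innerHTML, rdf -> eval
```

The reported flows are only candidates, as the slides note: whether `content.document -> innerHTML` is exploitable still depends on where the sink runs and whether the data was sanitized.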
EVALUATION
A total of 2452 extensions were downloaded; on average, VEX took only 15.5 seconds per extension
SUCCESSFUL ATTACKS
Wikipedia Toolbar, up to version 0.5.9
SUCCESSFUL ATTACKS
Fizzle versions 0.5, 0.5.1, 0.5.2
SUCCESSFUL ATTACKS
Beatnik Version 1.2
FLOWS THAT DO NOT RESULT IN ATTACKS
1. Source is trusted (what about XSS?)
2. Sanitized input (Complete?)
3. Non-chrome sinks (less privileges)
RELATED WORKS
1. Plugin security
2. Dynamic information flow analysis for browser extensions
3. Flow-insensitive static information flow methods for JavaScript