the most dangerous code in the browser stefan heule, devon rifkin, alejandro russo, deian stefan...

20
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Upload: camilla-willis

Post on 19-Dec-2015

213 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

The Most Dangerous Code in the Browser

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Stanford University, Chalmers University of Technology

Page 2: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Web Browsers Today

• One of the most popular application platforms– Easy to deploy and access– Almost anything available as a web app– Including very sensitive content (e.g., banking,

email, passwords, health care)

• Security built in– E.g., website cannot steal locally stored photos– Achieved through, e.g., same-origin policy (SOP)– User does not need to worry about this

Page 3: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Browser Extensions

• Users want more functionality– Customize websites: content, behavior and

display– New functionality for websites– Change browser

• Browsers provide extension systems

Page 4: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Extension Security

• Extensions are meant to interact with websites– Challenging for user privacy and security

• Firefox– Extensions are powerful• Can change almost any aspect (and run native

code)

– Can be installed from anywhere–Web store: static analysis and human

review

Page 5: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Chrome Extension Security

• Split into extensions and plugins

• Plugins: native code– Flash, Java, PDF, Silverlight– Require manual review

• Extensions: JavaScript based– Vast majority are in this category– Extension can only be installed from Chrome

Web Store

Page 6: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Chrome Extension Architecture

Content Script

Extension Core

HistoryTabsDOM

Proc

ess

Boun

dary

Isolated worlds

Page 7: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Chrome Threat Model

• Extensions are benign-but-buggy– Protect extensions from websites

• Principle of least privilege– Extensions ask for permissions– Typically asked for at install time

Page 8: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Permissions of Top 500 Extensions

• 71.6% can “Read and modify all your data on all websites you visit”

Page 9: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Permissions are Meaningless

1 19 37 55 73 91 109 127 145 163 181 199 217 235 253 271 289 307 325 343 361 379 397 415 433 451 469 4870

0.2

0.4

0.6

0.8

1

1.2

10

100

1000

10000

100000

1000000

10000000

Percentage of top n extensions with 'Read and change all your data on the websites you visit'

Percentage of top n extensions with access to all HTTPS data

Number of users

n / Extension number

Perc

enta

ge

Num

ber o

f use

rs

Page 10: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Problems

• Permissions are broad and vague; without context

• Users desensitized to permission requests

• Incentives for developers to asks for too many permissions– Adding permissions later requires user action

• Attacker model assumes extensions to be benign

Page 11: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Attacks in the Wild

• Google recently removed ~200 malicious extensions [Oakland’15]– 5% of unique IPs accessing Google had at

least one malicious extension– Some injected ads, others steal personal

information

• Popular extension developers get contacted to sell extension– And then update with malicious code

Page 12: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

New Extension System: Goals

1. Handle mutually distrusting code– Extensions are protected from websites– Sensitive (website) user data is protected from

extensionsAttacker executes arbitrary extension to leak user data

2. Provide a meaningful permission system– Safe behavior should not require permission– Permissions should be fine-grained and content-

specific

3. Incentivize safety– Many extensions should not require permissions

Page 13: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Preliminary Design

• Reading sensitive data is safe– if not disseminated arbitrarily

•Mandatory access control (MAC) confinement– Track sensitivity of information through

application

• Proposal: use coarse-grained confinement system like COWL [OSDI’14]

Page 14: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Example: Google Mail Checker

• Extension reads unread count from gmail– Gets tainted with mail.google.com– No further communication with evil.com

allowed

• Not all extensions are this simple– Need richer extension APIs

Page 15: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Explicit Sharing

• Some users want to leak information– Save snippet to Evernote– Share webpage to Pintrest

• Forbidden according to MAC– Corresponds to information declassification

• Leverage user intent with a sharing API– Trusted UI, e.g. “Share with …” context

menu

Page 16: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Encrypted Sharing

• System allows labeled values– Can freely be passed, only tainted when inspected

• Encryption API takes labeled value, returns unlabeled encrypted value– Can now be freely shared, e.g. sync to other device

• Secure LastPass-style password manager– Cloud only sees encrypted values, user controls

master key– When decrypted, passwords cannot leave browser

due to MAC

Page 17: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

More APIs

• Declarative CSS API– Change the display of a website

•Networking API– E.g., to block undesired requests (AdBlock)

• DOM access– Isolate extension from website using

shadow DOM

Page 18: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Safe by Default

• When a large class of extensions can be written safely without permissions, warnings can become meaningful again

Page 19: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Conclusion

• Extensions most dangerous to user privacy– This need not be!

• Strong guarantees of MAC-based confinement system allow many extensions to be safe

• Meaningful permissions/warnings otherwise– Fine-grained and content specific, at runtime

Page 20: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology

Questions?Thank you

:-)