the most dangerous code in the browser stefan heule, devon rifkin, alejandro russo, deian stefan...
TRANSCRIPT
![Page 1: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/1.jpg)
The Most Dangerous Code in the Browser
Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan
Stanford University, Chalmers University of Technology
![Page 2: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/2.jpg)
Web Browsers Today
• One of the most popular application platforms– Easy to deploy and access– Almost anything available as a web app– Including very sensitive content (e.g., banking,
email, passwords, health care)
• Security built in– E.g., website cannot steal locally stored photos– Achieved through, e.g., same-origin policy (SOP)– User does not need to worry about this
![Page 3: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/3.jpg)
Browser Extensions
• Users want more functionality– Customize websites: content, behavior and
display– New functionality for websites– Change browser
• Browsers provide extension systems
![Page 4: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/4.jpg)
Extension Security
• Extensions are meant to interact with websites– Challenging for user privacy and security
• Firefox– Extensions are powerful• Can change almost any aspect (and run native
code)
– Can be installed from anywhere–Web store: static analysis and human
review
![Page 5: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/5.jpg)
Chrome Extension Security
• Split into extensions and plugins
• Plugins: native code– Flash, Java, PDF, Silverlight– Require manual review
• Extensions: JavaScript based– Vast majority are in this category– Extension can only be installed from Chrome
Web Store
![Page 6: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/6.jpg)
Chrome Extension Architecture
Content Script
Extension Core
HistoryTabsDOM
Proc
ess
Boun
dary
Isolated worlds
![Page 7: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/7.jpg)
Chrome Threat Model
• Extensions are benign-but-buggy– Protect extensions from websites
• Principle of least privilege– Extensions ask for permissions– Typically asked for at install time
![Page 8: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/8.jpg)
Permissions of Top 500 Extensions
• 71.6% can “Read and modify all your data on all websites you visit”
![Page 9: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/9.jpg)
Permissions are Meaningless
1 19 37 55 73 91 109 127 145 163 181 199 217 235 253 271 289 307 325 343 361 379 397 415 433 451 469 4870
0.2
0.4
0.6
0.8
1
1.2
10
100
1000
10000
100000
1000000
10000000
Percentage of top n extensions with 'Read and change all your data on the websites you visit'
Percentage of top n extensions with access to all HTTPS data
Number of users
n / Extension number
Perc
enta
ge
Num
ber o
f use
rs
![Page 10: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/10.jpg)
Problems
• Permissions are broad and vague; without context
• Users desensitized to permission requests
• Incentives for developers to asks for too many permissions– Adding permissions later requires user action
• Attacker model assumes extensions to be benign
![Page 11: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/11.jpg)
Attacks in the Wild
• Google recently removed ~200 malicious extensions [Oakland’15]– 5% of unique IPs accessing Google had at
least one malicious extension– Some injected ads, others steal personal
information
• Popular extension developers get contacted to sell extension– And then update with malicious code
![Page 12: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/12.jpg)
New Extension System: Goals
1. Handle mutually distrusting code– Extensions are protected from websites– Sensitive (website) user data is protected from
extensionsAttacker executes arbitrary extension to leak user data
2. Provide a meaningful permission system– Safe behavior should not require permission– Permissions should be fine-grained and content-
specific
3. Incentivize safety– Many extensions should not require permissions
![Page 13: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/13.jpg)
Preliminary Design
• Reading sensitive data is safe– if not disseminated arbitrarily
•Mandatory access control (MAC) confinement– Track sensitivity of information through
application
• Proposal: use coarse-grained confinement system like COWL [OSDI’14]
![Page 14: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/14.jpg)
Example: Google Mail Checker
• Extension reads unread count from gmail– Gets tainted with mail.google.com– No further communication with evil.com
allowed
• Not all extensions are this simple– Need richer extension APIs
![Page 15: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/15.jpg)
Explicit Sharing
• Some users want to leak information– Save snippet to Evernote– Share webpage to Pintrest
• Forbidden according to MAC– Corresponds to information declassification
• Leverage user intent with a sharing API– Trusted UI, e.g. “Share with …” context
menu
![Page 16: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/16.jpg)
Encrypted Sharing
• System allows labeled values– Can freely be passed, only tainted when inspected
• Encryption API takes labeled value, returns unlabeled encrypted value– Can now be freely shared, e.g. sync to other device
• Secure LastPass-style password manager– Cloud only sees encrypted values, user controls
master key– When decrypted, passwords cannot leave browser
due to MAC
![Page 17: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/17.jpg)
More APIs
• Declarative CSS API– Change the display of a website
•Networking API– E.g., to block undesired requests (AdBlock)
• DOM access– Isolate extension from website using
shadow DOM
![Page 18: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/18.jpg)
Safe by Default
• When a large class of extensions can be written safely without permissions, warnings can become meaningful again
![Page 19: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/19.jpg)
Conclusion
• Extensions most dangerous to user privacy– This need not be!
• Strong guarantees of MAC-based confinement system allow many extensions to be safe
• Meaningful permissions/warnings otherwise– Fine-grained and content specific, at runtime
![Page 20: The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology](https://reader036.vdocuments.us/reader036/viewer/2022080905/56649d305503460f94a0860a/html5/thumbnails/20.jpg)
Questions?Thank you
:-)