Verified Security for Browser Extensions

Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy
Brown University, University of Wisconsin Madison, Microsoft Research


DESCRIPTION

Verified Security for Browser Extensions. Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy. Brown University, University of Wisconsin Madison, Microsoft Research. Curated Extension Gallery. 1/3 of Firefox users run extensions (~34 million users). PowerPoint presentation.

TRANSCRIPT

Page 1: Verified Security for Browser Extensions

Verified Security for Browser Extensions

Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy
Brown University, University of Wisconsin Madison, Microsoft Research

Page 2: Verified Security for Browser Extensions

Page 3: Verified Security for Browser Extensions

Curated Extension Gallery

1. 1/3 of Firefox users run extensions (~34 million users)

2. Popular Chrome extensions have thousands of users

Page 4: Verified Security for Browser Extensions

EXTENSION SECURITY

Page 5: Verified Security for Browser Extensions

mailto:[email protected]

https://mail.google.com/mail/?view=cm&tf=1&[email protected]&cc=&su=&body=&fs=1

Change mailto: links

Change links to evil.com?

Page 6: Verified Security for Browser Extensions

Google Dictionary

Service

Sends selected word to Google

evil.com

Send my email to evil.com?

Page 7: Verified Security for Browser Extensions

Access Control in Chrome

"permissions": [
  "tabs",
  "http://www.twitter.com/*",
  "http://api.bit.ly/"
]

1. Sensitive APIs ("tabs")

2. Extension runs on these URLs ("http://www.twitter.com/*", "http://api.bit.ly/")

Barth et al. Protecting Browsers from Extension Vulnerabilities. NDSS 2010.

Page 8: Verified Security for Browser Extensions

Policy analysis: Accessible URLs

[Chart over 1,137 extension policies; categories: access to all data on all websites; access to all data on one website; 2–86 websites]

Page 9: Verified Security for Browser Extensions

30% (of 1,137) have access to your data on all websites

Page 10: Verified Security for Browser Extensions

Policy analysis: Access to history

[Chart over 1,137 extension policies: Full History Access]

why?

Page 11: Verified Security for Browser Extensions

"permissions": [ "http://???" ]

"permissions": [ "http://*/*" ]

The desired, least-privilege security policy ("http://???") is inexpressible, so the extension has to request "http://*/*".

Rewrite mailto: links on all sites

Sends selected word to Google from any website
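An added example, not from the deck: a small Python checker that applies the deck's manifest policy analysis (slides 7 to 11) to a Chrome manifest, parsing the host match patterns and reporting whether the extension can read data on all websites, which fixed set of sites it is bound to, and whether it holds the history API permission. The two manifests are constructed from the slides' snippets; the classification buckets are the ones the deck's charts use.

```python
import json
import re

# Chrome match pattern: <scheme>://<host><path>, where host is "*", "*.example.com"
# or a full hostname. "<all_urls>" is the catch-all pattern.
MATCH = re.compile(r"^(\*|https?|file|ftp)://(\*|\*\.[^/*]+|[^/*]+)(/.*)$")

def host_scope(perm):
    """'all' for any-host patterns, the site for host-bound ones, None for API permissions."""
    if perm == "<all_urls>":
        return "all"
    m = MATCH.match(perm)
    if not m:
        return None                       # an API permission such as "tabs", not a URL
    host = m.group(2)
    return "all" if host == "*" else host.lstrip("*.")

def classify(manifest_json):
    """Reproduce the deck's policy analysis (slides 8 to 10) for one manifest."""
    perms = json.loads(manifest_json).get("permissions", [])
    sites, all_sites, apis = set(), False, []
    for p in perms:
        scope = host_scope(p)
        if scope == "all":
            all_sites = True
        elif scope is None:
            apis.append(p)
        else:
            sites.add(scope)
    return {
        "all_websites": all_sites,            # "access to all data on all websites"
        "websites": sorted(sites),            # the fixed set of hosts it can run on
        "history_access": "history" in apis,  # chrome.history API permission
        "api_permissions": apis,
    }

# Constructed manifests built from the slides' snippets: slide 7's Twitter/bit.ly
# extension, and the "http://*/*" declaration that slide 11 shows is forced on an
# extension whose least-privilege policy is inexpressible.
TWITTER = '{"permissions": ["tabs", "http://www.twitter.com/*", "http://api.bit.ly/"]}'
ANY_SITE = '{"permissions": ["http://*/*"]}'

if __name__ == "__main__":
    for name, m in (("twitter", TWITTER), ("any site", ANY_SITE)):
        print(name, classify(m))
```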

Page 12: Verified Security for Browser Extensions

Access to all websites

Full History Access

Access to all websites

Access to all data on all websites

Page 13: Verified Security for Browser Extensions

IBEX: Rethinking Browser Extension Security

1. Cross-platform extension model

2. Expressive policies with formal semantics

3. Secure-by-construction extensions

4. Empirical evaluation: 17 varied extensions proved secure

Page 14: Verified Security for Browser Extensions

Extension in Fine

Type-safe high-level language

Page 15: Verified Security for Browser Extensions

Developers
• Write extension and policy in Fine
• Use tools to ensure extension conforms to policy

Gallery
• Uses tools to ensure extension conforms to policy
• Uses visualizer to help understand policy

Users
• Trust curated extension gallery
• Install approved extensions

[Diagram components: Extension in Fine, Extension policy, Fine Verifier & Compiler, Policy Visualizer, C3, Secure Browser API]

Fine: ML/F# dialect with a type system for program verification

Page 16: Verified Security for Browser Extensions

[Diagram components: Extension in Fine, Extension policy, Fine Verifier & Compiler, C3, Secure Browser API]

EXAMPLE: ONLY READ TEXT IN <HEAD>

Page 17: Verified Security for Browser Extensions

DOM API

type elt
val getInnerText : elt -> string
val getTagName : elt -> string

Native DOM elements, abstract to Fine

Implemented in Browser

Page 18: Verified Security for Browser Extensions

Secure DOM API

type elt
val getInnerText : { e:elt | CanRead e } -> string
val getTagName : e:elt -> { s:string | EltTagName e s }

Precondition: DOM permission (CanRead e)

Postcondition: DOM predicate (EltTagName e s)

ONLY READ TEXT IN <HEAD>

Page 19: Verified Security for Browser Extensions

Secure DOM API

type elt
val getInnerText : { e:elt | CanRead e } -> string
val getTagName : e:elt -> { s:string | EltTagName e s }

Policy

∀ (e:elt). EltTagName e "head" ⇒ CanRead e

Page 20: Verified Security for Browser Extensions

Secure DOM API

type elt
val getInnerText : { e:elt | CanRead e } -> string
val getTagName : e:elt -> { s:string | EltTagName e s }

Policy

∀ (e:elt). EltTagName e "head" ⇒ CanRead e

Code

let read e = if getTagName e = "head" then getInnerText e else "not <head>"

(In the then-branch the postcondition of getTagName gives EltTagName e "head", so the policy yields CanRead e, the precondition of getInnerText.)

Fine checks pre- and post-conditions statically

1. No manual code audit (only policy audit)

2. No security exceptions (robust) and no runtime overhead (fast)

Page 21: Verified Security for Browser Extensions

Library of Predicates and Permissions

Predicates                          | Permissions
DocDomain doc string                | CanReadSelection doc
EltDoc elt doc                      | CanAppend elt
EltTagName elt string               | CanEdit elt
EltTextValue elt string             | CanReadValue elt
EltAttr elt string string           | CanWriteValue elt
EltParent elt elt                   | CanReadAttr elt string
UrlScheme url string                | CanWriteAttr elt string string
UrlHost url string                  | CanRequest string
UrlPath url string                  |
UrlQuery url list<string * string>  |

Groups: DOM; Network requests; Event handlers, selected text, etc.; various other predicates and permissions

Page 22: Verified Security for Browser Extensions

WHAT DOES “SECURE” MEAN?

1. Formal Model

2. Policy Visualization

Page 23: Verified Security for Browser Extensions

FORMAL MODEL

1. Formal Model of core browser + reference monitor
• Key element: interaction of extension with JavaScript on page

2. Theorem: well-typed programs do not signal reference monitor errors
• Reference monitor not needed
• Relies on type soundness of Fine

3. Assumption: tag names and attribute names are public metadata

4. Analysis of security property
• Strength: Robust safety in the presence of JavaScript side effects
• Weakness: admits collusion between malicious JavaScript on a page and extension

Page 24: Verified Security for Browser Extensions

SECURE^

EXAMPLE: FACEBOOK EXTENSION

Page 25: Verified Security for Browser Extensions

Question: What is the security policy?

Bookmarks my friends’ Websites

Page 26: Verified Security for Browser Extensions

Principle of Least Authority

Can Read Websites

Can Read Names

(and ability to bookmark, elided)

Page 27: Verified Security for Browser Extensions

Policy: Can read <a> tags

Can read <a> tags: can read links to likes, dislikes, groups, posts, friends, …

Page 28: Verified Security for Browser Extensions

Policy: Can read <td class="data"> tags

Page 29: Verified Security for Browser Extensions

Policy: can read <td class="data"> tags, if adjacent to <th class="label">Website:</th>

∀ (data:elt), (label:elt). EltSibling data label && EltAttr label "class" "label" && EltAttr data "class" "data" && EltTextValue label "Website:" ⇒ CanRead data

Page 30: Verified Security for Browser Extensions

∀ (e:elt). CanReadAttr e "class"

∀ (label:elt), (labelText:elt). EltParent labelText label && EltAttr label "class" "label" ⇒ CanReadValue labelText

∀ (data:elt), (label:elt), (labelText:elt), (website:elt), (parent:elt). EltParent data parent && EltParent label parent && EltParent website data && EltParent labelText label && EltAttr label "class" "label" && EltTextValue labelText "Website:" ⇒ CanReadAttr website "href"

POLICY VISUALIZATION

Can we help extension reviewers read this?

Interpret policies as selectors (e.g., XPath, jQuery, or CSS)

Page 31: Verified Security for Browser Extensions

Page 32: Verified Security for Browser Extensions

Curator still needs to read the policy

Page 33: Verified Security for Browser Extensions

EMPIRICAL EVALUATION

Page 34: Verified Security for Browser Extensions

Extension Name       | Limited Extension Behavior
Gmail checker        | Rewrites “mailto:” links to open Gmail compose page
Dictionary lookup    | Queries online dictionary with selection; displays definition in a popup
PrintNewYorker       | Rewrites internal links to go directly to print view
Bookmarking          | Sends selection to delicious.com
Google Reader client | Sends RSS feed links to Google Reader
Facebook miner       | Sends friends’ Web addresses to delicious.com
JavaScript toolbox   | Edits selected text
Password manager     | Stores and retrieves passwords on each page
Magnify under mouse  | Modifies the CSS on the page
Short URL expander   | Sends URLs to longurlplease.com
Typography           | Modifies <input> elements

Precise, fine-grained policies

Page 35: Verified Security for Browser Extensions

Experimental Results

Name                 | Verification Time (sec) | Fine LOC | JS LOC
PrintNewYorker       | 6.2  | 45  |
Dictionary lookup    | 6.6  | 70  |
Facebook + Delicious | 10.7 | 142 |
Password manager     | 5.7  | 52  |
Magnifier            | 6.0  | 23  |
Bookmarking          | 5.8  | 19  | 6,202
Gmail checker        | 6.5  | 43  | 7,647
Google Reader client | 6.5  | 47  | 1,055
JavaScript toolbox   | 6.3  | 19  | 1,878
Short URL expander   | 5.2  | 22  | 494
Typography           | 6.2  | 44  | 18,458
Twitter Miner        | 6.4  | 36  |
Bing Miner           | 6.8  | 35  |
Netflix Miner        | 7.7  | 110 |
Glue Miner           | 9.5  | 101 |

Row-group annotations on the slide: DOM + Network authorization; DOM + history + storage + dataflow (next presentation); authorization

Page 36: Verified Security for Browser Extensions

[Architecture diagram repeated from slide 15. Developers: write extension and policy in Fine; use tools to ensure extension conforms to policy. Gallery: uses tools to ensure extension conforms to policy; uses visualizer to help understand policy. Users: trust curated extension gallery; install approved extensions. Components: Extension in Fine, Extension policy, Fine Verifier & Compiler, Policy Visualizer, C3, Secure Browser API]

Available online: http://research.microsoft.com/fstar

Page 37: Verified Security for Browser Extensions

Extra slides

Page 38: Verified Security for Browser Extensions

<html>...<div id="phone">+1 (401) 484-8019</div>...<input type="password" value="redbull64" />...</html>

Policy: ∀ (e:elt). EltAttr e "id" "phone" ⇒ CanRead e

Verified Fine code:
let e = getElementById "phone"
let phoneNumber = getTextValue e

JavaScript on the page:
var phone = document.getElementById("phone");
var pass = document.getElementsByTagName("input")[0];
phone.innerText = pass.value

Verified Fine code, after the page script has run:
let password = getTextValue e

1. Monotonic policies; no dynamic revocation

2. Authorization policies, not information flow
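An added example, not the paper's Fine code: a Python model of the IBEX predicates and permissions from the deck, used to evaluate three of its policies over a constructed page: the <head> rule of slides 19 and 20, the adjacent-cell rule of slide 29, and the id="phone" rule of this slide. The runtime check in getInnerText stands in for the precondition that Fine proves statically; collusion_demo shows why this slide calls the policy an authorization policy rather than an information-flow policy. The Elt class, sample_page and all values in it are constructed here.

```python
from dataclasses import dataclass, field

@dataclass(eq=False, repr=False)
class Elt:                        # constructed stand-in for the deck's abstract `elt` type
    tag: str
    attrs: dict = field(default_factory=dict)
    text: str = ""
    children: list = field(default_factory=list)
    parent: object = None
    def __post_init__(self):
        for c in self.children:
            c.parent = self

# Predicates from the deck's library (slide 21), modelled as plain functions.
def EltTagName(e, s): return e.tag == s
def EltAttr(e, k, v): return e.attrs.get(k) == v
def EltTextValue(e, s): return e.text == s
def EltSibling(a, b): return a is not b and a.parent is not None and a.parent is b.parent

# Policy rules: each decides whether the permission CanRead e is derivable.
def can_read_head(e):                 # slide 19: EltTagName e "head" => CanRead e
    return EltTagName(e, "head")
def can_read_phone(e):                # slide 38: EltAttr e "id" "phone" => CanRead e
    return EltAttr(e, "id", "phone")
def can_read_website_cell(data):      # slide 29: td.data beside <th class="label">Website:</th>
    siblings = data.parent.children if data.parent else []
    return EltAttr(data, "class", "data") and any(
        EltSibling(data, lb) and EltAttr(lb, "class", "label") and EltTextValue(lb, "Website:")
        for lb in siblings)

def getInnerText(e, policy):
    """Secure getInnerText: precondition CanRead e (Fine proves it statically; a monitor checks it here)."""
    if not policy(e):
        raise PermissionError(f"CanRead not derivable for <{e.tag}>")
    return e.text

def sample_page():
    """Constructed page: a profile table (slide 29) plus slide 38's div and password field."""
    row = lambda label, value: Elt("tr", children=[
        Elt("th", {"class": "label"}, label), Elt("td", {"class": "data"}, value)])
    return Elt("html", children=[Elt("head", text="Profile"), Elt("body", children=[
        Elt("table", children=[row("Website:", "http://example.org"), row("Name:", "Alice")]),
        Elt("div", {"id": "phone"}, "555-0100"), Elt("input", {"type": "password"}, "hunter2")])])

def collusion_demo():
    """Slide 38: page JS copies the password into #phone; the extension's read stays authorized."""
    body = sample_page().children[1]
    phone, pw = body.children[1], body.children[2]
    phone.text = pw.text              # phone.innerText = pass.value, run by untrusted page code
    return getInnerText(phone, can_read_phone)
```

The policy only ever inspects static metadata (tag, attributes, tree position), so a page script that moves secret text into an element the extension may read is invisible to it; that is the collusion weakness slide 23 lists.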

Page 39: Verified Security for Browser Extensions

[Toolchain diagram labels: Extension code, Policy, Fine Type-checker & Compiler (+ Z3), DCIL Binary, DCIL Verifier, C3, JavaScript extension]

Page 40: Verified Security for Browser Extensions

Remove friend?!

Curator still needs to read the policy

Page 41: Verified Security for Browser Extensions

Can we secure existing extensions?

Page 42: Verified Security for Browser Extensions

Chrome Extension Model

[Diagram labels: Web Page, Web Server, Content script, Extension core (JavaScript), Sandbox, Message Passing, HTTP, DOM Interactions, Verified]

Rewrite in Fine