AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE
Nicholas Carlini, Adrienne Porter Felt, David Wagner
University of California, Berkeley
[Figure: extension architecture. Labels: extension, browser API (history, bookmarks), client-side website, servers]
WEB ATTACKER
[Figure: web attacker threat model. Labels: extension, browser API (history, bookmarks), client-side website, servers]
NETWORK ATTACKER
[Figure: network attacker threat model. Labels: extension, browser API (history, bookmarks), client-side website, servers]
PRIVILEGE SEPARATION
[Figure: extension split into a content script and a core extension. Labels: browser API (history, bookmarks), client-side website, servers]
ISOLATED WORLDS
[Figure: content script and client-side website placed in separate isolated worlds. Labels: core extension, browser API (history, bookmarks), servers]
PERMISSIONS
[Figure: permissions governing the core extension's access to the browser API and servers. Labels: content script, core extension, client-side website, history, bookmarks, server]
FINDING BUGS
SAMPLE: 50 most popular + 50 random extensions
METHODS: Black-box testing + source code analysis
VERIFICATION: Built exploits to confirm the vulnerabilities
VULNERABILITIES
Vulnerability Location   Web Attacker   Network Attacker
Core                     5              50
Content Script           3              1
Website                  6              14
70 vulnerabilities in 40 extensions
DATA AS HTML
MISTAKE: Insert data as HTML, where it can execute
MITIGATION: Will execute in website's isolated world
VULNERABILITIES: 6 extensions have data-as-HTML bugs that don't cause content script vulnerabilities
EVAL
MISTAKE: Use eval to execute untrusted data
MITIGATION: Isolated worlds does not mitigate this bug
VULNERABILITIES: 2 vulnerabilities due to this mistake
CLICK INJECTION
MISTAKE: Trusting event handlers on a website
MITIGATION: Isolated worlds does not mitigate this bug
VULNERABILITIES: 1 vulnerability due to this mistake
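The three content-script mistakes on these slides, as an added example that is not code from the paper or from any of the studied extensions. Each mistake is shown next to a safe counterpart. A small constructed stand-in replaces the DOM element so the block runs in Node; the untrusted title, the server response and the `isTrusted` check are assumptions made for the example (the slides do not name a click-injection mitigation).

```javascript
// Added example (not from the paper): data as HTML, eval on untrusted data,
// and trusting page click events, each beside a safe alternative.

// Constructed stand-in for a DOM element: innerHTML keeps markup live,
// textContent stores the string as inert text (shown here as escaped HTML).
function makeElement() {
  return {
    html: "",
    setInnerHTML(s) { this.html = s; },
    setTextContent(s) {
      this.html = s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    },
  };
}

// Constructed untrusted data, e.g. a page title scraped by a content script.
const UNTRUSTED_TITLE = "Untitled<script>/* page-controlled */</script>";

// MISTAKE 1: data as HTML. The page's markup becomes live DOM. When a content
// script does this, the injected script runs in the website's isolated world,
// so the page gains no extension privileges; the same line in the core
// extension would run with the extension's full privileges.
function renderTitleUnsafe(el, title) {
  el.setInnerHTML(title);
  return el.html;
}
// Fix: insert the value as text, so markup is displayed and never executed.
function renderTitleSafe(el, title) {
  el.setTextContent(title);
  return el.html;
}

// MISTAKE 2: eval on an untrusted response. eval runs whatever the server (or,
// over HTTP, a network attacker) sent, with the script's own privileges, so
// isolated worlds cannot help. JSON.parse accepts only data and throws on code.
function parseResponseUnsafe(body) {
  return eval("(" + body + ")"); // executes code hidden in the response
}
function parseResponseSafe(body) {
  return JSON.parse(body); // SyntaxError on anything that is not JSON
}

// MISTAKE 3: click injection. Page scripts can dispatch synthetic click events
// on the element the content script listens to, so "the user clicked" is not a
// safe assumption. Browsers set event.isTrusted to false on script-generated
// events; checking it is one mitigation (an assumption of this example).
function onActionClickedUnsafe(event) {
  return "perform-privileged-action";
}
function onActionClickedSafe(event) {
  return event.isTrusted ? "perform-privileged-action" : "ignored-synthetic-event";
}

// Walk-through: the constructed inputs driven through both variants.
function demo() {
  const html = renderTitleUnsafe(makeElement(), UNTRUSTED_TITLE);
  const text = renderTitleSafe(makeElement(), UNTRUSTED_TITLE);
  let safeRejected = false;
  try { parseResponseSafe("({x: 1})"); } catch (e) { safeRejected = e instanceof SyntaxError; }
  return {
    markupSurvives: html.includes("<script>"),
    markupEscaped: !text.includes("<script>"),
    evalRanCode: parseResponseUnsafe("(function () { return 'ran'; })()") === "ran",
    jsonRejectedCode: safeRejected,
    syntheticClickIgnored: onActionClickedSafe({ isTrusted: false }) === "ignored-synthetic-event",
    unsafeHandlerActs: onActionClickedUnsafe({ isTrusted: false }) === "perform-privileged-action",
  };
}
```

The `demo()` result shows why only the first mistake is covered by isolated worlds: the escaped title is a display problem, whereas the `eval` and click cases run the script's own privileged code path on attacker-chosen input.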
PRIVILEGE SEPARATION
[Figure: extension split into a content script and a core extension. Labels: browser API (history, bookmarks), client-side website]
PRIVILEGE “LEAKAGE”
Permissions                Extensions
All of the extensions'     7%
Partial: XHRs              15%
Partial: tab control       8%
Partial: other             8%
(Of the 61 extensions with content scripts)
Privilege separation would fully protect most core extensions, but a third of developers circumvent it
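What the "Partial: XHRs" row looks like in code, as an added example that is not from the paper: a core extension that forwards arbitrary XHRs for its content script has handed that permission across the privilege boundary, while a core that exposes one narrow, validated operation keeps it. `chrome.runtime` messaging is replaced by plain functions taking the message and an injected `fetchUrl` callback so the block runs offline; the API origin and the message shapes are constructed for the example.

```javascript
// Added example (not from the paper): privilege leakage through messaging.

const API_ORIGIN = "https://api.example.invalid"; // constructed placeholder

// Leaky core: forwards any URL the content script names. A compromised content
// script (or a page that can influence its messages) now wields the core's
// cross-origin XHR permission, which is exactly what separation was meant to
// withhold from it.
function handleMessageLeaky(msg, fetchUrl) {
  if (msg.type === "xhr") return fetchUrl(msg.url);
  return null;
}

// Separated core: one narrow operation. The content script can only ask for an
// item by a validated id; origin and path shape are fixed inside the core, so
// the XHR capability never crosses the boundary.
const ITEM_ID = /^[a-z0-9]{1,32}$/;
function handleMessageSeparated(msg, fetchUrl) {
  if (msg.type !== "lookupItem" || typeof msg.id !== "string" || !ITEM_ID.test(msg.id)) {
    return null; // unknown request shape: refuse rather than guess
  }
  return fetchUrl(API_ORIGIN + "/items/" + encodeURIComponent(msg.id));
}

// Constructed stand-in for the network: records what the core requested.
function makeRecorder() {
  const urls = [];
  return { urls, fetchUrl(url) { urls.push(url); return "response-for:" + url; } };
}

// What a hostile content script can reach through each core.
function demo() {
  const leaky = makeRecorder();
  const separated = makeRecorder();
  const messages = [
    { type: "xhr", url: "https://mail.example.invalid/inbox" }, // arbitrary origin
    { type: "lookupItem", id: "../../admin" },                  // malformed id
    { type: "lookupItem", id: "abc123" },                       // the intended use
  ];
  for (const msg of messages) {
    handleMessageLeaky(msg, leaky.fetchUrl);
    handleMessageSeparated(msg, separated.fetchUrl);
  }
  return { leakyUrls: leaky.urls, separatedUrls: separated.urls };
}
```

The recorder output makes the leak visible: the leaky core fetched an unrelated origin on request, whereas the separated core only ever contacted the fixed API, and only for a well-formed id.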
METADATA ATTACK
[Figure: metadata attack diagram. Labels: content script, core extension, browser API (history, bookmarks), client-side website, servers]
5 metadata attacks
HTTP SCRIPTS/XHRS
[Figure: core extension loading scripts and issuing XHRs over HTTP. Labels: content script, core extension, browser API (history, bookmarks), client-side website, servers]
16 HTTP XHRs
28 HTTP scripts
POTENTIAL BANS
Restriction                Security Benefit   Broken, But Fixable   Broken And Unfixable
No HTTP scripts in cores   15%                15%                   0%
No inline scripts          15%                79%                   0%
No eval                    3%                 30%                   2%
No HTTP XHRs               17%                29%                   14%
ADOPTION
Restriction                Security Benefit   Broken, But Fixable   Broken And Unfixable
Chrome 18 policy           27%                85%                   2%
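Chrome 18 enforced the adopted bans through a manifest `content_security_policy`. The checker below is an added example, not code from the paper or from Chrome: it reads such a policy and reports which of the first three restrictions in the table (no HTTP scripts, no inline scripts, no eval) it enforces. The parser is a constructed minimum (directives split on `;`, sources on whitespace), and the HTTP XHR ban is deliberately not modelled because script-source directives do not express it. The default policy string is the one Chrome applies to manifest_version 2 extensions; the loosened policy is constructed.

```javascript
// Added example (not from the paper): audit an extension CSP against the
// restrictions listed on the slides.

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return directives;
}

// Whether a script-src source list lets scripts load over plain HTTP.
function allowsHttpScripts(sources) {
  return sources.some(s => s === "*" || s === "http:" || s.startsWith("http://"));
}

function auditPolicy(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src; with neither, nothing is restricted.
  const script = d["script-src"] || d["default-src"];
  if (!script) return { noHttpScripts: false, noInlineScripts: false, noEval: false };
  return {
    noHttpScripts: !allowsHttpScripts(script),
    noInlineScripts: !script.includes("'unsafe-inline'"),
    noEval: !script.includes("'unsafe-eval'"),
  };
}

// Default policy Chrome applies to manifest_version 2 extensions (Chrome 18+).
const CHROME18_DEFAULT = "script-src 'self'; object-src 'self'";
// Constructed policy that opts back out of two of the bans.
const LOOSENED = "script-src 'self' 'unsafe-eval' http://cdn.example.invalid; object-src 'self'";

// Summarise a policy as the list of restrictions it does NOT enforce.
function missingRestrictions(policy) {
  const a = auditPolicy(policy);
  return Object.keys(a).filter(k => !a[k]);
}
```

`missingRestrictions(CHROME18_DEFAULT)` is empty, while the loosened policy reports `noHttpScripts` and `noEval` as missing: the two lines a developer adds to keep a remote script or `eval` working are exactly the two that reopen the vulnerability classes in the table.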
CONCLUSION
• Isolated worlds prevents common bugs
• Some developers don’t use privilege separation optimally
• Permissions reduce scope of vulns
• Recommend banning unsafe practices to protect core extensions