
Verified Security for Browser Extensions

Verified Security for Browser Extensions. Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy. Brown University. University of Wisconsin-Madison. Microsoft Research. Curated Extension Gallery. 1/3rd of Firefox users run extensions (~34 million users)





Presentation Transcript


  1. Verified Security for Browser Extensions. Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy. Brown University, University of Wisconsin-Madison, Microsoft Research

  2. Curated Extension Gallery 1/3rd of Firefox users run extensions (~34 million users) Popular Chrome extensions have thousands of users

  3. Extension Security

  4. Change mailto: links mailto:joe@cs.brown.edu Change links to evil.com? https://mail.google.com/mail/?view=cm&tf=1&to=joe@cs.brown.edu&cc=&su=&body=&fs=1

  5. Google Dictionary Service evil.com Send my email to evil.com? Sends selected word to Google

  6. Access Control in Chrome "permissions": [ "tabs", "http://www.twitter.com/*", "http://api.bit.ly/", ] 1. Sensitive APIs 2. Extension runs on these URLs Barth et al. Protecting Browsers from Extension Vulnerabilities. NDSS 2010.

  7. Policy analysis: Accessible URLs (chart over 1,137 extension policies). Categories: access to all data on all websites; access to all data on one website; access to 2–86 websites.

  8. 30% (of 1,137) have access to your data on all websites

  9. Policy analysis: Access to history (chart over 1,137 extension policies). Full history access: why?

  10. Rewrite mailto: links on all sites; send selected word to Google from any website. Desired: "permissions": [ "http://???" ]. Available: "permissions": [ "http://*/*" ]. The desired, least-privilege security policy is inexpressible.

  11. Chart: Full History Access vs. Access to all websites vs. Access to all data on all websites.

  12. IBEX: Rethinking Browser Extension Security • Cross-platform extension model • Expressive policies with formal semantics • Secure-by-construction extensions • Empirical evaluation: 17 varied extensions proved secure

  13. Extension in Fine Type-safe high-level language

  14. Extension in Fine + Extension policy → Fine Verifier & Compiler → Secure Browser API / Policy Visualizer → C3. Fine: ML/F# dialect with a type system for program verification.
      • Developers: write extension and policy in Fine; use tools to ensure extension conforms to policy
      • Gallery: uses tools to ensure extension conforms to policy; uses visualizer to help understand policy
      • Users: trust curated extension gallery; install approved extensions

  15. Extension in Fine + Extension policy → Fine Verifier & Compiler → Secure Browser API → C3. Example: Only Read text in <head>

  16. Native DOM elements, abstract to Fine (DOM API implemented in browser):
      type elt
      val getInnerText : elt -> string
      val getTagName : elt -> string

  17. Secure DOM API (Only Read text in <head>):
      type elt
      val getInnerText : { e:elt | CanRead e } -> string       (precondition: DOM permission)
      val getTagName : e:elt -> { s:string | EltTagName e s }  (postcondition: DOM predicate)

  18. Secure DOM API:
      type elt
      val getInnerText : { e:elt | CanRead e } -> string
      val getTagName : e:elt -> { s:string | EltTagName e s }
      Policy: ∀(e:elt). EltTagName e "head" ⇒ CanRead e

  19. Secure DOM API:
      type elt
      val getInnerText : { e:elt | CanRead e } -> string
      val getTagName : e:elt -> { s:string | EltTagName e s }
      Policy: ∀(e:elt). EltTagName e "head" ⇒ CanRead e
      Code:
      let read e =
        if getTagName e = "head" then getInnerText e
        else "not <head>"
      Fine checks pre- and post-conditions statically: from the policy and EltTagName e "head", CanRead e follows. No manual code audit (only policy audit). No security exceptions (robust) and no runtime overhead (fast).

  20. Library of Predicates and Permissions DOM Network requests Event handlers, selected text, etc. various other predicates and permissions

  21. What Does “Secure” Mean? Formal Model Policy Visualization

  22. Formal Model of core browser + reference monitor
      • Key element: interaction of extension with JavaScript on page
      • Theorem: well-typed programs do not signal reference monitor errors; reference monitor not needed; relies on type soundness of Fine
      • Assumption: tag names and attribute names are public metadata
      • Analysis of security property. Strength: robust safety in the presence of JavaScript side effects. Weakness: admits collusion between malicious JavaScript on a page and extension

  23. Example: FaceBook Extension (marked SECURE)

  24. Question: What is the security policy? Bookmarks my friends’ Websites

  25. Can Read Names Can Read Websites (and ability to bookmark—elided) Principle of Least Authority

  26. Policy: Can read <a> tags. Can read <a> tags ⇒ can read links to likes, dislikes, groups, posts, friends, …

  27. Policy: Can read <td class="data"> tags

  28. Policy: can read <td class="data"> tags, if adjacent to <th class="label">Website:</th>
      ∀(data:elt), (label:elt). EltSibling data label && EltAttr label "class" "label" && EltAttr data "class" "data" && EltTextValue label "Website:" ⇒ CanRead data

  29. Policy Visualization. Interpret policies as selectors (e.g., XPath, jQuery, or CSS). Can we help extension reviewers read this?
      ∀(e:elt). CanReadAttr e "class"
      ∀(label:elt), (labelText:elt). EltParent labelText label && EltAttr label "class" "label" ⇒ CanReadValue labelText
      ∀(data:elt), (label:elt), (labelText:elt), (website:elt), (parent:elt). EltParent data parent && EltParent label parent && EltParent website data && EltParent labelText label && EltAttr label "class" "label" && EltTextValue labelText "Website:" ⇒ CanReadAttr website "href"
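The slide-28 policy and its slide-29 "policy as selector" reading as a runnable model, added here as an illustration: this is Python rather than Fine and not IBEX code, and it checks CanRead at call time where Fine proves it statically. Elt, the predicate helpers, build_profile and the sample values are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Elt:  # constructed stand-in for Fine's abstract elt type (hypothetical, not the IBEX API)
    tag: str
    attrs: dict = field(default_factory=dict)
    text: str = ""
    parent: "Elt | None" = None
    children: list = field(default_factory=list)

    def append(self, child):
        child.parent = self
        self.children.append(child)
        return child

# DOM predicates named as on the slides; tag names, attributes and text are public metadata.
def elt_attr(e, k, v): return e.attrs.get(k) == v
def elt_text_value(e, s): return e.text == s
def elt_sibling(a, b): return a.parent is not None and a.parent is b.parent and a is not b

def can_read(data):
    """Slide-28 policy: CanRead data holds iff some sibling label witnesses the conjunction."""
    if data.parent is None: return False
    return any(elt_sibling(data, label) and elt_attr(label, "class", "label")
               and elt_attr(data, "class", "data") and elt_text_value(label, "Website:")
               for label in data.parent.children)

def get_inner_text(e):
    """Precondition { e:elt | CanRead e } checked at call time; Fine would prove it statically."""
    if not can_read(e):
        raise PermissionError(f"policy denies CanRead on <{e.tag}>")
    return e.text

def authorized_texts(root):
    """Slide-29 reading of the policy as a selector: text of every node the extension may read."""
    out, stack = [], [root]
    while stack:
        e = stack.pop()
        if can_read(e):
            out.append(e.text)
        stack.extend(reversed(e.children))
    return out

def build_profile():
    """Constructed sample profile table shaped like the FaceBook example (values made up)."""
    table = Elt("table")
    for label, value in (("Website:", "http://example.com/joe"), ("Phone:", "+1 555 0100")):
        row = table.append(Elt("tr"))
        row.append(Elt("th", {"class": "label"}, label))
        row.append(Elt("td", {"class": "data"}, value))
    return table
```

Only the cell next to the "Website:" label is readable; the phone cell, which shares the same tag and class, is denied because no sibling label matches.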

  30. Curator still needs to read the policy

  31. Empirical Evaluation

  32. Precise, fine-grained policies

  33. Experimental Results: DOM + Network authorization; DOM + history + storage + dataflow authorization (next presentation)

  34. Extension in Fine + Extension policy → Fine Verifier & Compiler → Secure Browser API / Policy Visualizer → C3
      • Developers: write extension and policy in Fine; use tools to ensure extension conforms to policy
      • Gallery: uses tools to ensure extension conforms to policy; uses visualizer to help understand policy
      • Users: trust curated extension gallery; install approved extensions
      Available online: http://research.microsoft.com/fstar

  35. Extra slides

  36. Policy: ∀(e:elt). EltAttr e "id" "phone" ⇒ CanRead e
      Page:
      <html> ... <div id="phone">+1 (401) 484-8019</div> ... <input type="password" value="redbull64" /> ... </html>
      Verified Fine code:
      let e = getElementById "phone"
      let phoneNumber = getTextValue e
      JavaScript on the page:
      var phone = document.getElementById("phone");
      var pass = document.getElementsByTagName("input")[0];
      phone.innerText = pass.value
      Verified Fine code:
      let password = getTextValue e
      Monotonic policies; no dynamic revocation. Authorization policies, not information flow.

  37. Toolchain (diagram): Extension code + Policy → FINE Type-checker & Compiler (+ Z3) → DCIL binary → DCIL Verifier; targets: JavaScript extension, C3

  38. Curator still needs to read the policy Remove friend?!

  39. Can we secure existing extensions?

  40. Chrome Extension Model (diagram): Web page ↔ DOM interactions ↔ Content script (verified; rewrite in Fine) ↔ message passing ↔ Extension core (JavaScript, sandbox) ↔ HTTP ↔ Web server
