1 / 44

Retargetting Legacy Browser Extensions to Modern Extension Framework

Retargetting Legacy Browser Extensions to Modern Extension Framework. Rezwana Karim , Vinod Ganapathy Computer Science, Rutgers University. Mohan Dhawan IBM Research, India. ECOOP ’ 14. Browser Extension. Enhance browser functionality Customize to meet user need

jackiesoto
Download Presentation

Retargetting Legacy Browser Extensions to Modern Extension Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Retargetting Legacy Browser Extensions to Modern Extension Framework Rezwana Karim, VinodGanapathy Computer Science, Rutgers University Mohan Dhawan IBM Research, India ECOOP’14

  2. Browser Extension • Enhance browser functionality • Customize to meet user need • Hugely popular, ~9000 extensions • 265 million downloads, ~20 million daily usage for AdblockPlus • Unrestricted access to privileged resources Rezwana Karim

  3. Problems in legacy extensions www.evil.com Rezwana Karim

  4. Legacy extension architecture Extension Code (Content Script + Chrome Script) Access sensitive resource Interact with Web pages Web page Sensitive resources Chrome: JavaScript code executing within the extension Content: JavaScript code on the web page Rezwana Karim

  5. Modern extension architecture • Privilege Separation • Principle of least authority (POLA) Chrome Process Content Process Content Scripts Chrome Scripts Invoke content scripts Load content scripts Content Proxy Communicate with content scripts Send/Receive JSON data from chrome scripts manifest Interact with Web pages Access sensitive resources Web page Sensitive resources Rezwana Karim

  6. Modern extension architecture (cont’d) • Goal • Limit ill effect of vulnerability • Ease development process • Example • Mozilla’s Jetpack for Firefox • Google Chrome extension architecture Rezwana Karim

  7. Developer’s expertise affect extension security Insecure programming practice can lead to vulnerabilities in modern extension [Karim et al., ECOOP‘12] Main File Network Rezwana Karim

  8. Problem • Legacy extension is unsafe • ~9000 popular legacy extensions • Modern extension • Enhanced security guarantee • Compatible with future browser architecture • Rewrite from scratch • Not preserving the investment in legacy extension • Manual transformation • Time consuming, labor-intensive • Deep and clear understanding of differences between two programming models • Developing secure, modern extension demands developer’s expertise Rezwana Karim

  9. Morpheus • Automated transformation toolchain • Static dataflow analysis of legacy code • Rewrite code to conform to the structural constraints of modern extensions • Goal • Improve security by adhering to security principles in Jetpack modules • POLA • Privilege separation • Preserve functionality and UI • Successfully ported 52 real-world legacy extensions to modern extension framework Rezwana Karim

  10. Design challenges • Privilege Separation • Principle of Least Authority(POLA) • Policy Enforcement • Fine-grained access control • Prevent/ Block potentially dangerous information flow • Preserve UI

  11. Challenge 1: Privilege Separation • Chrome/content partition • Object context/privilege may vary within a single statement • Synchronous vs. asynchronous communication • Partition monolithic code into isolated JavaScript(JS) modules • Increase the minimum number of modules to be compromised • Minimize privilege-variation in a module • Handle globals resulted from refactoring Rezwana Karim

  12. Chrome/content partition: solution • Static dataflow analysis to identify object’s context • Rewrite property access with accessor • Opaque identifiers for shared objects • Modified content proxy for emulating synchronous communication over asynchronous channel Content contentDocument Asynchronous communication gBrowser.contentDocument Chrome Content Proxy .getProperty(‘contentDocument’) gBrowser Legacy Modern Rezwana Karim

  13. Partition code into modules Analyze legacy code • Core modules • For each privileged browser API • Encapsulate privileged object • User modules • Extracted from legacy code • Ideal: privilege-based partition • Complex analysis • Heuristic: Group related functionality • Capture developer’s intent • Object ownership • GlobalGET/GlobalSET construct for accessing globals Wrap sensitive resource access to use core modules Identify user module and its usage Rewrite references Rezwana Karim

  14. Jetpack architecture in Morpheus • Core module wraps access to sensitive resources Content Process Chrome Process Chrome Scripts Content Scripts Invoke content scripts Load content scripts Content Proxy Communicate with content scripts Send/Receive JSON data from chrome scripts manifest Interact with Web pages Core Modules Policy Checker Access sensitive resources Web page Sensitive resources Rezwana Karim

  15. Challenge 2: Conformance to POLA • Only required modules are imported • No reference leak across module interface • Encapsulate privileged object • Exposes only accessor methods; returns • Primitive values • An instance of a module • Generate Manifest

  16. Module template . . . getProperty: function() { var propertyName = arguments[0]; var violated = policyChecker.check(<core_module_name>, propertyName); if(violated) return {}; var ref = table.getReference(this.id); switch(propertyName) { case’< depends on the core module >’: var retval = ref[propertyName]; var newref = <new_core_module_instance> ; table.setReference(newref.id, retval); return newref; ... /* more case statements */ default: return null; } } . . . Rezwana Karim

  17. Rewriting rules Rule R1: import module ξ is sensitive-resource-access expression m := get-module-name(ξ) ξ′ := require(’m’) Rule R2: method invocation with invoke ξ is method invoke expression in AST T o := object(ξ), o is sensitive OR o is in content μ := method(exp), α := arguments(exp) ξ′ := o.invoke(’μ’, α) Rezwana Karim

  18. Rewriting rules (cont’d) Rule R3: Property access with getProperty, setProperty ξ is property-access expression in AST T o := object(ξ), o is sensitive OR o is in content prop := property(ξ) property-read(T, ξ) ξ′:= o.getProperty(’p’) property-write(T, ξ) v := value-to-store(T, ξ) ξ′:= o.setProperty(’p’, v) Rezwana Karim

  19. Rewriting rules (cont’d) Rule R4: Global Access with GlobalGET, GlobalSET ξ is global-access expression in AST T Global-read(T, ξ) ξ′:= GlobaGET(’ξ’) Global-write(T, ξ) v := value-to-store(T, ξ) ξ′:= GlobaSET(’ξ’, v) Rezwana Karim

  20. Core module usage • Identify sensitive resource usage • Replace with core module main.js var data = fileSystemPtr.read(‘zip.txt’); require(‘file’).module. invoke(‘read’, ‘zip.txt’); file module var file = fileSystemsPtr; var _module_ = { invoke: function(methodName, args){. . . //switch case }, . . .} exports.module = _module_; Rezwana Karim

  21. Extracting user module • Identifies and groups related functionality into a single module main.js function readZipCodeFromFile(location){...} var Weather = { ... getWeatherData:function(zipcode){ ... return Weather.requestDataFromServe(zipcode); }, requestDataFromServer: function(zipcode){...}, } function showWeather(){ ... var temperature = Weather.getWeatherData(zipcode); ... } var Weather = require(‘user/Weather’).module; GlobalSET(’Weather’, Weather); Weather.invoke( ‘getWeatherData’, zipcode); Rezwana Karim

  22. Extracted user module Weather module var _object_ = { ... getWeatherData: function(zipcode){ return GlobalGET(’Weather’).invoke (’requestDataFromServer’, zipcode); }, requestDataFromServer: function(sendData){ ... } } exports.module = wrap(_object_); //wrap() returns object with same interface as in shown in module template Rezwana Karim

  23. Challenge 3: Policy checker Yes α[‘file-path’] allowed? m = ‘file’ p = ‘read’ No Yes α[‘url’] allowed? m = ‘network’ p = ‘open’ CHECK Module: m Property: p ArgList: α No . . . . . . Yes violating source(m’, p’, α’) already accessed? (m, p, α) is sink No Rezwana Karim

  24. Preserve UI • Analyzes legacy extension’s XUL overlay file, resource URI, CSS, icons • Generates JS code to dynamically modify the browser’s UI var sb = document. getElemenById(‘sb’); sb[“onclick”]=function(){ alert(‘Hi’); } <statusbar id=‘sb’ onclick=‘alert(“Hi”)’> ... </statusbar> Legacy XUL code Generated JS code Rezwana Karim

  25. Security properties • Limit vulnerability effect only to compromised module • Increases the minimum number of modules to be compromised Rezwana Karim

  26. Security properties(cont’d) Rezwana Karim

  27. Module level privilege computation Let, P(m) : the set of privileges that can be accessed by a module m m → x : module m has direct access to sensitive resource x mi → mj : module mi imports module mj U: set of user modules mu in an extension, C: set of core modules mc in an extension and U ∩ C = ϕ LP(mu) : leaked privileges from user module mu Core module User module P(m) := { P(x) | m → x} U { LP(mu) | m→mu} U { P(mc) | m→mc} P(m) := P(m) := { P(x) | m → x } { P(mc) | m→mc} { P(mc) | m→mc} U Rezwana Karim

  28. Security analysis of transformed DisplayWeather extension file Main network password.txt Weather file network password Network File Login Manager Policy Checker Sensitive resources Rezwana Karim

  29. Implementation • 13400 lines of JavaScript(JS) • 10,500 lines implementing 100 core modules • 380 lines of Shell script for automation • Tools Used : node.js, doctorJs, narcissus Rezwana Karim

  30. Evaluation • Goals • Correctness of the transformation • Conformance to the POLA • Effectiveness of user module extraction • Effectiveness of policy-checker • Dataset • Extensions developed using JavaScript, HTML, XUL, CSS • 52 Legacy extensions: 50 real-world, 2 synthetic Rezwana Karim

  31. Correctness of transformation • Exercised advertised functionality • Installed the Jetpack extension • Observed the results of interaction with the extension’s UI • All transformed (Jetpack) extensions retains advertised functionality Rezwana Karim

  32. Conformation to POLA • Violation of POLA if: • Module a leaks references to privileged objects • Module b imports module a • Module b becomes more privileged and violates POLA • Used Beaconto verify that no module leak reference to privileged objects [Karim et al., ECOOP‘12] Rezwana Karim

  33. Effectiveness of user module extraction • Privilege separation in user modules Number of Core Modules Rezwana Karim

  34. Modules accessing multiple categories of core modules Categories I : Application II: Browser III: DOM IV: I/O V: Security VI: Misc. Rezwana Karim

  35. Runtime policy checking

  36. Summary • Thousands of popular extensions built on Legacy extension architecture are unsafe • Modern extension architecture enhances security • Manual transformation is tedious, error-prone, requires deep knowledge • Morpheus, an automated toolchain • Systematically transforms legacy extension code into JavaScript modules that satisfy the security principle • Introduces a policy checker framework • Successfully ported 52 popular legacy extensions Rezwana Karim

  37. Thank you rkarim@cs.rutgers.edu

  38. Related work • Information flow analysis of extension • SABRE [Dhawan et al., ACSAC’09] • VEX [Bhandhakavi et al., Usenix Security‘10] • Static analysis of JavaScript • Gatekeeper [Guarnieri et al., Usenix Security’09] • ENCAP [Taly et al., Oakland‘11] • Study of Chrome extension architecture • Chrome extension analysis [Yan et al., NDSS’12] • Runtime Policy enforcement • Sentinel [Onarliuglu et al., DIMVA’13] • Malware extensions[Louw et al., Journal of Computer Virology’08] • Privilege Separation • Privtrans [Brumley et al., Usenix Security’04] • Swift [Chong et al., SigOPS OP. Sys. Rev.] Rezwana Karim

  39. Transforming legacy code Sensitive resource invoke Rewrite with ‘require’ o := object(ξ) o is sensitive ORo is in content Rewrite with ‘getProperty’/ ’setProperty’ Property access Node n in AST Expression ξ o := object(ξ) o is sensitive ORo is in content Rewrite with ‘invoke’ Method invoke Rewrite with ‘require’ Extract User module Object Literal Rewrite with ‘GlobalGET’ / ‘GlobalSET’ Global access Rezwana Karim

  40. Future directions • Performance optimization of transformed extension • Code maintenance and improve readability • Verifying program transformation • Consider access to sensitive resources in modules construction • Use modules provided by Jetpack framework Rezwana Karim

  41. Legacy vs modern extension: Architectural differences Chrome: JavaScript code executing within the extension Content: JavaScript code on the web page Rezwana Karim

  42. Module level privilege computation Let, P(m) : the set of privileges that can be accessed by a module m m → x : module m has direct access to sensitive resource x mi → mj : module mi imports module mj U: set of user modules mu in an extension, C: set of core modules mc in an extension and U ∩ C = ϕ LP(mu) : leaked privileges from user module mu P(m) := { P(x) | m → x} U { LP(mu) | m→mu} U { P(mc) | m→mc} Rezwana Karim

  43. Core module privilege • P5: Only core module can directly access a sensitive resource • P6: Each module exports only an opaque identifier and accessormethods • P7: Core modules can not import any user module • P9: Reference to the sensitive objects are stored within a designated module P(m) := { P(x) | m → x } { P(x) | m → x } { LP(mu) | m→mu } U x: sensitive resource mu: user module mc: is core module { P(mc) | m→mc} U Rezwana Karim

  44. User module privilege • P5: Only core module can directly access a sensitive resource • P8: Each module exports only an opaque identifier and accessor methods P(m) := { P(x) | m → x } { LP(mu) | m→mu } U x: sensitive resource mu: user module mc: is core module { P(mc) | m→mc} U Rezwana Karim

More Related