420 likes | 518 Views
An Analysis of the Mozilla Jetpack Extension Framework. Rezwana Karim , Mohan Dhawan , Vinod Ganapathy Computer Science, Rutgers University. Chung-cheih Shan Indiana University. ECOOP ’ 12. 6/1/2012. Browser Extensions. Enhance browser functionality Customize to meet user need
E N D
An Analysis of the Mozilla Jetpack Extension Framework Rezwana Karim, Mohan Dhawan, VinodGanapathy Computer Science, Rutgers University Chung-cheih Shan Indiana University ECOOP’12 6/1/2012
Browser Extensions • Enhance browser functionality • Customize to meet user need • Unrestricted access to privileged resource Rezwana Karim
Problems in legacy extensions www.evil.com Rezwana Karim
Jetpack • Mozilla’s new extension development technology • Extension structured as a collection of modules • Recommends • Principle of Least Authority (POLA) • Privilege separation • Upfront permission specification • Goal : Limit ill effects of vulnerable extensions Rezwana Karim
Structure of Weather extension in Jetpack Main Extension modules Core modules File Network Sensitive resources Rezwana Karim
Modularity does not guarantee security Main File Network Rezwana Karim
Analysis of Jetpack framework • Goal: Verifying conformance to security principles in Jetpack modules • Focus on adherence to POLA and privilege separation • Beacon: Capability flow analysis tool • 36 programming bugs in real-world extensions • 10 instances of POLA violation • Results acknowledged by Mozilla Rezwana Karim
Module Interaction Main var file = require(“file”); file.readFile (“zipCodeFile”); . . . var fileSystemPtr = accessToFileSystem(); exports.readFile = function readFile(fileName){ //read the content of fileName . . . // return the content . . . }; File Rezwana Karim
Capabilities var fileSystemPtr = accessToFileSystem(); exports.fileSystemPtr = fileSystemPtr; File var fileSystemPtr = require(“File”).fileSystemPtr; Main Rezwana Karim • Privilege to access sensitive resources • Bookmark, cookies, file, password, network etc. • Ways to acquire
Capability leaks • Inadvertent leaks of pointers to privileged resources • Direct references to privileged resources • Functions returning references to privileged resources var fileSystemPtr = accessToFileSystem(); exports.fileSystemPtr = fileSystemPtr; exports.getFileSystem = function(){ return fileSystemPtr; } File Rezwana Karim
Detecting capability leaks Main File Network Rezwana Karim
Capability flow analysis • Static analysis of JavaScript modules • Information flow • Taint: capability • Source : privileged resource access • Sink: exports interface • Call graph based • Context and Flow insensitive • Static Single Assignment (SSA) representation gives a degree of flow-sensitivity Rezwana Karim
Capability flow in object hierarchy var a = { x : object, y : { p : fileSystemPtr, z : object } } a x y p z Rezwana Karim
Implementation of Beacon Rules for JS to Datalog translation Points-to rules Heap allocation Call graph generator SSA analyzer Inference engine SSA format Initial facts Capability analysis report Taint inference rules Imported module summaries • 2.8k lines of Java, Datalog • Tools Used : WALA, DES Rezwana Karim
Capability flow in object hierarchy var a ={ x : object, y:{ p: fileSystemPtr, z: object } } ptsTo(va, ha) isTainted(ha, file) a heapPtsTo(ha, y, hy) isTainted(hy, file) ptsTo(vy, hy) x y ptsTo(vx, hx) heapPtsTo(ha, x, hx) store(vy, p, vp) heapPtsTo(hy, z, hz) heapPtsTo(hy, p, hp) p z ptsTo(vp, hp) ptsTo(vz, hz) isTainted(hp, file) [Gatekeeper, Guarnieri et al., Usenix Security’09] Rezwana Karim
Evaluation goals • Evaluate Jetpack architecture, adherence to two principles • Privilege separation • Principle of least authority (POLA) • Identify modules • Capability leaks • Violate privilege separation • Overprivileged; violate POLA Rezwana Karim
Evaluation • Over 600 Jetpack modules • 77 core modules • Modules from 359 Jetpack extensions • 68k lines of JavaScript code • Performance • On average, couple of minutes, 200 MB • tab-browser.js (~25 KB) • 30mins and 243MB Rezwana Karim
Capability leak • 36 Leaks in over 600 modules • 12 in 4 core modules • 24 in extension modules Rezwana Karim
Capability leaks: extension module • 24 leaks in 359 extensions None of the leaks are required for functionality Rezwana Karim
Accuracy: Capability leak • No False Positive • May miss some leaks • Dynamic features • Iterator, generator • Unsupported JS constructs • for..each, yield, casestatement over a variable • UnmodeledJS constructs • eval, with • Latent bugs Rezwana Karim
Violation of privilege separation 26 modules in 19 extensions Rezwana Karim
Accuracy: Capability usage • 53 extensions directly use sensitive resources • Beacon detects 46 out of 53 • Missed 7 are in event-handling code Rezwana Karim
Violation of POLA • Beacon generates 18 warnings, 7 false positive Violation instances are fixed by Mozilla Rezwana Karim
Related Work • Information flow analysis of extension • SABRE [Dhawan et al., ACSAC’09] • VEX [Bhandhakavi et al., Usenix Security‘10] • Static analysis of JavaScript • Gatekeeper [Guarnieri et al., Usenix Security’09] • ENCAP [Taly et al., Oakland‘11] • Study of Chrome extension architecture • Chrome extension analysis [Yan et al., NDSS’12] Rezwana Karim
Summary • Beacon, a system for capability flow analysis of JavaScript modules • Analyze Jetpack extension development framework • 36 capability leaks in more than 600 modules • 10 overprivileged core modules • Results acknowledged by Mozilla • Applicable to node.js, Harmony modules Rezwana Karim
Thank you Rezwana Karim
Questions Rezwana Karim
Sensitive resources usage Rezwana Karim
Capability Usage • Top 10 XPCOM interfaces Rezwana Karim
Suggestion • Dynamic enforcement of Manifest • Prevent access of unrequested sensitive resources • Deep freezing of exports object • Prevent leak through event-handlers Rezwana Karim
Template Rezwana Karim
Proof of concept example: Customize-shortcut const {Cc, Ci} = require("chrome"); let Preferences = { branches: {}, .. . getBranch: function (name) { let branch = Cc["@mozilla.org/preferences-service;1"] .getService(Ci.nsIPrefService).getBranch(name); … return this. branches [name] = branch; }, ... }; exports. Preferences = Preferences;
Modular approach Rezwana Karim • Break down extension into modules • JavaScript modules • Implement a certain functionality • Self-contained • Isolated; communicate via module interfaces • Limit vulnerability effect
Capability Usage • Top 10 core modules Rezwana Karim
Datalog relations: points-to analysis Rezwana Karim
JavaScript statement processing Rezwana Karim
Inference Rules Rezwana Karim
Pre-processing(cont’d) • Desugar JS construct • Destructuring assignment, let, const, lambda function • Code simplification Rezwana Karim
Capability flow in object hierarchy var a ={ x : object, y:{ p: fileSystemPtr, z: object } } ptsTo(va, ha) isTainted(ha, file) a heapPtsTo(ha, y, hy) isTainted(hy, file) ptsTo(vy, hy) x y ptsTo(vx, hx) heapPtsTo(ha, x, hx) store(vy, p, vp) heapPtsTo(hy, z, hz) heapPtsTo(hy, p, hp) p z ptsTo(vp, hp) ptsTo(vz, hz) isTainted(hp, file) Rezwana Karim
Capability flow analysis using Datalog [Gatekeeper, Guarnieri et al., Usenix Security’09] Rezwana Karim
Capability flow in object hierarchy var a ={ x : object, y:{ p: fileSystemPtr, z: object } } ptsTo(va, ha) isTainted(ha, file) a heapPtsTo(ha, y, hy) ptsTo(vy, hy) isTainted(hy, file) x y ptsTo(vx, hx) heapPtsTo(ha, x, hx) store(vy, p, vp) heapPtsTo(hy, z, hz) heapPtsTo(hy, p, hp) p z ptsTo(vp, hp) ptsTo(vz, hz) isTainted(hp, file) Rezwana Karim
JavaScript statement processing Rezwana Karim