
An Analysis of the Mozilla Jetpack Extension Framework

Rezwana Karim, Mohan Dhawan, Vinod Ganapathy, Computer Science, Rutgers University. Chung-chieh Shan, Indiana University. ECOOP ’12. 6/1/2012.


Presentation Transcript


  1. An Analysis of the Mozilla Jetpack Extension Framework. Rezwana Karim, Mohan Dhawan, Vinod Ganapathy, Computer Science, Rutgers University. Chung-chieh Shan, Indiana University. ECOOP’12, 6/1/2012

  2. Browser Extensions
     • Enhance browser functionality
     • Customize to meet user need
     • Unrestricted access to privileged resource
     Rezwana Karim

  3. Problems in legacy extensions
     [Figure; label: www.evil.com]

  4. Jetpack
     • Mozilla’s new extension development technology
     • Extension structured as a collection of modules
     • Recommends
     • Principle of Least Authority (POLA)
     • Privilege separation
     • Upfront permission specification
     • Goal: Limit ill effects of vulnerable extensions

  5. Structure of Weather extension in Jetpack
     [Figure; labels: Main, Extension modules, Core modules, File, Network, Sensitive resources]

  6. Modularity does not guarantee security
     [Figure; labels: Main, File, Network]

  7. Analysis of Jetpack framework
     • Goal: Verifying conformance to security principles in Jetpack modules
     • Focus on adherence to POLA and privilege separation
     • Beacon: Capability flow analysis tool
     • 36 programming bugs in real-world extensions
     • 10 instances of POLA violation
     • Results acknowledged by Mozilla

  8. Module Interaction
     Main:

         var file = require("file");
         file.readFile("zipCodeFile");
         // ...

     File:

         var fileSystemPtr = accessToFileSystem();
         exports.readFile = function readFile(fileName) {
           // read the content of fileName
           // ...
           // return the content
           // ...
         };

  9. Capabilities
     • Privilege to access sensitive resources
     • Bookmark, cookies, file, password, network etc.
     • Ways to acquire

     File:

         var fileSystemPtr = accessToFileSystem();
         exports.fileSystemPtr = fileSystemPtr;

     Main:

         var fileSystemPtr = require("File").fileSystemPtr;

  10. Capability leaks
      • Inadvertent leaks of pointers to privileged resources
      • Direct references to privileged resources
      • Functions returning references to privileged resources

      File:

          var fileSystemPtr = accessToFileSystem();
          exports.fileSystemPtr = fileSystemPtr;
          exports.getFileSystem = function () {
            return fileSystemPtr;
          };

  11. Detecting capability leaks
      [Figure; labels: Main, File, Network]

  12. Capability flow analysis
      • Static analysis of JavaScript modules
      • Information flow
      • Taint: capability
      • Source: privileged resource access
      • Sink: exports interface
      • Call graph based
      • Context and Flow insensitive
      • Static Single Assignment (SSA) representation gives a degree of flow-sensitivity

  13. Capability flow in object hierarchy

          var a = { x : object, y : { p : fileSystemPtr, z : object } }

      [Figure: object tree with nodes a, x, y, p, z]

  14. Implementation of Beacon
      [Figure: architecture diagram; labels: Rules for JS to Datalog translation, Points-to rules, Heap allocation, Call graph generator, SSA analyzer, Inference engine, SSA format, Initial facts, Capability analysis report, Taint inference rules, Imported module summaries]
      • 2.8k lines of Java, Datalog
      • Tools Used: WALA, DES

  15. Capability flow in object hierarchy

          var a = { x : object, y : { p : fileSystemPtr, z : object } }

      [Figure: object tree with nodes a, x, y, p, z, annotated with the facts below]
      ptsTo(va, ha), ptsTo(vx, hx), ptsTo(vy, hy), ptsTo(vp, hp), ptsTo(vz, hz)
      heapPtsTo(ha, x, hx), heapPtsTo(ha, y, hy), heapPtsTo(hy, p, hp), heapPtsTo(hy, z, hz)
      store(vy, p, vp)
      isTainted(hp, file), isTainted(hy, file), isTainted(ha, file)
      [Gatekeeper, Guarnieri et al., Usenix Security’09]

  16. Evaluation goals
      • Evaluate Jetpack architecture, adherence to two principles
      • Privilege separation
      • Principle of least authority (POLA)
      • Identify modules
      • Capability leaks
      • Violate privilege separation
      • Overprivileged; violate POLA

  17. Evaluation
      • Over 600 Jetpack modules
      • 77 core modules
      • Modules from 359 Jetpack extensions
      • 68k lines of JavaScript code
      • Performance
      • On average, couple of minutes, 200 MB
      • tab-browser.js (~25 KB)
      • 30 mins and 243 MB

  18. Capability leak
      • 36 Leaks in over 600 modules
      • 12 in 4 core modules
      • 24 in extension modules

  19. Capability leaks: extension module
      • 24 leaks in 359 extensions
      None of the leaks are required for functionality

  20. Accuracy: Capability leak
      • No False Positive
      • May miss some leaks
      • Dynamic features
      • Iterator, generator
      • Unsupported JS constructs
      • for..each, yield, case statement over a variable
      • Unmodeled JS constructs
      • eval, with
      • Latent bugs

  21. Violation of privilege separation
      26 modules in 19 extensions

  22. Accuracy: Capability usage
      • 53 extensions directly use sensitive resources
      • Beacon detects 46 out of 53
      • Missed 7 are in event-handling code

  23. Violation of POLA
      • Beacon generates 18 warnings, 7 false positive
      Violation instances are fixed by Mozilla

  24. Related Work
      • Information flow analysis of extension
      • SABRE [Dhawan et al., ACSAC’09]
      • VEX [Bandhakavi et al., Usenix Security’10]
      • Static analysis of JavaScript
      • Gatekeeper [Guarnieri et al., Usenix Security’09]
      • ENCAP [Taly et al., Oakland’11]
      • Study of Chrome extension architecture
      • Chrome extension analysis [Yan et al., NDSS’12]

  25. Summary
      • Beacon, a system for capability flow analysis of JavaScript modules
      • Analyze Jetpack extension development framework
      • 36 capability leaks in more than 600 modules
      • 10 overprivileged core modules
      • Results acknowledged by Mozilla
      • Applicable to node.js, Harmony modules

  26. Thank you

  27. Questions

  28. Sensitive resources usage

  29. Capability Usage
      • Top 10 XPCOM interfaces

  30. Suggestion
      • Dynamic enforcement of Manifest
      • Prevent access of unrequested sensitive resources
      • Deep freezing of exports object
      • Prevent leak through event-handlers

  31. Template

  32. Proof of concept example: Customize-shortcut

          const {Cc, Ci} = require("chrome");
          let Preferences = {
            branches: {},
            // ...
            getBranch: function (name) {
              // obtain a preferences branch from the privileged XPCOM service
              let branch = Cc["@mozilla.org/preferences-service;1"]
                .getService(Ci.nsIPrefService).getBranch(name);
              // …
              // the privileged branch object is cached and returned to the caller
              return this.branches[name] = branch;
            },
            // ...
          };
          exports.Preferences = Preferences;

  33. Modular approach
      • Break down extension into modules
      • JavaScript modules
      • Implement a certain functionality
      • Self-contained
      • Isolated; communicate via module interfaces
      • Limit vulnerability effect

  34. Capability Usage
      • Top 10 core modules

  35. Datalog relations: points-to analysis

  36. JavaScript statement processing

  37. Inference Rules

  38. Pre-processing (cont’d)
      • Desugar JS construct
      • Destructuring assignment, let, const, lambda function
      • Code simplification

  39. Capability flow in object hierarchy

          var a = { x : object, y : { p : fileSystemPtr, z : object } }

      [Figure: object tree with nodes a, x, y, p, z, annotated with the facts below]
      ptsTo(va, ha), ptsTo(vx, hx), ptsTo(vy, hy), ptsTo(vp, hp), ptsTo(vz, hz)
      heapPtsTo(ha, x, hx), heapPtsTo(ha, y, hy), heapPtsTo(hy, p, hp), heapPtsTo(hy, z, hz)
      store(vy, p, vp)
      isTainted(hp, file), isTainted(hy, file), isTainted(ha, file)

  40. Capability flow analysis using Datalog [Gatekeeper, Guarnieri et al., Usenix Security’09]

  41. Capability flow in object hierarchy

          var a = { x : object, y : { p : fileSystemPtr, z : object } }

      [Figure: object tree with nodes a, x, y, p, z, annotated with the facts below]
      ptsTo(va, ha), ptsTo(vx, hx), ptsTo(vy, hy), ptsTo(vp, hp), ptsTo(vz, hz)
      heapPtsTo(ha, x, hx), heapPtsTo(ha, y, hy), heapPtsTo(hy, p, hp), heapPtsTo(hy, z, hz)
      store(vy, p, vp)
      isTainted(hp, file), isTainted(hy, file), isTainted(ha, file)

  42. JavaScript statement processing
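
The taint facts on the "Capability flow in object hierarchy" slides, derived mechanically and checked against the exports sink. This is an added example, not code from the slides or from Beacon: the inference rule is inferred from the facts the slides show, and the `exportFacts` bindings are constructed for illustration.

```javascript
// Constructed facts for: var a = { x: object, y: { p: fileSystemPtr, z: object } }
// Naming follows the slides: hX is the heap object of X, "file" is the capability.
const heapPtsTo = [                 // heapPtsTo(container, field, target)
  ["ha", "x", "hx"], ["ha", "y", "hy"],
  ["hy", "p", "hp"], ["hy", "z", "hz"],
];
const sources = [["hp", "file"]];   // isTainted(hp, file): privileged resource access
// Assumption: the module also runs `exports.a = a; exports.x = a.x;`
const exportFacts = [["a", "ha"], ["x", "hx"]];

// Assumed rule: isTainted(H, C) :- heapPtsTo(H, F, H2), isTainted(H2, C).
// Evaluated as a naive fixpoint, so cyclic object graphs terminate as well.
function inferTaint(heapFacts, sourceFacts) {
  const tainted = new Map();  // heap object -> Map(capability -> field path to source)
  const add = (h, cap, path) => {
    if (!tainted.has(h)) tainted.set(h, new Map());
    if (tainted.get(h).has(cap)) return false;   // fact already derived
    tainted.get(h).set(cap, path);
    return true;
  };
  for (const [h, cap] of sourceFacts) add(h, cap, []);
  for (let changed = true; changed; ) {
    changed = false;
    for (const [h, field, target] of heapFacts) {
      for (const [cap, path] of tainted.get(target) || []) {
        if (add(h, cap, [field, ...path])) changed = true;
      }
    }
  }
  return tainted;
}

// Sink check: a leak is any tainted heap object bound to a name on `exports`.
function findLeaks(exportBindings, tainted) {
  const leaks = [];
  for (const [name, h] of exportBindings) {
    for (const [cap, path] of tainted.get(h) || []) {
      leaks.push(`exports.${[name, ...path].join(".")} leaks ${cap}`);
    }
  }
  return leaks;
}

console.log(findLeaks(exportFacts, inferTaint(heapPtsTo, sources)));
```

Exporting only `a.x` would be reported clean, while exporting `a` is flagged with the field path an importing module could follow to reach the capability.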
