VEX: Vetting Browser Extensions For Security Vulnerabilities

VEX: Vetting Browser Extensions For Security Vulnerabilities

VEX: Vetting Browser Extensions For Security Vulnerabilities Sruthi Bandhakavi Samuel T. King P. Madhusudan Marianne Winslett University of Illinois at Urbana Champaign fsbandha2,kingst,madhu,[email protected] Presented by Doron Tromer Introduction What is VEX in a few words ? A framework for highlighting potential security vulnerabilities in browser extensions by applying static information-ow analysis to the JavaScript code used to implement extensions.

2 Browser Extensions What are they? A browser extension is a computer program that extends the functionality of a web browser in some way. Extensions can be used to modify the behavior of existing features of the application or add entirely new features. Extensions are especially popular with Firefox, because Mozilla developers intend for the browser to be a fairly minimalistic application in order to reduce software bloat and bugs, while retaining a high degree

of extensibility. 3 Mozilla Firefox Extensions Extension technologies: HTML, CSS, DOM, JavaScript, XPCOM, XPConnect, XPI, XUL, Mozilla JetPack Uses of extensions in Firefox: adding features - RSS readers, bookmark organizers, toolbars, FTP, Firebug, HttpFox modifying how the user views web pages Adblock, Greasemonkey Plugins - Acrobat Reader, Flash Player, Windows Media

Player 4 Mozilla privilege levels Page - for web pages displayed in the browsers content window. restrictive - a page loaded from site x cannot access content from sites other than x Chrome - for elements belonging to Firefox and its extensions. Gives access to: all browser states and events OS resources

all web pages Extensions have full chrome privileges by using an API called the XPCOM Components to extension JavaScript, thereby allowing the .extensions to have access to all the resources Firefox can access 5 .Mozilla privilege levels cont Chrome Page 6 privilege issues

Extensions can: Access objects that run with page privileges and interact with page content. Access objects that run with full chrome privileges. Include user interface components via a chrome document, which also runs with full chrome privileges: window.content.document. Thus, it can Lead to execution of remote code in privileged context, e.g. RSS reader extension takes the content of the RSS feed (HTML code) and insert it into the extension window. 7 Vulnerabilities in Browser Extensions

Extensions might be malicious and exploit the full privileges. But even extensions written with benign intent can have subtle vulnerabilities that expose the user to a disastrous attack from the web. mostly by injecting JavaScript into a data item that is executed by the extension under full browser privileges. :Doing so attackers can take over the browser steal cookies or protected passwords compromise condential information hijack the host system

8 What is done today regarding these vulnerabilities Mozilla provides a set of security primitives to extension developers the goal: reducing the attack surface for extensions. disadvantages: discretionary primitives, difcult to understand and use correctly.

Example: evalInSandbox (text, sandbox) 9 What is done today regarding these vulnerabilities cont. The research community propose dynamic techniques such as SABRE system the goal: improving the security of extensions. how is it done: The SABRE system tracks JavaScript objects to prevent extensions from accessing sensitive information unsafely (using security labels for every JavaScript object inside the browser).

pros: SABRE can prevent potentially malicious ows from both exploited extensions and from malicious extensions. cons: overhead (SunSpider - 6.1x, V8 JavaScript - 2.36x). security violation notication: users must determine if a particular ow is malicious or benign. Determining whether extensions are malicious or harbor security vulnerabilities is a hard problem 10 Assumptions in VEX 1. The developer isnt malicious, but he could write

incorrect code that contains vulnerabilities. 2. There are no bugs in the browser itself. 3. There are no bugs in other browser extensibility mechanisms, such as plug-ins. 11 Attack models considered 1. Attacks that originate from web sites. The attacker can send arbitrary HTML and JavaScript to the users browser, that might lead to code injection or

privilege escalation through buggy extensions. 2. In the second model some web sites are considered trusted. 12 Points of attack VEX focuses on vulnerable points for code injection and privilege escalation attacks: Eval: interprets string data as JavaScript and executes it dynamically. InnerHTML: each HTML element for a page has an innerHTML property that denes the text that occurs between that elements tags. Extensions can change DOM (document object model)

elements, or add new ones. EvalInSandbox: execution of JavaScript in the extensions context with restricted privileges. WrappedJSObject: lets the extension access modied properties of the document object, even when automatic wrapping is on. 13 Information ow A variable A is said to depend on another variable B in a procedure if there is a path such that the value of B can cause the value of A to change we also say that there is a flow from variable B to variable A

types of dependencies: strongly dependent: A = B + 1 weakly dependent: if (condition) A = B + 1 conditionally dependent: if (B > 0) A = 0 Information Flow Analysis (also called variable dependency analysis) is a study of the interdependencies of the program variables 14 Suspicious ow patterns tracked by VEX From content document data to eval. From content document data to innerHTML.

From Resource Description Framework (RDF) data to innerHTML. 4. EvalInSandbox return objects used improperly by code running with chrome privileges. 5. WrappedJSObject return object used improperly by code running with chrome privileges. These ows: Dont always result in a vulnerability. Are not all of the possible extension security bugs. 1. 2. 3. 15

An example for a suspicious ow pattern A ow from content document data to eval Wikipedia Toolbar, up to version 0.5.9 16 VEXs work ow scheme 17 VEXs anticipated contribution Such ow patterns may occur in only a few of the extensions

that use these constructs. Mozilla offers an open-source automatic tool to help with reviews (see it just greps for strings that indicate dangerous patterns. then the reviewer needs to manually check all of the suspect extensions. this checking is difficult and error-prone. VEX is designed to help vetting the ows automatically , greatly reducing the number of extensions that need to be manually reviewed. 18 Static information ow analysis

VEX is a general explicit information flow static analysis tool Computes ows between any source and sink. Tracks the precise dependencies of ows from variables to objects created in the JavaScript extension. This is a difficult task: large number of objects and functions. there are program dened objects as well as objects of DOM and of the extension (using XPCOM components) the objects are dynamic. new object properties can be created dynamically at run-time. functions are objects in JavaScript, they can be created, redened dynamically, and passed as parameters.

19 Abstract Heaps The analysis uses an abstract heap (AH) the analysis keeps track of one abstract heap at each program point. VEX creates a node for every: object function Property Ignores the exact primitive values in the heap. The AH records explicit-ow dependencies to heap nodes. 20

Abstract Heaps cont. A denition: Pvar A set of all the program variables An abstract heap is a tuple: (ns,n,d,fr,dm,tm) ns - a set of heap locations. - represents the current node. - represents the subset of program variables that ow in to the current node n. - encodes the pointers representing properties (elds).

What does mean? 21 Abstract Heaps cont. - a relation that denotes a dependency map. What does mean?

- a this-map relation, which is actually the relation of a function. What does mean? 22 A core subset of JavaScript Reects the aspects of JavaScript, omitting certain features

(such as eval) 23 The rules Big step operational semantics on abstract heaps: A relation prog - an program expression or statement - the initial abstract heap - the abstract heap obtained from the complete evaluation of prog starting from the heap

This resulting heap, in every iteration, will be merged with the current heap, conservatively taking the union of dependencies. 24 Evaluating expressions 25 Evaluating expressions cont. What happens to the AH when

evaluating a constant? the only change is that the current node isnt a heap location, and there isnt . any program variable that ow into it Thus: Rule (CONSTANT) evaluates to a node with empty dependencies: 26 Evaluating expressions cont. What happens to the AH when

evaluating this? the current node is the node that is the .scope of the current node the program variables that ow into the current node are the those who ow .into the scope of the current node Thus: Rule (THIS) extracts the scope of the current node 27

Evaluating expressions cont. What happens to the AH when evaluating a variable access? There are 3 kinds of variable accesses: local JavaScript variables declared global JavaScript variables undeclared variables automatically global 28

Evaluating expressions cont. Thus, rst the existence property x is checked in the current scope if it exists, the current node is the node of the variable, and so is the d part of AH Otherwise, the global node is checked for property x -if it exists, the same happens 29

Evaluating expressions cont. Otherwise (not in the current or global scope), a new node is created and added to the global scope: a new heap location is created a new node is created its dependency is empty the existence property of x in the global heap is added to the fr the fact that the scope of the new node is the global heap, is added to this-map

30 Evaluating expressions cont. What happens to the AH when evaluating a field access? if the variable x already exists in one of the heaps, and the eld f of the node resulted from the variable access evaluation :may be located in the eld node, then all the sets, maps and relations resulted by the evaluation are those of the AH resulted

from the evaluation of the variable x only two additions: the current node is the one of the eld, and the dependencies includes the program variables that ow into 31 Evaluating expressions cont. Otherwise (if the variable x exists but the eld node doesnt) a new is created and added to the AH with the variable x : a new heap location is created a new node is created the dependencies are those of the AH

resulted from the variable evaluation the existence property of f in the AH with x is added to the fr the fact that the scope of the new node is the node representing x, is added to this-map 32 Evaluating expressions cont. What happens to the AH when evaluating a binary operation? the new AH is the union of dependencies

of both the expressions includes union of heap locations, dependencies, frs, dependency maps and this-maps. The current node is a new node .representing the operation 33 Evaluating expressions cont. What happens to the AH when evaluating a object literal? example:

a summary is computed by recursively creating heap locations for each of its properties. 34 Evaluating expressions cont. What happens to the AH when evaluating a function definition? like with object literals, except that new summary locations are created for each of the function .arguments and also for the return variable

the function body is evaluated with respect to .the new heap the result of the evaluation is the new heap with the function summary attached to the node of the return value. 35 Evaluating expressions cont. What happens to the AH when evaluating a function call? uses this summary to compute the node and dependencies of the return value.

the return value of the function can be obtained by evaluating each of the function argument expressions, and replacing the appropriate nodes in the function summary with the values returned. if the function is not dened, then the dependencies of the return values are the union of dependencies of the individual function parameters. 36 Evaluating statements 37

Evaluating statements cont. What happens to the AH when evaluating skip and sequence statements? What happens to the AH when evaluating a variable declaration? a new node is created in the current scope. if the heap node for that variable already exists, it is replaced by this new node. 38

Evaluating statements cont. What happens to the AH when evaluating assignment statements? the left hand side and the right hand side expressions are evaluated, and the node on the left hand side is replaced with the node on the right hand side. 39 Evaluating statements cont. What happens to the AH when evaluating conditionals?

they are not evaluated as our heaps are symbolic What happens to the AH when evaluating a return statement? If evaluation of e with the AH results in , then the AH after .returning e is the same, with the emphasis on the change in fr 40 Evaluating statements cont. What happens to the AH when evaluating while statements? while statements, like conditionals, are not evaluated as our heaps are symbolic

the while body is evaluated until we reach a xed point (or until we reach a xed number of loop un-rollings) the abstract heap is also allowed to immediately go across a while-loop The analyze begins with an initial state consisting of a global heap (with summaries for a few built-in objects like Array) The evaluation of the rules either proceed until we converge on a least xed-point, or until we reach a preset bound on the number of iterations 41 Handling other features of JavaScript Dynamic code (eval):

an accurate analysis of the structure of dynamically created code is too complex furthermore, eval statements cannot be simply ignored VEX implements a static constant-string analysis for strings, and subject the strings that are eval-ed to this analysis Strings that are not statically known but subject to eval are essentially ignored innerHTML: creating a symbolic representation of the source, computing summaries

of innerHTML and allowing outside methods to instantiate the symbolic source to a concrete source in whichever context it becomes available. 42 Notes about the analysis The analysis is: Flow-sensitive: takes into account the order of statements in a program. Path-sensitive: computes different pieces of analysis information dependent on the predicates at conditional branch instructions. Context-sensitive: interprocedural analysis that considers the calling context when analyzing the target of a function call.

43 Notes about the analysis cont. Unsoundness: a static analysis tool like VEX is inherently conservative if VEX reports a ow, there may be no such feasible ow in the program (false positives) Incompleteness false negatives are also possible because of several unsummarized objects VEX has several sources of unsoundness and incompleteness: eval

prototypes higher-order functions xed number of unrolls of loops exceptions 44 Evaluation: VEX implementation VEX: is implemented in Java (2000 LOC) utilizes a JavaScript parser built using the ANTLR parser generator for the JavaScript 1.5 grammar. ANTLR outputs Java-based Abstract Syntax Trees (AST) for JavaScript

les. VEX walks through the ASTs computing the ow sets from all sources to all sinks, in a single pass analysis 45 Evaluation - cont. 1. The current version of VEX checks these flow patterns that capture ows from injectable sources to executable sinks: 46 Evaluation - cont.

2. Furthermore, VEX searches for these patterns that characterize unsafe programming practices that could lead to security vulnerabilities: The VEX tool can be adapted to other kinds of suspect ows 47 Evaluation methodology The experiments steps: 1. Chose a random sample of 1827 extensions from the Mozilla add-ons web site (rst extensions in alphabetical order for all subject categories)

2. Chose 699 of the most popular extensions (74 extensions in common, total of 2452 extensions) 3. Extracted the JavaScript les from these extensions 4. Ran VEX on them, using a 2.4GHz 64 bit x86 processor with a maximum heap size of 4GB for the JVM 48 Experimental results Finding ows from injectible sources to executable sinks:

on average, VEX took 15.5 seconds per extension 49 Experimental results cont. Finding unsafe programming practices: 15 of the alerts were analyzed manually 50 Successful attacks Attack scripts example: 51

Successful attacks Vulnerabilities founded by VEX: Wikipedia Toolbar, up to version 0.5.9 Fizzle versions 0.5, 0.5.1, 0.5.2 Beatnik version 1.2 52 Conclusion Advantages of VEX: VEX vets the ows automatically greatly reduces the number of extensions that need to be manually

reviewed 15.5 seconds per extension instead of hours more accurate than manual review VEX performs the analysis only once and from the results, allow us to search for any source-to-sink ow Flow-sensitive, path-sensitive, context-sensitive analysis 53 Conclusion cont. Disadvantages of VEX: Unsoundness and incompleteness false positives and false negatives

The design choices arent necessarily optimal No modeling of actual values conditional and while statements arent evaluated The evaluation is executed until reaching a specic condition No evaluation of prototypes No evaluation of statically unknown strings subject to eval There is no information about the existence of known vulnerabilities that VEX hasnt detected 54 Future Work 1. A points-to analysis

more precise on certain aspects of JavaScript such as higher order functions, prototypes, and scoping 2. Dening a more complete set of ow-patterns (sources and sinks) that capture vulnerabilities 3. Automatically building attack vectors for statically discovered ows, by a constraint solver can help synthesize attacks (handling sanitization routines effectively)

55 ! 56

Recently Viewed Presentations

  • The Muscular System - UCA

    The Muscular System - UCA

    Muscle have microtubules and microfilaments. Needs energy. ... The Muscular System. ... trapezius (trapezoid, 2 parallel sides) serratus (saw-toothed) rhomboideus (rhomboid, 4 parallel sides) orbicularis and sphincters (circular) Rhomboideus. major.
  • Kotler Keller 1 - Jenne Meyer PhD

    Kotler Keller 1 - Jenne Meyer PhD

    It is practiced most aggressively with unsought goods—goods buyers don't normally think of buying such as insurance and cemetery plots—and when firms with overcapacity aim to sell what they make, rather than make what the market wants. The marketing concept...
  • Presentation by Noel Davis Dance is a way

    Presentation by Noel Davis Dance is a way

    * Dance is the art form in which human movement becomes the medium for sensing, understanding, and communicating ideas, feelings, and experiences. * Dance is universal, that means that it can be identified by all people of the world…dance is...
  • Properties of Magma - KSU Faculty

    Properties of Magma - KSU Faculty

    Properties of Magma Physical & Chemical Properties An element is a substance that cannot be broken down into other substances (ex. Carbon, Hydrogen, Oxygen). A compound is a substance made of 2 or more elements that have been chemically combined...
  • Small Group Instruction -

    Small Group Instruction -

    Small Group Instruction. ... Jump rope rhymes and tongue twisters. Songbooks. Paper, pencils, crayons. ... Children enthusiastically visit this station to read plays and retell stories. It is a "space where oral language related to books can flourish. The more...
  • Earth Layers Foldable The Layers of the Earth

    Earth Layers Foldable The Layers of the Earth

    The Four Layers The Earth is composed of four different layers. The crust is the layer that you live on, and it is the most widely studied and understood. ... Times Arial Comic Sans MS Cooper Black Courier Times New...
  • TA 101 Think and Analyze - IIT Kanpur

    TA 101 Think and Analyze - IIT Kanpur

    TA 101Think and Analyze. AnupamSaxena. Associate Professor. Mechanical Engineering. Compliant and Robotic Systems Lab. Indian Institute of Technology Kanpur


    Marjane Satrapi, the director of Persepolis, explained why they chose The Class as Palme d'Or winner: "We all fell in love with it immediately. It's a film that goes beyond the bad neighborhoods, beyond school, to raise the real question...