VEX: Vetting Browser Extensions For Security Vulnerabilities
Slide 2: Browser Extensions - What are they?
A browser extension is a computer program that extends the functionality of a web browser in some way. Extensions can be used to modify the behavior of existing features of the application or add entirely new features. Extensions are especially popular with Firefox, because Mozilla developers intend for the browser to be a fairly minimalistic application in order to reduce software bloat and bugs, while retaining a high degree
Slide 4: Mozilla privilege levels
- Page: for web pages displayed in the browser's content window. Restrictive: a page loaded from site x cannot access content from sites other than x.
- Chrome: for elements belonging to Firefox and its extensions. Gives access to all browser states and events, and to OS resources.
Extensions can:
- Access objects that run with page privileges and interact with page content (window.content.document).
- Access objects that run with full chrome privileges.
- Include user interface components via a chrome document, which also runs with full chrome privileges.
Thus, this can lead to execution of remote code in a privileged context, e.g. an RSS reader extension takes the content of the RSS feed (HTML code) and inserts it into the extension window.

Slide 7: Vulnerabilities in Browser Extensions
Slide 8: What is done today regarding these vulnerabilities
- Mozilla provides a set of security primitives to extension developers.
- The goal: reducing the attack surface for extensions.
- Disadvantages: the primitives are discretionary, and difficult to understand and use correctly.
Information Flow Analysis (also called variable dependency analysis) is the study of the interdependencies of the program variables.
Types of dependencies:
- strongly dependent: A = B + 1
- weakly dependent: if (condition) A = B + 1
- conditionally dependent: if (B > 0) A = 0

Slide 14: Suspicious flow patterns tracked by VEX
1. From content document data to eval.
2. From content document data to innerHTML.
3. From Resource Description Framework (RDF) data to innerHTML.
4. EvalInSandbox return objects used improperly by code running with chrome privileges.
5. WrappedJSObject return object used improperly by code running with chrome privileges.
These flows:
- Don't always result in a vulnerability.
- Are not all of the possible extension security bugs.

Slide 15: An example of a suspicious flow pattern
A flow from content document data to eval: Wikipedia Toolbar, up to version 0.5.9.

Slide 16: VEX's workflow scheme

Slide 17: VEX's anticipated contribution
- Such flow patterns may occur in only a few of the extensions that use these constructs.
- Mozilla offers an open-source automatic tool to help with reviews (see https://addons.mozilla.org/en-US/firefox/pages/validation); it just greps for strings that indicate dangerous patterns.
- Then the reviewer needs to manually check all of the suspect extensions; this checking is difficult and error-prone.
- VEX is designed to help vet the flows automatically, greatly reducing the number of extensions that need to be manually reviewed.

Slide 18: Static information flow analysis
Slide 19: Abstract Heaps
- The analysis uses an abstract heap (AH); it keeps track of one abstract heap at each program point.
- VEX creates a node for every object, function and property.
- It ignores the exact primitive values in the heap.
- The AH records explicit-flow dependencies to heap nodes.

Slide 20: Abstract Heaps cont.
A definition: Pvar is the set of all the program variables.
An abstract heap is a tuple (ns, n, d, fr, dm, tm):
- ns: a set of heap locations.
- n: the current node.
- d: the subset of program variables that flow into the current node n.
- fr: encodes the pointers representing properties (fields).
What does this mean?

Slide 21: Abstract Heaps cont.
- dm: a relation that denotes a dependency map.
- tm: the this-map, recording which node is the scope of each node.
What does this mean?
(such as eval)

Slide 23: The rules
Big-step operational semantics on abstract heaps, given as a relation between:
- prog: a program expression or statement
- the initial abstract heap
- the abstract heap obtained from the complete evaluation of prog, starting from the initial heap
This resulting heap, in every iteration, will be merged with the current heap, conservatively taking the union of dependencies.

Slide 24: Evaluating expressions

Slide 25: Evaluating expressions cont.
What happens to the AH when evaluating a constant?
- The only change is that the current node isn't a heap location, and there isn't any program variable that flows into it.
- Thus, Rule (CONSTANT) evaluates to a node with empty dependencies.

Slide 26: Evaluating expressions cont.
What happens to the AH when evaluating this?
- The current node is the node that is the scope of the current node.
- The program variables that flow into the current node are those that flow into the scope of the current node.
- Thus, Rule (THIS) extracts the scope of the current node.

Slide 27: Evaluating expressions cont.
Thus, first the existence of property x is checked in the current scope:
- If it exists, the current node is the node of the variable, and so is the d part of the AH.
- Otherwise, the global node is checked for property x; if it exists, the same happens.

Slide 29: Evaluating expressions cont.
Otherwise (x is in neither the current nor the global scope), a new node is created and added to the global scope:
- a new heap location is created;
- a new node is created, and its dependency set is empty;
- the existence of property x in the global heap is added to fr;
- the fact that the scope of the new node is the global heap is added to the this-map.
Slide 30: Evaluating expressions cont.
What happens to the AH when evaluating a field access?
If the variable x already exists in one of the heaps, and the field f of the node resulting from the variable-access evaluation may be located in the field node, then all the sets, maps and relations resulting from the evaluation are those of the AH resulting from the evaluation of the variable x, with only two additions: the current node is the one of the field, and the dependencies include the program variables that flow into x.

Slide 31: Evaluating expressions cont.
Otherwise (if the variable x exists but the field node doesn't), a new node is created and added to the AH with the variable x:
- a new heap location is created;
- a new node is created; its dependencies are those of the AH resulting from the variable evaluation;
- the existence of property f in the AH with x is added to fr;
- the fact that the scope of the new node is the node representing x is added to the this-map.

Slide 32: Evaluating expressions cont.
What happens to the AH when evaluating a binary operation?
- The new AH is the union of the dependencies of both expressions: it includes the union of heap locations, dependencies, frs, dependency maps and this-maps.
- The current node is a new node representing the operation.

Slide 33: Evaluating expressions cont.
What happens to the AH when evaluating an object literal?
- A summary is computed by recursively creating heap locations for each of its properties.

Slide 34: Evaluating expressions cont.
What happens to the AH when evaluating a function definition?
- As with object literals, except that new summary locations are created for each of the function arguments and also for the return variable.
- The function body is evaluated with respect to the new heap.
- The result of the evaluation is the new heap with the function summary attached to the node of the return value.

Slide 35: Evaluating expressions cont.
What happens to the AH when evaluating a function call?
- The analysis uses this summary to compute the node and dependencies of the return value.
- The return value of the function can be obtained by evaluating each of the function argument expressions and replacing the appropriate nodes in the function summary with the values returned.
- If the function is not defined, then the dependencies of the return value are the union of the dependencies of the individual function parameters.

Slide 36: Evaluating statements
Slide 37: Evaluating statements cont.
What happens to the AH when evaluating skip and sequence statements?
What happens to the AH when evaluating a variable declaration?
- A new node is created in the current scope.
- If the heap node for that variable already exists, it is replaced by this new node.

Slide 38: Evaluating statements cont.
What happens to the AH when evaluating assignment statements?
- The left-hand side and the right-hand side expressions are evaluated, and the node on the left-hand side is replaced with the node on the right-hand side.

Slide 39: Evaluating statements cont.
What happens to the AH when evaluating conditionals?
- They are not evaluated, as our heaps are symbolic.
What happens to the AH when evaluating a return statement?
- If evaluating e in the AH yields a resulting heap, then the AH after returning e is that same heap, with the emphasis on the change in fr.

Slide 40: Evaluating statements cont.
What happens to the AH when evaluating while statements?
- While statements, like conditionals, are not evaluated, as our heaps are symbolic.
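The flow patterns of slide 14 and the evaluation rules of slides 24 to 40, as an added worked example that is not part of the original slides and not the VEX tool's own code: a toy abstract-heap analysis in JavaScript that applies the CONSTANT, VAR, FIELD, BINOP, DECL, assignment, conditional and function-call rules to a constructed mini-AST and reports the two suspicious flows that start at the content document (to eval and to innerHTML). Everything below is an assumption made for the illustration: the AST shape, the helper names (mkNode, Analyzer, analyze, V/C/F/B), the "content-document" source tag and the sample program. Dependency sets carry that tag rather than every program variable, the this-map is reduced to one current scope, conditionals are handled as slide 23 describes (the condition is not evaluated, the branch heap is merged into the current one by union of dependencies), and known functions are re-evaluated per call instead of being summarized.

```javascript
// Added example, not VEX's own code: a toy static dependency analysis in the style of the
// abstract-heap rules above. A node carries d (a set of dependency labels; here only the
// constructed source tag "content-document" is tracked, not every program variable) and fr
// (its fields). A mini-AST stands in for real JavaScript and one current scope for the this-map.
const mkNode = (deps = []) => ({ d: new Set(deps), fr: new Map() });
const union = (...sets) => new Set(sets.flatMap((s) => [...s]));

class Analyzer {
  constructor() {
    this.global = mkNode(); this.scope = this.global;
    this.functions = new Map();                // name -> { params, body, ret }
    this.alerts = []; this.condDepth = 0;      // condDepth > 0 while inside a branch of an if
    // Model window.content.document: its node is tagged, so data read from it inherits the tag.
    const doc = mkNode(["content-document"]);
    const content = mkNode(); content.fr.set("document", doc);
    const win = mkNode(); win.fr.set("content", content);
    this.global.fr.set("window", win);
  }
  lookup(name) {                               // (VAR): current scope, then global scope, else a
    if (this.scope.fr.has(name)) return this.scope.fr.get(name);   // fresh global node, empty deps
    if (!this.global.fr.has(name)) this.global.fr.set(name, mkNode());
    return this.global.fr.get(name);
  }
  expr(e) {
    switch (e.t) {
      case "const": return mkNode();                               // (CONSTANT): no dependencies
      case "var": return this.lookup(e.name);
      case "field": {                                              // (FIELD): inherits the object's deps
        const obj = this.expr(e.obj);
        if (!obj.fr.has(e.f)) obj.fr.set(e.f, mkNode(obj.d));
        const f = obj.fr.get(e.f); f.d = union(f.d, obj.d); return f;
      }
      case "bin": return mkNode(union(this.expr(e.l).d, this.expr(e.r).d));   // (BINOP)
      case "call": {
        const args = e.args.map((a) => this.expr(a));
        // suspicious flow pattern 1: content document data reaches eval
        if (e.fn === "eval" && args[0] && args[0].d.has("content-document")) this.alerts.push("content-document -> eval");
        const fn = this.functions.get(e.fn);
        if (!fn) return mkNode(union(...args.map((a) => a.d)));    // undefined function: union of args
        const saved = this.scope; this.scope = mkNode();           // defined function: body in a fresh scope
        fn.params.forEach((p, i) => this.scope.fr.set(p, args[i] || mkNode()));
        this.stmt(fn.body);
        const ret = this.expr(fn.ret); this.scope = saved; return ret;
      }
      default: throw new Error("unknown expression " + e.t);
    }
  }
  stmt(s) {
    switch (s.t) {
      case "seq": s.stmts.forEach((x) => this.stmt(x)); return;
      case "expr": this.expr(s.e); return;
      case "fdef": this.functions.set(s.name, s); return;
      case "decl": this.scope.fr.set(s.name, this.expr(s.e)); return;   // (DECL): replaces any old node
      case "assign": {
        const rhs = this.expr(s.e);
        if (s.target.t === "field") {                              // x.f = e, with innerHTML as a sink
          const obj = this.expr(s.target.obj);
          // suspicious flow pattern 2: content document data reaches innerHTML
          if (s.target.f === "innerHTML" && rhs.d.has("content-document")) this.alerts.push("content-document -> innerHTML");
          obj.fr.set(s.target.f, rhs); return;
        }
        const home = this.scope.fr.has(s.target.name) ? this.scope : this.global;
        const old = home.fr.get(s.target.name);
        // Inside a conditional the assignment may not run, so the old dependencies are kept as
        // well (weak dependency); outside one, the node is simply replaced (strong dependency).
        home.fr.set(s.target.name, this.condDepth > 0 && old ? mkNode(union(old.d, rhs.d)) : rhs);
        return;
      }
      case "if":                                                   // condition not evaluated; branches merged
        this.expr(s.cond); this.condDepth++;
        this.stmt(s.then); if (s.else) this.stmt(s.else);
        this.condDepth--; return;
      default: throw new Error("unknown statement " + s.t);
    }
  }
}
// Mini-AST helpers and a constructed extension snippet modelled on the Wikipedia Toolbar flow:
//   var doc = window.content.document; var title = doc.title;
//   function wrap(s) { var out = "[" + s + "]"; return out; }
//   var label = "Wikipedia"; if (doc.hasFocus) { label = label + title; }
//   eval("show(" + wrap(title) + ")"); panel.innerHTML = label; status.innerHTML = "ready";
const V = (name) => ({ t: "var", name });
const C = (v) => ({ t: "const", v });
const F = (obj, f) => ({ t: "field", obj, f });
const B = (l, r) => ({ t: "bin", l, r });
const sampleProgram = { t: "seq", stmts: [
  { t: "decl", name: "doc", e: F(F(V("window"), "content"), "document") },
  { t: "decl", name: "title", e: F(V("doc"), "title") },
  { t: "fdef", name: "wrap", params: ["s"], body: { t: "decl", name: "out", e: B(B(C("["), V("s")), C("]")) }, ret: V("out") },
  { t: "decl", name: "label", e: C("Wikipedia") },
  { t: "if", cond: F(V("doc"), "hasFocus"), then: { t: "assign", target: V("label"), e: B(V("label"), V("title")) } },
  { t: "expr", e: { t: "call", fn: "eval", args: [B(B(C("show("), { t: "call", fn: "wrap", args: [V("title")] }), C(")"))] } },
  { t: "assign", target: F(V("panel"), "innerHTML"), e: V("label") },
  { t: "assign", target: F(V("status"), "innerHTML"), e: C("ready") },
] };
// One pass over the program; returns the flagged flows and the final global heap.
const analyze = (program) => { const a = new Analyzer(); a.stmt(program); return { alerts: a.alerts, heap: a.global }; };
console.log(analyze(sampleProgram).alerts);   // ["content-document -> eval", "content-document -> innerHTML"]
```

Running it with node reports both flows: the eval one travels through the wrap call (the callee body is evaluated with the tainted argument bound in a fresh scope), and the innerHTML one survives only because the assignment inside the if keeps the old dependencies as well as the new ones, which is the weak dependency from the slide on dependency types; the constant assigned to status.innerHTML carries no dependencies and is not flagged. Like VEX, the toy is conservative: it never looks at doc.hasFocus, so a program in which the branch can never run is still reported (a false positive), and any data that passes through a construct the mini-AST does not model would be missed.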
- An accurate analysis of the structure of dynamically created code is too complex; furthermore, eval statements cannot simply be ignored.
- VEX implements a static constant-string analysis for strings, and subjects the strings that are eval-ed to this analysis.
- Strings that are not statically known but are subject to eval are essentially ignored.
- innerHTML: VEX creates a symbolic representation of the source, computes summaries of innerHTML, and allows outside methods to instantiate the symbolic source to a concrete source in whichever context it becomes available.

Slide 42: Notes about the analysis
The analysis is:
- Flow-sensitive: takes into account the order of statements in a program.
- Path-sensitive: computes different pieces of analysis information dependent on the predicates at conditional branch instructions.
- Context-sensitive: interprocedural analysis that considers the calling context when analyzing the target of a function call.

Slide 43: Notes about the analysis cont.
- Unsoundness: a static analysis tool like VEX is inherently conservative; if VEX reports a flow, there may be no such feasible flow in the program (false positives).
- Incompleteness: false negatives are also possible because of several unsummarized objects.
VEX has several sources of unsoundness and incompleteness:
- eval
files. VEX walks through the ASTs, computing the flow sets from all sources to all sinks, in a single-pass analysis.

Slide 45: Evaluation cont.
1. The current version of VEX checks these flow patterns that capture flows from injectable sources to executable sinks:

Slide 46: Evaluation cont.
2. Furthermore, VEX searches for these patterns that characterize unsafe programming practices that could lead to security vulnerabilities:
The VEX tool can be adapted to other kinds of suspect flows.

Slide 47: Evaluation methodology
The experiment's steps:
1. Chose a random sample of 1827 extensions from the Mozilla add-ons web site (first extensions in alphabetical order for all subject categories).

On average, VEX took 15.5 seconds per extension.

Slide 49: Experimental results cont.
Finding unsafe programming practices: 15 of the alerts were analyzed manually.

Slide 50: Successful attacks
Attack scripts example:
Slide 51: Successful attacks
Vulnerabilities found by VEX:
- Wikipedia Toolbar, up to version 0.5.9
- Fizzle versions 0.5, 0.5.1, 0.5.2
- Beatnik version 1.2

Slide 52: Conclusion
Advantages of VEX:
- VEX vets the flows automatically, greatly reducing the number of extensions that need to be manually reviewed: 15.5 seconds per extension instead of hours.
- More accurate than manual review.
- VEX performs the analysis only once and, from the results, allows us to search for any source-to-sink flow.
- Flow-sensitive, path-sensitive, context-sensitive analysis.

Slide 53: Conclusion cont.
Disadvantages of VEX:
- Unsoundness and incompleteness: false positives and false negatives.
- The design choices aren't necessarily optimal:
  - no modeling of actual values;
  - conditional and while statements aren't evaluated;
  - the evaluation is executed until reaching a specific condition;
  - no evaluation of prototypes;
  - no evaluation of statically unknown strings subject to eval.
- There is no information about the existence of known vulnerabilities that VEX hasn't detected.

Slide 54: Future Work
1. A points-to analysis