VEX: vetting browser extensions for security vulnerabilities

USENIX Security Symposium, pp. 22-22, 2010.

VEX is a proof-of-concept tool for detecting potential security vulnerabilities in browser extensions using static analysis for explicit flows.

Abstract:

The browser has become the de facto platform for everyday computation. Among the many potential attacks that target or exploit browsers, vulnerabilities in browser extensions have received relatively little attention. Currently, extensions are vetted by manual inspection, which does not scale well and is subject to human error. In this pa...

Introduction
  • Driving the Internet revolution is the modern web browser, which has evolved from a relatively simple client application designed to display static data into a complex networked operating system tasked with managing many facets of a user’s on-line experience.
  • Other extensions provide more sophisticated functionality, such as NoScript, which provides fine-grained control over JavaScript execution [20], or Greasemonkey, which provides a full-blown programming environment for scripting browser behavior [6].
  • These are just a few of the thousands of extensions currently available for Firefox, the second most popular browser today.
  • General Firefox code runs with full chrome privileges, which give it access to all browser state and events, OS resources like the file system and network, and all web pages.
  • To access the document object of the content page, the extension has to read the document property of the content window, i.e., window.content.document.
Highlights
  • Driving the Internet revolution is the modern web browser, which has evolved from a relatively simple client application designed to display static data into a complex networked operating system tasked with managing many facets of a user’s on-line experience
  • We show that VEX can help to find the use of unsafe programming practices, such as misuse of evalInSandbox, that can result from subtle information flows
  • For the flow “Content-doc to Eval”, the grep was for the string ‘eval(’; for “Content-doc to InnerHTML” flows, the grep was for the string ‘innerHTML’; and for “Resource Description Framework (RDF) to InnerHTML” flows, the search was for both the strings ‘innerHTML’ and ‘@mozilla.org/rdf/rdf-service;1’
  • VEX is a proof-of-concept tool for detecting potential security vulnerabilities in browser extensions using static analysis for explicit flows
  • Using VEX, we identify three previously unknown security vulnerabilities and three previously known vulnerabilities, together with a variety of instances of unsafe programming practices
  • The static analysis can benefit from a points-to analysis that is more precise on certain aspects of JavaScript such as higher-order functions, prototypes, and scoping
Methods
  • Objects obtained using wrappedJSObject() commands are usually untrusted, and methods of such objects should not be called.
  • The source locations are uses of wrappedJSObject() and source objects are the objects returned by them.
  • Sink locations are methods calls and the sink objects are the objects whose methods are called.
  • The VEX tool can be adapted to other kinds of suspect flows: source and sink locations are straightforward to specify, but the source and sink objects must be specified carefully, as above
Results
  • Finding flows from injectible sources to executable sinks: Figure 5 summarizes the experimental results for flows that are from injectible sources to executable sinks.
  • The first column is the number of extensions that syntactically have code that could indicate such a flow, identified using a grep search.
  • This search finds hundreds of suspect extensions, far more than can be examined manually.
  • The third column indicates the number of extensions on which VEX reports an alert with corresponding flows.
  • VEX took only 15.5 seconds per extension.
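The flow kinds named above (content-doc to eval/innerHTML, RDF to innerHTML, wrappedJSObject object to method call) and the grep-versus-VEX comparison in Figure 5 can be illustrated with a small checker. The following is an added example, not the VEX tool and not code from the paper: it handles only straight-line sequences of simple statements (no functions, branches, prototypes, comments or escaped quotes), propagates taint through variable assignments, and reports when a tainted expression reaches eval, evalInSandbox, an innerHTML assignment, or a method call on an object obtained through wrappedJSObject. The four sample "extensions" are constructed for this example; the names SOURCES, GREP_STRINGS, findFlows and grepHits are chosen here, and feedUrl, notify, sandbox and status-box in the samples are hypothetical identifiers.

```javascript
'use strict';
// Added example (not the VEX tool): a toy explicit-flow checker over
// straight-line JavaScript statements, showing source-to-sink flows and
// why a plain grep over-reports.

// Sources: where data controlled by a web page or a feed enters extension code.
const SOURCES = [
  { name: 'content-doc',     re: /\bwindow\.content\.document\b/ },
  { name: 'wrappedJSObject', re: /\.wrappedJSObject\b/ },
  { name: 'rdf-service',     re: /@mozilla\.org\/rdf\/rdf-service;1/ },
];
// Strings grepped for in the paper's syntactic pre-filter (first column).
const GREP_STRINGS = ['eval(', 'innerHTML', '@mozilla.org/rdf/rdf-service;1'];

// Split on ';' outside string literals so "rdf-service;1" is not cut.
// Assumption: no escaped quotes, no comments, one simple statement per ';'.
function splitStatements(src) {
  const out = [];
  let cur = '', quote = null;
  for (const ch of src) {
    if (quote) { cur += ch; if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") { quote = ch; cur += ch; }
    else if (ch === ';') { if (cur.trim()) out.push(cur.trim()); cur = ''; }
    else cur += ch;
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}

// Taint of an expression: sources it mentions directly, plus the taint of every
// variable it reads. Identifiers preceded by '.' are property names, not variables.
function taintOf(expr, env) {
  const taint = new Set();
  for (const s of SOURCES) if (s.re.test(expr)) taint.add(s.name);
  const noStrings = expr.replace(/'[^']*'|"[^"]*"/g, '""');
  for (const id of noStrings.match(/(?<![\w$.])[A-Za-z_$][\w$]*/g) || []) {
    for (const s of env.get(id) || []) taint.add(s);
  }
  return taint;
}

const RE_EVAL    = /^eval\s*\((.*)\)$/s;
const RE_SANDBOX = /^(?:Components\.utils\.)?evalInSandbox\s*\((.*)\)$/s;
const RE_ASSIGN  = /^(?:var\s+)?([A-Za-z_$][\w$.]*)\s*=(?!=)\s*(.+)$/s;
const RE_CALL    = /^([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)\s*\((.*)\)$/s;

// One pass over the statements: track which sources each variable may carry
// and report every sink reached by tainted data.
function findFlows(src) {
  const env = new Map(); // variable name -> Set of source names
  const alerts = [];
  splitStatements(src).forEach((stmt, i) => {
    const report = (sink, taint) => {
      if (taint.size) alerts.push({ stmtNo: i + 1, sink, sources: [...taint].sort(), stmt });
    };
    let m;
    if ((m = RE_EVAL.exec(stmt))) {
      report('eval', taintOf(m[1], env));
    } else if ((m = RE_SANDBOX.exec(stmt))) {
      report('evalInSandbox', taintOf(m[1].split(',')[0], env)); // first arg is the code
    } else if ((m = RE_ASSIGN.exec(stmt))) {
      const [, target, rhs] = m;
      const taint = taintOf(rhs, env);
      if (target.endsWith('.innerHTML')) report('innerHTML', taint);
      else if (!target.includes('.')) env.set(target, taint);
    } else if ((m = RE_CALL.exec(stmt))) {
      // Methods of an object obtained via wrappedJSObject are page-controlled code.
      const recv = env.get(m[1]) || new Set();
      if (recv.has('wrappedJSObject')) report('method-call-on-untrusted', recv);
    }
  });
  return alerts;
}

// What the syntactic pre-filter alone would flag in the same source.
function grepHits(src) {
  return GREP_STRINGS.filter(s => src.includes(s));
}

// Constructed sample "extensions" (not real add-ons).
const SAMPLES = {
  // (a) page title reaches chrome innerHTML: a real content-doc -> innerHTML flow
  titleToInnerHTML: `
    var doc = window.content.document;
    var title = doc.title;
    var box = document.getElementById('status-box');
    box.innerHTML = '<b>' + title + '</b>';`,
  // (b) grep sees 'eval(' and 'innerHTML', but only constants reach them
  constantOnly: `
    var prefs = 'var debug = false';
    eval(prefs);
    var box = document.getElementById('status-box');
    box.innerHTML = '<i>ready</i>';`,
  // (c) method call on an unwrapped page object; nothing for the grep to see
  unwrappedCall: `
    var page = window.content.wrappedJSObject;
    page.notify('extension loaded');`,
  // (d) RDF datasource value evaluated in a sandbox: rdf-service -> evalInSandbox
  rdfToSandbox: `
    var rdf = Components.classes['@mozilla.org/rdf/rdf-service;1'].getService(Components.interfaces.nsIRDFService);
    var desc = rdf.GetResource(feedUrl).Value;
    Components.utils.evalInSandbox(desc, sandbox);`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const flows = findFlows(src).map(a => `${a.sources.join('+')} -> ${a.sink} (stmt ${a.stmtNo})`);
  console.log(`${name}: grep=${JSON.stringify(grepHits(src))} flows=${JSON.stringify(flows)}`);
}
```

Running it shows why the grep column over-counts and why it can also miss: constantOnly contains both ‘eval(’ and ‘innerHTML’ but has no flow, while unwrappedCall has a flow and no grep hit at all. VEX itself analyzes explicit flows over a JavaScript operational semantics and is sensitive to higher-order functions, prototypes and scoping; this toy tracks only named variables in straight-line code and would, for instance, lose a source that is passed through a callback.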
Conclusion
  • The authors' main thesis is that most vulnerabilities in web extensions can be characterized as explicit flows, which in turn can be statically analyzed.
  • VEX is a proof-of-concept tool for detecting potential security vulnerabilities in browser extensions using static analysis for explicit flows.
  • The authors have found 16 more known vulnerabilities, of which 14 can be characterized using information-flow patterns.
  • Identifying statically these source-sink pairs and adding them to VEX would yield a more comprehensive tool.
  • In the direction of reducing false positives, automatically building attack vectors for statically discovered flows can help synthesize attacks; a key challenge in achieving this would be in handling sanitization routines effectively [3, 30]
Related work
  • Maffeis et al. [27] proposed a small-step operational semantics for JavaScript, using which they analyze security properties of web applications. This operational semantics is then useful for generating safe subsets of JavaScript and for manually proving that so-called safe subsets of JavaScript are in fact vulnerable to certain attacks [28]. Our operational semantics is inspired by their approach, although we take the alternate approach of abstracting the primitive values in the program. This helps us in proposing a precise information-flow analysis for non-trivial JavaScript programs. More recently, Guha et al. [18] also provide an operational semantics for JavaScript (albeit without semantics for eval) with the goal of making it easier to prove properties about JavaScript programs.

    Recent work by Ter Louw et al. [25] highlights some of the potential security risks posed by browser extensions, and proposes run-time support for restricting the interactions between browsers and extensions. Our techniques are complementary to these, since, as our experiments show, even restricted interfaces can still be susceptible to security vulnerabilities.
Funding
  • This research was funded in part by NSF CAREER award #0747041, NSF grant CNS #0917229, NSF grant CNS #0831212, grant N0014-091-0743 from the Office of Naval Research, and AFOSR MURI grant FA9550-09-01-0539
Reference
  • [1] ANTLR Parser Generator. http://www.antlr.org.
  • [2] T. Amtoft and A. Banerjee. Information flow analysis in logical form. In R. Giacobazzi, editor, SAS 2004, volume 3148 of LNCS, pages 100–115. Springer-Verlag, 2004.
  • [3] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In IEEE Symposium on Security and Privacy, pages 387–401, 2008.
  • [4] A. Barth, A. P. Felt, P. Saxena, and A. Boodman. Protecting browsers from extension vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2010.
  • [5] B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczynski, D. Becker, C. Chambers, and S. Eggers. Extensibility, safety and performance in the SPIN operating system. In Proceedings of the 1995 Symposium on Operating Systems Principles, pages 267–283, December 1995.
  • [6] A. Boodman. The Greasemonkey Firefox extension. https://addons.mozilla.org/en-US/firefox/addon/748.
  • [7] R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In M. Hind and A. Diwan, editors, PLDI, pages 50–62. ACM, 2009.
  • [8] CrYpTiC MauleR. Fizzle RSS Feed HTML Injection Vulnerability. http://www.securityfocus.com/bin/23144.
  • [9] M. Dhawan and V. Ganapathy. Analyzing information flow in JavaScript-based browser extensions. In ACSAC ’09: Proceedings of the 25th Annual Computer Security Applications Conference, pages 382–391, December 2009.
  • [10] D. R. Engler, M. F. Kaashoek, and J. O’Toole, Jr. Exokernel: an operating system architecture for application-level resource management. In SOSP ’95: Proceedings of the Fifteenth ACM Symposium on Operating Systems Principles, pages 251–266, New York, NY, USA, 1995. ACM.
  • [11] U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, pages 75–88. USENIX Association, 2006.
  • [12] N. Freeman and R. S. Liverani. Cross context scripting with Firefox, April 2010. http://www.
  • [13] N. Freeman and R. S. Liverani. Exploiting cross context scripting vulnerabilities in Firefox, April 2010. http://www.security-assessment.
  • [14] I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the 1996 USENIX Security Symposium, pages 1–13, July 1996.
  • [15] C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.
  • [16] C. Grier, H. J. Wang, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In Proceedings of the 2009 USENIX Security Symposium, 2009.
  • [17] S. Guarnieri and B. Livshits. Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of USENIX Security ’09, pages 151–168, 2009.
  • [18] A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In ECOOP, Lecture Notes in Computer Science. Springer, 2010.
  • [19] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW, pages 40–52, New York, NY, USA, 2004. ACM.
  • [20] IAOSS. NoScript Firefox extension. http://noscript.net/.
  • [21] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 258–263, 2006.
  • [22] H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov. JavaScript instrumentation in practice. In APLAS ’08, pages 326–341, Berlin, Heidelberg, 2008. Springer-Verlag.
  • [23] R. S. Liverani and N. Freeman. Abusing Firefox extensions. Defcon 17, July 2009.
  • [24] V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In SSYM ’05: Proceedings of the 14th USENIX Security Symposium, pages 18–18, Berkeley, CA, USA, 2005. USENIX Association.
  • [25] M. T. Louw, J. S. Lim, and V. N. Venkatakrishnan. Extensible web browser security. In B. M. Hammerli and R. Sommer, editors, DIMVA, volume 4579 of Lecture Notes in Computer Science, pages 1–19.
  • [26] G. A. D. Lucca, A. R. Fasolino, M. Mastoianni, and P. Tramontana. Identifying cross site scripting vulnerabilities in web applications. In WSE ’04, pages 71–80, Washington, DC, USA, 2004. IEEE Computer Society.
  • [27] S. Maffeis, J. C. Mitchell, and A. Taly. An operational semantics for JavaScript. In G. Ramalingam, editor, APLAS, volume 5356 of Lecture Notes in Computer Science, pages 307–325.
  • [28] S. Maffeis and A. Taly. Language-based isolation of untrusted JavaScript. In Proc. of CSF ’09, IEEE, 2009. See also: Dep. of Computing, Imperial College London, Technical Report DTR09-3, 2009.
  • [29] G. C. Necula. Proof-carrying code. In POPL ’97: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 106–119, New York, NY, USA, 1997. ACM.
  • [30] P. Saxena, D. Akhawe, S. Hanna, S. McCamant, F. Mao, and D. Song. A symbolic execution framework for JavaScript. In IEEE Symposium on Security and Privacy, 2010.
  • [31] M. I. Seltzer, Y. Endo, C. Small, and K. A. Smith. Dealing with disaster: Surviving misbehaved kernel extensions. In OSDI, pages 213–227, 1996.
  • [32] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Krugel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS. The Internet Society, 2007.
  • [33] https://developer.mozilla.org/en/RDF_in_
  • [34] Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS ’06: Proceedings of the 15th USENIX Security Symposium, Berkeley, CA, USA, 2006. USENIX Association.
  • [35] D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In M. Hofmann and M. Felleisen, editors, POPL, pages 237–249. ACM, 2007.
  • [36] F. Zhou, J. Condit, Z. R. Anderson, I. Bagrak, R. Ennals, M. Harren, G. C. Necula, and E. A. Brewer. SafeDrive: Safe and recoverable extensions using language-based techniques. In 7th Symposium on Operating Systems Design and Implementation (OSDI ’06), November 6–8, Seattle, WA, USA, pages 45–60. USENIX Association, 2006.
Best Paper
Best Paper of USENIX Security, 2010