DOCSLIB.ORG

Analyzing Information Flow in Javascript-Based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science, Rutgers University

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Published in ACSAC’09: Proceedings of the 25th Annual Computer Security Applications Conference, Honolulu, Hawaii, December 2009 Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science, Rutgers University Abstract net Explorer and Google Chrome also support extensions (e.g., scriptable plugins and ActiveX controls) that contain JavaScript-based browser extensions (JSEs) enhance the or interact with JavaScript code. core functionality of web browsers by improving their look However, recent attacks show that JSEs pose a threat to and feel, and are widely available for commodity browsers. browser security. Two factors contribute to this threat: To enable a rich set of functionalities, browsers typically (1) Inadequate sandboxing of JavaScript in a JSE. Un- execute JSEs with elevated privileges. For example, un- like JavaScript code in a web application, which executes like JavaScript code in a web application, code in a JSE is with restricted privileges [9], JavaScript code in a JSE exe- not constrained by the same-origin policy. Malicious JSEs cutes with the privileges of the browser. JSEs are not con- can misuse these privileges to compromise confidentiality strained by the same-origin policy [38], and can freely ac- and integrity, e.g., by stealing sensitive information, such as cess sensitive entities, such as the cookie store and brows- cookies and saved passwords, or executing arbitrary code ing history. For instance, JavaScript in a JSE is allowed on the host system. Even if a JSE is not overtly malicious, to send an XMLHttpRequest to any web domain. Even vulnerabilities in the JSE and the browser may allow a re- though JavaScript only provides restricted language-level mote attacker to compromise browser security. constructs for I/O, browsers typically provide cross-domain We present Sabre (Security Architecture for Browser interfaces that enable a JSE to perform I/O. For example, Extensions), a system that uses in-browser information-flow although JavaScript does not have language-level primi- tracking to analyze JSEs. Sabre associates a label with tives to interact with the file system, JSEs in Firefox can each in-memory JavaScript object in the browser, which access the file system via constructs provided by the XP- determines whether the object contains sensitive informa- COM (cross-domain component object model) interface [7]. tion. Sabre propagates labels as objects are modified by the Importantly, these features are necessary to create expres- JSE and passed between browser subsystems. Sabre raises sive JSEs that support a rich set of functionalities. For an alert if an object containing sensitive information is ac- example, JSEs that provide cookie/password management cessed in an unsafe way, e.g., if a JSE attempts to send the functionality rely critically on the ability to access the object over the network or write it to a file. We implemented cookie/password stores. Sabre by modifying the Firefox browser and evaluated it us- However, JSEs from untrusted third parties may contain ing both malicious JSEs as well as benign ones that con- malicious functionality that exploits the privileges that the tained exploitable vulnerabilities. Our experiments show browser affords to JavaScript code in an extension. Exam- that Sabre can precisely identify potential information flow ples of such JSEs exist in the wild. They are extremely violations by JSEs. easy to create and can avoid detection using stealth tech- niques [11, 13, 14, 15, 18, 41]. Indeed, we wrote several such JSEs during the course of this project. 1. Introduction (2) Browser and JSE vulnerabilities. Even if a JSE is not malicious, vulnerabilities in the browser and in JSEs may al- Modern web browsers support an architecture that lets low a malicious website to access and misuse the privileges third-party extensions enhance the core functionality of the of a JSE [12, 35, 39, 40, 45]. Vulnerabilities in older ver- browser. Such extensions enhance the look and feel of the sions of Firefox/Greasemonkey allowed a remote attacker to browser and help render rich web content, such as mul- access the file system on the host machine [35, 45]. Simi- timedia. Extensions are widely available for commodity larly, vulnerabilities in Firebug [12, 39] allowed remote at- browsers as plugins (e.g., PDF readers, Flash players, Ac- tackers to execute arbitrary commands on the host machine tiveX), browser helper objects (BHOs) and add-ons. using exploits akin to cross-site scripting. These attacks ex- This paper concerns JavaScript-based browser exten- ploit subtle interactions between the browser and JSEs. sions (JSEs). Such extensions are written primarily in While there is much prior work on the security of JavaScript, and are widely available and immensely pop- untrusted browser extensions such as plugins and BHOs ular (as “add-ons”) for Firefox [4] and related tools, such (which are distributed as binary executables) particularly in as Thunderbird. Notable examples of JSEs for Firefox in- the context of spyware [22, 30, 31], there is relatively lit- clude Greasemonkey [5], which allows user-defined scripts tle work on analyzing the security of JSEs. Existing tech- to customize how web pages are rendered, Firebug [3], a niques to protect against an untrusted JSE rely on load- JavaScript development environment, and NoScript [8], a time verification of the integrity of the JSE, e.g., by ensur- JSE that aims to improve security by blocking script ex- ing that scripts are digitally signed by a trustworthy source. ecution from certain websites. Other browsers like Inter- However, such verification is agnostic to the code in a JSE our knowledge, prior work on JavaScript-level information and cannot prevent attacks enabled by vulnerabilities in the flow has not needed such support. browser or the JSE. Ter-Louw et al. [41] developed a run- To summarize, the main contributions of this paper are: time agent to detect malicious JSEs by monitoring XP- • Sabre, an information flow tracker for JSEs. We dis- COM calls and ensuring that these calls conform to a user- cuss the techniques used to implement information flow defined security policy. Such a security policy may, for in- tracking in a web browser and the heuristics used to stance, prevent a JSE from accessing the network after it achieve precision (Section 3). Sabre handles explicit in- has accessed browsing history. Unfortunately, XPCOM- formation flows, some forms of implicit flows, as well as level monitoring of JSEs is too coarse-grained and can be cross-domain flows. We have implemented a prototype overly restrictive. For example, one of their policies disal- of Sabre in Firefox. lows XPCOM calls when SSL is in use, which may prevent • Evaluation on 24 JSEs. We evaluated Sabre using ma- some JSEs from functioning in a https browsing session. licious JSEs as well as benign ones that contained ex- XPCOM-level monitoring can also miss attacks, e.g., a JSE ploitable vulnerabilities. In these cases, Sabre precisely may disguise its malicious actions so that they appear benign identified information flow violations. We also tested to the monitor (in a manner akin to mimicry attacks [43]). Sabre using benign JSEs. In these experiments, Sabre This paper presents Sabre, a system that uses in-browser precisely identified potentially suspicious flows that we information-flow tracking to analyze JSEs. Sabre associates manually analyzed and whitelisted (Section 4). each in-memory JavaScript object with a label that deter- mines whether the object contains sensitive information. We chose Firefox as our implementation and evalua- Sabre modifies this label when the corresponding object is tion platform because of the popularity and wide avail- modified by JavaScript code (contained both in JSEs and ability of JSEs for Firefox. However, JSEs pose a secu- web applications). Sabre raises an alert if a JavaScript ob- rity threat even in privilege-separated browser architectures ject containing sensitive data is accessed in an unsafe way, (e.g., [6, 27, 44]) for the same reasons as outlined earlier. e.g., if a JSE attempts to send a JavaScript object contain- The techniques described in this paper are therefore relevant ing sensitive data over the network or write it to a file. In and applicable to such browsers as well. addition to detecting such confidentiality violations, Sabre 2. Background and Motivating Examples also uses the same mechanism to detect integrity violations, e.g., if a JSE attempts to execute a script received from an Writing browser extensions in JavaScript offers a num- untrusted domain with elevated privileges. ber of advantages that will ensure that JSEs remain rele- Sabre differs from prior work [22] that uses information- vant in future browsers as well. JavaScript has emerged as flow tracking to analyze plugins and BHOs because it tracks the lingua franca of the Web and is supported by all major information flow at the level of JavaScript instructions and browsers. It offers several primitives that are ideally suited does so within the browser. In contrast, prior work on plugin for web browsing (e.g., handlers for user-generated events, security tracks information flow at the system level by track- such as mouse clicks and keystrokes) and allow easy inter- ing information flow at the granularity of machine instruc- action with web applications (e.g., primitives to access the tions. These differences allow Sabre to report better forensic DOM). JSEs can be written by developers with only a rudi- information with JSEs because an analyst can explain flow mentary knowledge of JavaScript and can readily be mod- of information at the granularity of JavaScript objects and ified by others, which in turn allows for rapid prototyping. instructions rather than at the granularity of memory words This is in contrast to plugins and BHOs, which are devel- and machine instructions.
Recommended publications
  • Differential Fuzzing the Webassembly

    Differential Fuzzing the Webassembly

    Master’s Programme in Security and Cloud Computing Differential Fuzzing the WebAssembly Master’s Thesis Gilang Mentari Hamidy MASTER’S THESIS Aalto University - EURECOM MASTER’STHESIS 2020 Differential Fuzzing the WebAssembly Fuzzing Différentiel le WebAssembly Gilang Mentari Hamidy This thesis is a public document and does not contain any confidential information. Cette thèse est un document public et ne contient aucun information confidentielle. Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Technology. Antibes, 27 July 2020 Supervisor: Prof. Davide Balzarotti, EURECOM Co-Supervisor: Prof. Jan-Erik Ekberg, Aalto University Copyright © 2020 Gilang Mentari Hamidy Aalto University - School of Science EURECOM Master’s Programme in Security and Cloud Computing Abstract Author Gilang Mentari Hamidy Title Differential Fuzzing the WebAssembly School School of Science Degree programme Master of Science Major Security and Cloud Computing (SECCLO) Code SCI3084 Supervisor Prof. Davide Balzarotti, EURECOM Prof. Jan-Erik Ekberg, Aalto University Level Master’s thesis Date 27 July 2020 Pages 133 Language English Abstract WebAssembly, colloquially known as Wasm, is a specification for an intermediate representation that is suitable for the web environment, particularly in the client-side. It provides a machine abstraction and hardware-agnostic instruction sets, where a high-level programming language can target the compilation to the Wasm instead of specific hardware architecture. The JavaScript engine implements the Wasm specification and recompiles the Wasm instruction to the target machine instruction where the program is executed. Technically, Wasm is similar to a popular virtual machine bytecode, such as Java Virtual Machine (JVM) or Microsoft Intermediate Language (MSIL).
  • On the Incoherencies in Web Browser Access Control Policies

    On the Incoherencies in Web Browser Access Control Policies

    On the Incoherencies in Web Browser Access Control Policies Kapil Singh∗, Alexander Moshchuk†, Helen J. Wang† and Wenke Lee∗ ∗Georgia Institute of Technology, Atlanta, GA Email: {ksingh, wenke}@cc.gatech.edu †Microsoft Research, Redmond, WA Email: {alexmos, helenw}@microsoft.com Abstract—Web browsers’ access control policies have evolved Inconsistent principal labeling. Today’s browsers do piecemeal in an ad-hoc fashion with the introduction of new not have the same principal definition for all browser re- browser features. This has resulted in numerous incoherencies. sources (which include the Document Object Model (DOM), In this paper, we analyze three major access control flaws in today’s browsers: (1) principal labeling is different for different network, cookies, other persistent state, and display). For resources, raising problems when resources interplay, (2) run- example, for the DOM (memory) resource, a principal is time changes to principal identities are handled inconsistently, labeled by the origin defined in the same origin policy and (3) browsers mismanage resources belonging to the user (SOP) in the form of <protocol, domain, port> [4]; but principal. We show that such mishandling of principals leads for the cookie resource, a principal is labeled by <domain, to many access control incoherencies, presenting hurdles for > web developers to construct secure web applications. path . Different principal definitions for two resources are A unique contribution of this paper is to identify the com- benign as long as the two resources do not interplay with patibility cost of removing these unsafe browser features. To do each other. However, when they do, incoherencies arise. For this, we have built WebAnalyzer, a crawler-based framework example, when cookies became accessible through DOM’s for measuring real-world usage of browser features, and used “document” object, DOM’s access control policy, namely the it to study the top 100,000 popular web sites ranked by Alexa.
  • Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’S Topics

    Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’S Topics

    IGME-330 Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’s topics • Tools we’ll use – what’s the IDE we’ll be using? (hint: none) • This class is about “Rich Media” – we’ll need a “Rich client” – what’s that? • Rich media Plug-ins v. Native browser support for rich media • Who’s in charge of the HTML5 browser API? (hint: no one!) • Where did HTML5 come from? • What are the capabilities of an HTML5 browser? • Browser layout engines • JavaScript Engines Tools we’ll use • Browsers: • Google Chrome - assignments will be graded on Chrome • Safari • Firefox • Text Editor of your choice – no IDE necessary • Adobe Brackets (available in the labs) • Notepad++ on Windows (available in the labs) • BBEdit or TextWrangler on Mac • Others: Atom, Sublime • Documentation: • https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model • https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide What is a “Rich Client” • A traditional “web 1.0” application needs to refresh the entire page if there is even the smallest change to it. • A “rich client” application can update just part of the page without having to reload the entire page. This makes it act like a desktop application - see Gmail, Flickr, Facebook, ... Rich Client programming in a web browser • Two choices: • Use a plug-in like Flash, Silverlight, Java, or ActiveX • Use the built-in JavaScript functionality of modern web browsers to access the native DOM (Document Object Model) of HTML5 compliant web browsers.
  • The Javascript Revolution

    The Javascript Revolution

    Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Shockers: Scribble & Fortuna Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna Congrats on sneaky strategizing
  • Flash Player and Linux

    Flash Player and Linux

    Flash Player and Linux Ed Costello Engineering Manager Adobe Flash Player Tinic Uro Sr. Software Engineer Adobe Flash Player 2007 Adobe Systems Incorporated. All Rights Reserved. Overview . History and Evolution of Flash Player . Flash Player 9 and Linux . On the Horizon 2 2007 Adobe Systems Incorporated. All Rights Reserved. Flash on the Web: Yesterday 3 2006 Adobe Systems Incorporated. All Rights Reserved. Flash on the Web: Today 4 2006 Adobe Systems Incorporated. All Rights Reserved. A Brief History of Flash Player Flash Flash Flash Flash Linux Player 5 Player 6 Player 7 Player 9 Feb 2001 Dec 2002 May 2004 Jan 2007 Win/ Flash Flash Flash Flash Flash Flash Flash Mac Player 3 Player 4 Player 5 Player 6 Player 7 Player 8 Player 9 Sep 1998 Jun 1999 Aug 2000 Mar 2002 Sep 2003 Aug 2005 Jun 2006 … Vector Animation Interactivity “RIAs” Developers Expressive Performance & Video & Standards Simple Actions, ActionScript Components, ActionScript Filters, ActionScript 3.0, Movie Clips, 1.0 Video (H.263) 2.0 Blend Modes, New virtual Motion Tween, (ECMAScript High-!delity machine MP3 ed. 3), text, Streaming Video (ON2) video 5 2007 Adobe Systems Incorporated. All Rights Reserved. Widest Reach . Ubiquitous, cross-platform, rich media and rich internet application runtime . Installed on 98% of internet- connected desktops1 . Consistently reaches 80% penetration within 12 months of release2 . Flash Player 9 reached 80%+ penetration in <9 months . YUM-savvy updater to support rapid/consistent Linux penetration 1. Source: Millward-Brown September 2006. Mature Market data. 2. Source: NPD plug-in penetration study 6 2007 Adobe Systems Incorporated. All Rights Reserved.
  • Using Replicated Execution for a More Secure and Reliable Web Browser

    Using Replicated Execution for a More Secure and Reliable Web Browser

    Using Replicated Execution for a More Secure and Reliable Web Browser Hui Xue Nathan Dautenhahn Samuel T. King University of Illinois at Urbana Champaign huixue2, dautenh1, kingst @uiuc.edu { } Abstract Unfortunately, hackers actively exploit these vulnerabil- ities as indicated in reports from the University of Wash- Modern web browsers are complex. They provide a ington [46], Microsoft [61], and Google [49, 48]. high-performance and rich computational environment Both industry and academia have improved the se- for web-based applications, but they are prone to nu- curity and reliability of web browsers. Current com- merous types of security vulnerabilities that attackers modity browsers make large strides towards improving actively exploit. However, because major browser plat- the security and reliability of plugins by using sandbox- forms differ in their implementations they rarely exhibit ing techniques to isolate plugins from the rest of the the same vulnerabilities. browser [62, 33]. However, these browsers still scatter In this paper we present Cocktail, a system that uses security logic throughout millions of lines of code, leav- three different off-the-shelf web browsers in parallel to ing these systems susceptible to browser-based attacks. provide replicated execution for withstanding browser- Current research efforts, like Tahoma [32], the OP web based attacks and improving browser reliability. Cock- browser [36], the Gazelle web browser [59], and the Illi- tail mirrors inputs to each replica and votes on browser nois Browser Operating System [58] all propose build- states and outputs to detect potential attacks, while con- ing new web browsers to improve security. Although tinuing to run.
  • CA Network Flow Analysis Release Notes

    CA Network Flow Analysis Release Notes

    CA Network Flow Analysis Release Notes Release 9.1.3 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
  • HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014

    HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014

    HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S.
  • Lime Rock Gazette

    Lime Rock Gazette

    L 1M E R 0 C K GAZETTE. DEVOTED TO COMMERCE, AGRICULTURE, ART, SCIENCE, MORALITY AND GENERAL INTELLIGENCE. PUBLISHED WEEKLY, BY RICHARDSON & PORTER. Tpiihs, $1,50 in Advance, $1.75 in six monllis $2.00 afleiv-Adverliseinenls inserted al Hie ciisloniarv prices VOL J- LAST—TIIOIIASTOV, TlllltSO AV 1IOILVIA«L O< TOK I it 15. 1840 AO. »». i.j_ - xi u f c i . b.w rjw vjwcyxayztt i TIlC Relllllied Pastor. *,o,n v*cw> nn,l 0,1 *Gc morning of the 'themselves together for family worship.— from nine o’clock in the morning to three 'Aint I a man now. Miss Tabitha, I ’d only, however, who knew the former level- twenty-second of the same month he look- Ho was told that twenty missionaries might I in the nOcrnoon; and from live to nine in like to know ,’ said Jotliam , rising with ness o f the spot. Ct will be recollected By many ol otn renders, that (,d ,|p0„ ,bc s|,((1.es of England—on the find employment there. the eveninu. There were twelve hundred spirit and putting his hat on his head, ‘ I f The Lieutenant, who had c ritic a lly the Kcv. Mr. Vomroy, Tastor ot the livst ( j following day ho landed. He wished to; Mr. l’omroy enumerated the places of | persons composing the convention, about I aint a man now. and a whole hog o f a watched the manoeuvring of the men, grognltonnl Church ol Bangor, lelt his people see ns much of the land of our fathers as interest ho visited in the Holy Land.— nine hundred of whom were clergymen, one too, I think it darned strange.’ congratulated the Orderly on the perfec- sonic sixteen months Since, for an European possible— a land that should lie dear to ! Sidon, Sarepta, Tyre.
  • Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software

    Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software

    Scuola Politecnica e delle Scienze di Base Corso di Laurea Magistrale in Ingegneria Informatica Tesi di laurea magistrale in Calcolatori Elettronici II Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software Anno Accademico 2018/2019 CERN-THESIS-2019-152 //2019 relatori Ch.mo prof. Nicola Mazzocca Ch.mo prof. Pasquale Arpaia correlatore Ing. Laurent Deniau PhD candidato Dario d’Andrea matr. M63000695 Acknowledgements Firstly, I would like to thank my supervisor at CERN, Laurent Deniau, for his daily support and his useful suggestions throughout the work described in this thesis. I would like to express my gratitude to both my university supervisors, Nicola Mazzocca and Pasquale Arpaia, for their helpfulness during this work and for their support during the past years at university. I feel privileged of being allowed to work with such inspiring mentors. This thesis would not have been possible without the help from the community of the LuaJIT project including all the useful insights contained in its mailing list, specially by its author, Mike Pall, who worked for many years accomplishing an amazing job. A special acknowledgement should be addressed to my family. I thank my father Guido and my mother Leda who guided me with love during my education and my life. I am grateful to my brother Fabio, my grandmother Tina, and my uncle Nicola, for their support during the past years. I also want to remember my uncle Bruno who inspired me for my academic career. I wish to express my deepest gratitude to Alicia for her unconditional encour- agement.
  • Mozilla Source Tree Docs Release 50.0A1

    Mozilla Source Tree Docs Release 50.0A1

    Mozilla Source Tree Docs Release 50.0a1 August 02, 2016 Contents 1 SSL Error Reporting 1 2 Firefox 3 3 Telemetry Experiments 11 4 Build System 17 5 WebIDL 83 6 Graphics 85 7 Firefox for Android 87 8 Indices and tables 99 9 Localization 101 10 mach 105 11 CloudSync 113 12 TaskCluster Task-Graph Generation 119 13 Crash Manager 133 14 Telemetry 137 15 Crash Reporter 207 16 Supbrocess Module 211 17 Toolkit modules 215 18 Add-on Manager 221 19 Linting 227 20 Indices and tables 233 21 Mozilla ESLint Plugin 235 i 22 Python Packages 239 23 Managing Documentation 375 24 Indices and tables 377 Python Module Index 379 ii CHAPTER 1 SSL Error Reporting With the introduction of HPKP, it becomes useful to be able to capture data on pin violations. SSL Error Reporting is an opt-in mechanism to allow users to send data on such violations to mozilla. 1.1 Payload Format An example report: { "hostname":"example.com", "port":443, "timestamp":1413490449, "errorCode":-16384, "failedCertChain":[ ], "userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0", "version":1, "build":"20141022164419", "product":"Firefox", "channel":"default" } Where the data represents the following: “hostname” The name of the host the connection was being made to. “port” The TCP port the connection was being made to. “timestamp” The (local) time at which the report was generated. Seconds since 1 Jan 1970, UTC. “errorCode” The error code. This is the error code from certificate veri- fication. Here’s a small list of the most commonly-encountered errors: https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox In theory many of the errors from sslerr.h, secerr.h, and pkixnss.h could be encountered.
  • The Multi-Principal OS Construction of the Gazelle Web Browser

    The Multi-Principal OS Construction of the Gazelle Web Browser

    The Multi-Principal OS Construction of the Gazelle Web Browser Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter Browser as an application platform • Single stop for many computing needs – banking, shopping, office tasks, social networks, entertainment • Static document browsing rich programs – obtained from mutually distrusting origins – same-origin policy: a browser is a multi-principal platform where web sites are principals • Browser = prime target of today’s attackers Your valuables are online! • Existing browser security mentality: – valuables on local machine – protect local machine from the web Browser OS • This work’s mentality: – valuables online – must also protect web site principals from one another Browser OS Browser design requires OS thinking • Cross-principal protection is an essential function of an operating system • Fundamental flaw with existing browser designs: – OS logic is intermingled with application-specific content processing – consequences: HTML • unreliable cross-principal protection JS engine parsing • many vulnerabilities DOM same-origin rendering protection Persistent network state access browser Gazelle • An OS exclusively manages: HTML JS engine – protection across principals parsing DOM – resource allocation same-origin – resource access control rendering protection Persistent network state access • Our approach for designing Gazelle: Browser kernel – take all OS functionality out of content processing logic – put it into a small, simple browser kernel Gazelle • Build