DOCSLIB.ORG

An Evaluation of the Google Chrome Extension Security Architecture

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Evaluation of the Google Chrome Extension Security Architecture An Evaluation of the Google Chrome Extension Security Architecture Nicholas Carlini, Adrienne Porter Felt, and David Wagner University of California, Berkeley [email protected], [email protected], [email protected] Abstract developers need to build extensions that are robust to at- tacks originating from malicious websites and the net- Vulnerabilities in browser extensions put users at risk by work. Extensions can read and manipulate content from providing a way for website and network attackers to websites, make unfettered network requests, and access gain access to users’ private data and credentials. Exten- browser userdata like bookmarks and geolocation. In the sions can also introduce vulnerabilities into the websites hands of a web or network attacker, these privileges can that they modify. In 2009, Google Chrome introduced be abused to collect users’ private information and au- a new extension platform with several features intended thentication credentials. to prevent and mitigate extension vulnerabilities: strong Google Chrome employs three mechanisms to prevent isolation between websites and extensions, privilege sep- and mitigate extension vulnerabilities: aration within an extension, and an extension permission system. We performed a security review of 100 Chrome extensions and found 70 vulnerabilities across 40 exten- • Privilege separation. Chrome extensions adhere to sions. Given these vulnerabilities, we evaluate how well a privilege-separated architecture [23]. Extensions each of the security mechanisms defends against exten- are built from two types of components, which are sion vulnerabilities. We find that the mechanisms mostly isolated from each other: content scripts and core succeed at preventing direct web attacks on extensions, extensions. Content scripts interact with websites but new security mechanisms are needed to protect users and execute with no privileges. Core extensions do from network attacks on extensions, website metadata at- not directly interact with websites and execute with tacks on extensions, and vulnerabilities that extensions the extension’s full privileges. add to websites. We propose and evaluate additional de- • Isolated worlds. Content scripts can read and mod- fenses, and we conclude that banning HTTP scripts and ify website content, but content scripts and websites inline scripts would prevent 47 of the 50 most severe vul- have separate program heaps so that websites can- nerabilities with only modest impact on developers. not access content scripts’ functions or variables. • Permissions. Each extension comes packaged with a list of permissions, which govern access to the 1 Introduction browser APIs and web domains. If an extension has a core extension vulnerability, the attacker will only Browser extensions can introduce serious security vul- gain access to the permissions that the vulnerable nerabilities into users’ browsers or the websites that ex- extension already has. tensions interact with [20, 32]. In 2009, Google Chrome introduced a new extension platform with several secu- In this work, we provide an empirical analysis of rity mechanisms intended to prevent and mitigate ex- these security mechanisms, which together comprise a tension vulnerabilities. Safari and Mozilla Firefox have state-of-the-art least privilege system. We analyze 100 since adopted some of these mechanisms for their own Chrome extensions, including the 50 most popular ex- extension platforms. In this paper, we evaluate the se- tensions, to determine whether Chrome’s security mech- curity of the widely-deployed Google Chrome extension anisms successfully prevent or mitigate extension vulner- platform with the goal of understanding the practical suc- abilities. We find that 40 extensions contain at least one cesses and failures of its security mechanisms. type of vulnerability. Twenty-seven extensions contain Most extensions are written by well-meaning devel- core extension vulnerabilities, which give an attacker full opers who are not security experts. These non-expert control over the extension. Based on this set of vulnerabilities, we evaluate the 2 Extension Security Background effectiveness of each of the three security mechanisms. Our primary findings are: 2.1 Threat Model • The isolated worlds mechanism is highly successful In this paper, we focus on non-malicious extensions that at preventing content script vulnerabilities. are vulnerable to external attacks. Most extensions are • The success of the isolated worlds mechanism ren- written by well-meaning developers who are not secu- ders privilege separation unnecessary. However, rity experts. We do not consider malicious extensions; privilege separation would protect 62% of exten- preventing malicious extensions requires completely dif- sions if isolated worlds were to fail. In the remain- ferent tactics, such as warnings, user education, security ing 38% of extensions, developers either intention- scans of the market, and feedback and rating systems. ally or accidentally negate the benefits of privilege Benign-but-buggy extensions face two types of attacks: separation. This highlights that forcing developers to divide their software into components does not automatically achieve security on its own. • Network attackers. People who use insecure net- • Permissions significantly reduce the severity of half works (e.g., public WiFi hotspots) may encounter of the core extension vulnerabilities, which demon- network attackers [26, 21]. A network attacker’s strates that permissions are effective at mitigating goal is to obtain personal information or credentials vulnerabilities in practice. Additionally, dangerous from a target user. To achieve this goal, a network permissions do not correlate with vulnerabilities: attacker will read and alter HTTP traffic to mount developers who write vulnerable extensions use per- man-in-the-middle attacks. (Assuming that TLS missions the same way as other developers. works as intended, a network attacker cannot com- promise HTTPS traffic.) Consequently, data and Although these mechanisms reduce the rate and scope scripts loaded over HTTP may be compromised. of several classes of attacks, a large number of high- privilege vulnerabilities remain. If an extension adds an HTTP script – a JavaScript We propose and evaluate four additional defenses. Our file loaded over HTTP – to itself, a network attacker extension review demonstrates that many developers do can run arbitrary JavaScript within the extension’s not follow security best practices if they are optional, so context. If an extension adds an HTTP script to we propose four mandatory bans on unsafe coding prac- an HTTPS website, then the website will no longer tices. We quantify the security benefits and functional- benefit from the confidentiality, integrity, and au- ity costs of these restrictions on extension behavior. Our thentication guarantees of HTTPS. Similarly, insert- evaluation shows that banning inline scripts and HTTP ing HTTP data into an HTTPS website or extension scripts would prevent 67% of the overall vulnerabilities can lead to vulnerabilities if the untrusted data is al- and 94% of the most dangerous vulnerabilities at a rela- lowed to execute as code. tively low cost for most extensions. In concurrent work, Google Chrome implemented Content Security Policy • Web attackers. Users may visit websites that host (CSP) for extensions to optionally restrict their own be- malicious content (e.g., advertisements or user com- havior. Motivated in part by our study [5], future versions ments). A website can launch a cross-site script- of Chrome will use CSP to enforce some of the manda- ing attack on an extension if the extension treats the tory bans that we proposed and evaluated. website’s data or functions as trusted. The goal of a web attacker is to gain access to browser userdata Contributions. We contribute the following: (e.g., history) or violate website isolation (e.g., read • We establish the rate at which extensions contain another site’s password). different types of vulnerabilities, which should di- rect future extension security research efforts. Extensions are primarily written in JavaScript and • We perform the first large-scale study of the ef- HTML, and JavaScript provides several methods for con- fectiveness of privilege separation when developers verting strings to code, such as eval and setTimeout. who are not security experts are required to use it. If used improperly, these methods can introduce code • Although it has been assumed that permissions mit- injection vulnerabilities that compromise the extension. igate vulnerabilities [12, 14, 10], we are the first to Data can also execute if it is written to a page as evaluate the extent to which this is true in practice. HTML instead of as text, e.g., through the use of • We propose and evaluate new defenses. This study document.write or document.body.innerHTML. Ex- partially motivated Chrome’s adoption of a new tension developers need to be careful to avoid passing mandatory security mechanism. unsanitized, untrusted data to these execution sinks. Network attacker Network attacker (if website is HTTP) (if connection is HTTP) Extension Website Content Script Core Extension Servers [attacker] Browser API Figure 1: The architecture of a Google Chrome extension. 2.2 Chrome Extension Security Model • Isolated worlds. The isolated worlds mechanism is intended to protect content scripts from web attack- Many Firefox extensions have publicly suffered from ers. A content script
Load more

Recommended publications
  • Browser Security Information
    Browser Security Information Customer security is important to us. Our top priority is to protect the privacy of your personal account information and your financial transactions FirstLine Mortgages is leading the way in Internet banking services and uses several layers of robust security technology to help ensure the confidentiality of transactions across the Internet. The first security level begins with your Web browser. When you access FirstLine Mortgages Internet Site , your browser is checked to ensure that it meets our minimum requirements. Additionally, we only allow customers with browsers that use 128-bit encryption (one of the highest levels of browser security available today) to bank on our web site. But, even with this validation, there are other precautions you should follow to maximize your protection. You have a responsibility to ensure your own security. The browser validation will verify the browser type you are using, your browser encryption level, the version of Netscape or Microsoft browser, as well as Javascript and cookies being enabled. To access -FirstLine Mortgages Internet site , you need to use: • a Netscape browser version 4.06 or better with a minimum 128-bit encryption technology • a Microsoft browser version 4.01 SP2 or better with a minimum 128-bit encryption technology • Javascript (please see below for more information about how to check and enable Javascript support) • Cookies (see below) If your browser does not meet all of these requirements, you will need to upgrade your browser to access the FirstLine Internet Site . To upgrade your browser, select the Netscape or Microsoft button below and download the latest browser version.
    [Show full text]
  • Detecting Conflicts Among Declarative UI Extensions
    Detecting Conflicts Among Declarative UI Extensions Benjamin S. Lerner Dan Grossman Brown University University of Washington [email protected] [email protected] Abstract shows a “Hello world” example written in XUL, a simple overlay We examine overlays, a flexible aspect-like mechanism for third- targeting it, and its composition with the base document. Appli- cations like Firefox use this ability heavily to modularize their UI party declarative extensions of declarative UIs. Overlays can be de- fined for any markup language and permit extensions to define new definitions into many smaller documents. Mozilla applications expose the overlay mechanism to third par- content that is dynamically woven into a base UI document. While powerful, overlays are inherently non-modular and may conflict ties and thereby enable a uniquely powerful extension mechanism. Such third party extensions can enhance or modify the program’s with each other, by defining duplicate or contradictory UI compo- nents. We construct an abstract language to capture core overlay se- base functionality in arbitrary ways; overlays are used to integrate mantics, and design an automatic analysis to detect inter-extension the extension’s UI into the existing UI. Moreover, end users can conflicts. We apply the analysis to a case study of Firefox exten- freely install extensions to customize their browser however they sions, finding several real-world bugs. Our analysis provides low- wish. This expressiveness has led to the widespread popularity level feedback to extension developers and high-level reports to end of Firefox extensions—hundreds of millions of users have down- users. Finally, we show how variants of overlays more expressive loaded extensions billions of times [13].
    [Show full text]
  • But Were Afraid to Ask!)
    05_576593 ch01.qxd 10/12/04 9:55 PM Page 9 Chapter 1 All You Ever Wanted to Know about JavaScript (But Were Afraid to Ask!) In This Chapter ᮣ Understanding a working definition of JavaScript ᮣ Dispelling common JavaScript misconceptions ᮣ Getting started with JavaScript tools ᮣ Finding information online aybe you’ve surfed to a Web site that incorporates really cool features, Msuch as ߜ Images that change when you move your mouse over them ߜ Slideshow animations ߜ Input forms with pop-up messages that help you fill in fields correctly ߜ Customized messages that welcome repeat visitors By using JavaScript and the book you’re reading right now you can create all these effects and many more! The Web page in Figure 1-1 shows you an example COPYRIGHTEDof the kinds of things that you canMATERIAL look forward to creating for your own site. A lot has changed since the previous edition of JavaScript For Dummies came out. Perhaps the biggest change is the evolution of DHTML, or dynamic HTML. DHTML refers to JavaScript combined with HTML and cascading style sheets, and it’s a powerful combination you can use to create even more breathtak- ingly cool Web sites than ever before. 05_576593 ch01.qxd 10/12/04 9:55 PM Page 10 10 Part I: Building Killer Web Pages for Fun and Profit Figure 1-1: JavaScript lets you add interactive features to your Web site quickly and easily. Along with this increased power comes increased complexity, unfortunately — but that’s where this new, improved, better-tasting edition of JavaScript For Dummies comes in! Even if you’re not a crackerjack programmer, you can use the techniques and sample scripts in this book to create interactive Web pages bursting with animated effects.
    [Show full text]
  • Javascript Security
    Color profile: Generic CMYK printer profile Composite Default screen Complete Reference / JavaScript: TCR / Powell & Schneider / 225357-6 / Chapter 22 Blind Folio 679 22 JavaScript Security ownloading and running programs written by unknown parties is a dangerous proposition. A program available on the Web could work as advertised, but then Dagain it could also install spyware, a backdoor into your system, or a virus, or exhibit even worse behavior such as stealing or deleting your data. The decision to take the risk of running executable programs is typically explicit; you have to download the program and assert your desire to run it by confirming a dialog box or double-clicking the program’s icon. But most people don’t think about the fact that nearly every time they load a Web page, they’re doing something very similar: inviting code—in this case, JavaScript—written by an unknown party to execute on their computer. Since it would be phenomenally annoying to have to confirm your wish to run JavaScript each time you loaded a new Web page, the browser implements a security policy designed to reduce the risk such code poses to you. A security policy is simply a set of rules governing what scripts can do, and under what circumstances. For example, it seems reasonable to expect browsers’ security policies to prohibit JavaScript included on Web pages downloaded from the Internet from having access to the files on your computer. If they didn’t, any Web page you visited could steal or destroy all of your files! In this chapter we examine the security policies browsers enforce on JavaScript embedded in Web pages.
    [Show full text]
  • Guideline for Securing Your Web Browser P a G E | 2
    CMSGu2011-02 CERT-MU SECURITY GUIDELINE 2011 - 02 Mauritian Computer Emergency Response Team Enhancing Cyber Security in Mauritius Guideline For Securing Your Web Browser National Computer Board Mauritius JuJunene 2011 2011 Version 1.7 IssueIssue No. No. 4 2 National Computer Board © Table of Contents 1.0 Introduction .......................................................................................................................... 7 1.1 Purpose and Scope ........................................................................................................... 7 1.2 Audience........................................................................................................................... 7 1.3 Document Structure.......................................................................................................... 7 2.0 Background .......................................................................................................................... 8 3.0 Types of Web Browsers ....................................................................................................... 9 3.1 Microsoft Internet Explorer .............................................................................................. 9 3.2 Mozilla Firefox ................................................................................................................. 9 3.3 Safari ................................................................................................................................ 9 3.4 Chrome ..........................................................................................................................
    [Show full text]
  • Browser Security
    Transcript of Episode #38 Browser Security Description: Steve and Leo discuss the broad topic of web browser security. They examine the implications of running "client-side" code in the form of interpreted scripting languages such as Java, JavaScript, and VBScript, and also the native object code contained within browser "plug- ins" including Microsoft’s ActiveX. Steve outlines the "zone-based" security model used by IE and explains how he surfs with high security under IE, only "lowering his shields" to a website after he’s had the chance to look around and decide that the site is trustworthy. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-038.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-038-lq.mp3 Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 38 for May 4, 2006: Browser Security. Security Now! is brought to you by Astaro, makers of the Astaro Security Gateway, on the web at www.astaro.com. So finally the sun is shining in beautiful California. We have summer, or at least spring finally arrived. And, look, Steve Gibson’s wearing a tank top and shorts. No, he’s not. Steve Gibson: Well, it’s dry in Toronto, Leo. You were all chapped; I was all, like, chapped just after one day. Leo: I am. And, you know, they complain in Toronto that it’s too humid because they have the lake effect. But I guess it gets humid some other time because I – chapped is the word, exactly.
    [Show full text]
  • New Standards and Upcoming Technologies in Browser Security
    OWASP The OWASP Foundation AppSec Europe 2011 http://www.owasp.org New Standards and upcoming Technologies in Browser Security Tobias Gondrom Board member of OWASP London Chair of IETF Web Security WG [email protected] Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Tobias Gondrom • 12 years information security experience • 10 years application development experience • Information Security & Risk Management, Research and Advisory, Director • Author of Standards on Digital Signatures and Secure Archiving • Chair of IETF Web Security Working Group http://datatracker.ietf.org/wg/websec/charter/ Member of the IETF Security Directorate • London OWASP chapter board member (former OWASP Germany chapter lead) www.owasp.org Browser Security • History • What’s the problem • Who & Why • What’s been done • When 3 Browser Security • History • What’s the problem • Who & Why • What’s been done • When 4 History • Internet/Arpanet Protocols were designed for robustness and exchanging information and cross reference of content… …. but not with security and active content in mind • We try to fix Application Security on the Application end ever since 5 Browser Security • History • What’s the problem • Who & Why • What’s been done • When 6 What’s the problem - OWASP Top 10 What’s the problem - OWASP Top 10 What’s the problem - No Clear separation between content and executed code - Relies on trust relationships (trust on first use / trusted source) - Weak channel protection - Authentication & leakage of credentials => Today, Web Applications try to fix this on the Application level with little support of the underlying infrastructure 9 What’s the problem Client Server Inform & Influence Security Posture 10 Think Big - What if we can….
    [Show full text]
  • Browser Security Guidance: Mozilla Firefox
    GOV.UK Guidance Browser Security Guidance: Mozilla Firefox Published Contents 1. Usage scenario 2. Summary of browser security 3. How the browser can best satisfy the security recommendations 4. Network architecture 5. Deployment process 6. Recommended configuration 7. Enterprise considerations This ALPHA guidance builds on the End User Devices Platform Security Guidance and is applicable to devices running Mozilla Firefox on a supported and well configured version of Windows. This guidance was tested on 64­bit Windows 8.1 Enterprise edition running Firefox 31.1.1 ESR. 1. Usage scenario Firefox will be used to access a variety of web services including: accessing intranet services hosted on an enterprise­provided OFFICIAL network accessing enterprise cloud services sourced from the Digital Marketplace accessing other Internet services and web resources To support these scenarios, the following architectural choices are recommended: All data should be routed through a secure enterprise VPN to ensure the confidentiality and integrity of traffic intended for the enterprise intranet All Internet data should be routed through an enterprise­hosted proxy to benefit from enterprise protective monitoring and logging solutions Arbitrary third­party extension installation by users is not permitted in the browser. A list of allowed trusted apps and extensions can be configured in Group Policy 2. Summary of browser security This browser has been assessed against each of the 12 security recommendations, and that assessment is shown in the table below. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. Rows marked [!] represent a more significant risk.
    [Show full text]
  • Security Analysis of Browser Extension Concepts
    Saarland University Faculty of Natural Sciences and Technology I Department of Computer Science Bachelor's thesis Security Analysis of Browser Extension Concepts A comparison of Internet Explorer 9, Safari 5, Firefox 8, and Chrome 14 submitted by Karsten Knuth submitted January 14, 2012 Supervisor Prof. Dr. Michael Backes Advisors Raphael Reischuk Sebastian Gerling Reviewers Prof. Dr. Michael Backes Dr. Matteo Maffei Statement in Lieu of an Oath I hereby confirm that I have written this thesis on my own and that I have not used any other media or materials than the ones referred to in this thesis. Saarbr¨ucken, January 14, 2012 Karsten Knuth Declaration of Consent I agree to make both versions of my thesis (with a passing grade) accessible to the public by having them added to the library of the Computer Science Department. Saarbr¨ucken, January 14, 2012 Karsten Knuth Acknowledgments First of all, I thank Professor Dr. Michael Backes for giving me the chance to write my bachelor's thesis at the Information Security & Cryptography chair. During the making of this thesis I have gotten a deeper look in a topic which I hope to be given the chance to follow up in my upcoming academic career. Furthermore, I thank my advisors Raphael Reischuk, Sebastian Gerling, and Philipp von Styp-Rekowsky for supporting me with words and deeds during the making of this thesis. In particular, I thank the first two for bearing with me since the release of my topic. My thanks also go to Lara Schneider and Michael Zeidler for offering me helpful advice.
    [Show full text]
  • Browser Security Issues and Solutions
    Browser security issues and solutions HORNYÁK ZSOLT A BIZTONSÁGOS ELEKTRONIKUS KERESKEDELEM ALAPJAI (BMEVIHIM219) Outline • Why Are Browsers Attack Targets? • Security in Google Chrome • Security in Chromium • Malicious Extensions • Cookie stealing • Vulnerabilities Resulting From the Use of HTML and JavaScript • Vulnerabilities in SSL/TLS • ZIP Bombs, XML Bombs, XML eXternal Entities Why Are Browsers Attack Targets? The web browser is our window to the world. We use it every day for tasks including: • Mail • Shopping • Social Networking • Finance Management • Business The browser has access to personal information as plaintext, so it’s inevitable that it gets attacked. Security in Google Chrome Try to minimize the damage • Every sufficiently big software contains bugs • Mozilla Firefox’s source code has approximately 3.7 million lines • Let’s try to minimize the… • Severity of vulnerabilities • Window of vulnerabilities • Frequency of exposure Reducing the severity of vulnerabilities • Web content is run within a JavaScript Virtual Machine, to protect the web sites from each other • Exploit mitigation • ASLR (Address Space Layout Randomization) • Randomizing the mapping location of key system components • DEP (Data Execution Prevention) • Marking memory pages as non-executable • SafeSEH (Safe exception handlers) • Heap Corruption Detection • Stack Overrun Detection using canaries • Using an OS-level sandbox Chrome’s architecture Charles Reis, Google; Adam Barth, UC Berkeley ; Carlos Pizano, Google: Browser Security: Lessons from Google
    [Show full text]
  • X-XSS- Protection
    HTTP SECURITY HEADERS (Protection For Browsers) BIO • Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA-Security, ITILv3, … 11 years in IT – About 2 years In Security Information Security Manager @ PaySwitch Head, Network & Infrastructure @ PaySwitch Head of IT @ Financial Institution Bug bounty student by night – 1st Private Invite on Hackerone Introduction • In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers. • By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites. • I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser. • How web developers can implement these security headers to make user experience more secure A Simple Look At Web Browsing Snippet At The Request And Response Headers Browser Security Headers help: ➢ to define whether a set of security precautions should be activated or Why deactivated on the web browser. ➢ to reinforce the security of your web Browser browser to fend off attacks and to mitigate vulnerabilities. Security ➢ in fighting client side (browser) attacks such as clickjacking, Headers? injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc. Content / Context HTTP STRICT X-FRAME-OPTIONS EXPECT-CT TRANSPORT SECURITY (HSTS) CONTENT-SECURITY- X-XSS-PROTECTION X-CONTENT-TYPE- POLICY OPTIONS HTTP Strict Transport Security (HSTS)
    [Show full text]
  • Evaluating Effectiveness of Mobile Browser Security Warnings
    ISSN: 2229-6948(ONLINE) ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, SEPTEMBER 2016, VOLUME: 07, ISSUE: 03 DOI: 10.21917/ijct.2016.0203 EVALUATING EFFECTIVENESS OF MOBILE BROWSER SECURITY WARNINGS Ronak Shah1 and Kailas Patil2 1,2Department of Computer Engineering, Vishwakarma Institute of Information Technology, India E-mail: [email protected], [email protected] Abstract utmost goal of this paper is to investigate whether modern mobile This work precisely evaluates whether browser security warnings are browser security warnings protect users in practice. as ineffective as proposed by popular sentiments and past writings. This According to previous study, more than 50% users click research used different kinds of Android mobile browsers as well as through SSL warnings and simply ignore security measures [1]. desktop browsers to evaluate security warnings. Security experts and There are many reasons why user ignores security warnings, SSL developers should give emphasis on making a user aware of security warnings and should not neglect aim of communicating this to users. warnings and other security related warnings. Lot of work has Security experts and system architects should emphasis the goal of done on desktop browsers but still there is no effective work has communicating security information to end users. In most of the been done in case of mobile browsers. browsers, security warnings are not emphasized, and browsers simply Unfortunately, most of the mobile browsers did not show any do not show warnings, or there are a number of ways to hide those security warnings while assessing through site which has a weak warnings of malicious sites. This work precisely finds that how encryption key, a site with an invalid certificate, a site with inconsistent browsers really are in prompting security warnings.
    [Show full text]