TECHNIQUES AND TOOLS FOR SECURE WEB BROWSER EXTENSION DEVELOPMENT BY REZWANA KARIM A dissertation submitted to the Graduate School—New Brunswick Rutgers, The State University of New Jersey in partial fulfillment of the requirements for the degree of Doctor of Philosophy Graduate Program in Computer Science Written under the direction of Vinod Ganapathy and approved by New Brunswick, New Jersey October, 2015 c 2015 REZWANA KARIM ALL RIGHTS RESERVED ABSTRACT OF THE DISSERTATION TECHNIQUES AND TOOLS FOR SECURE WEB BROWSER EXTENSION DEVELOPMENT by REZWANA KARIM Dissertation Director: Vinod Ganapathy Many modern application platforms support an extensible architecture that allows the appli- cation core to be extended with functionality developed by third-parties. This bootstraps a developer community that works together to enhance and customize the basic functionality of those platforms. To ease development of such extensions, these platforms expose an API that third-parties can use to implement their functionality. For instance, Web applications make use of the browser’s Document Object Model (DOM) API, smart phone applications use the mobile platform’s SDK and browser extensions use the extension API. These APIs usually endow extension developers with privileges to access various system resources. However, to isolate the platform from any new security threats caused by these untrusted extensions, the API must ideally restrict extensions’ authority. Thus, an important challenge is to simplify ex- tension programming for the third-party developers while ensuring that these extensions do not compromise the security of the application core. This dissertation seeks to address the above issues in the context of Web browser extensions. It presents algorithms and tools to facilitate secure Web browser extension development. In particular, it makes the following two contributions. ii First, it studies and characterizes the security of a modern Web browser extension architec- ture, the Mozilla Jetpack framework — proposes solutions to improve the security of the archi- tecture and extensions developed on top of it. It presents Beacon, which leverages JavaScript- level information flow technique to detect unsafe programming practices in browser extensions. Upon analyzing 68000 lines of JavaScript code from modern extension framework and real world extensions, Beacon found 36 instances of potentially unsafe programming practices. Second, it addresses the problem of porting unsafe legacy extensions to modern, privilege- separated extension architectures. It presents Morpheus, which applies program analysis and software engineering techniques that refactor legacy vulnerable extensions for use with modern extension frameworks, the Jetpack framework in particular. Morpheus also enables fine-grained control over extensions via a runtime policy enforcement engine. Morpheus has been applied to successfully port 52 legacy Mozilla extensions to the Jetpack framework. iii Acknowledgements First and foremost, I would like to thank my graduate advisor, Professor Vinod Ganapathy, for his constant support, guidance and motivation. His insights and feedbacks have been instru- mental in shaping several ideas of my thesis. Without his patience and persistence this thesis would not have been a reality. At a critical juncture of my personal life, he has been com- passionate and flexible, which has allowed me to attempt a work-life balance during the final year of my PhD. I am also thankful to Professor Liviu Iftode, Professor Ulrich Kremer, Profes- sor Santosh Nagarakatte, and Professor Long Lu (Stony Brook University) for their invaluable suggestions on improving my dissertation. I have benefited greatly from my interaction with them. I have had the honor of working closely with Dr. Nishant Sinha (IBM Research) and Pro- fessor Chung-chieh Shan (Indiana University). Collaboration with them has greatly influenced my thought process as a researcher. Their passion and dedication towards work has inspired me to work harder. I have also had the privilege to spend a Summer at Mozilla and work with Dr. David Herman and the Mozilla Jetpack team whose insights and discussions were crucial to my research on browser extensions. I would also like to thank Dr. Randy Smith (Sandia National Labs) for his contribution to my research on network security. I feel fortunate to have shared my time at Rutgers with several excellent colleagues. I would like to express my gratitude to my peers, Mohan Dhawan and Liu Yang, for contributing their expertise in my research. Working with them in multiple research problems has been a rewarding experience. I am grateful to many other members at Disco-Lab, Rutgers University, especially Shakeel Butt, Amruta Gokhale, Nader Boushehrinejadmoradi, Lu Han, Daeyoung Kim, Hai Nguyen, Ruilin Liu, and Daehan Kwak for their valuable discussions and feedback on my research projects and presentations. Coming to the USA on my own and living far away from my family, for the first time, was iv not easy. I am indebted to my friends at Rutgers for their emotional and logistical supports over the years. They have hardly let me feel that I am in a foreign country and have helped me to sail through this long difficult journey. Especially Amruta Gokhale, Anwesha Chaudhury, Shreyasee Mukherjee, Priya Govindan, Chathra Hendahewa, and Rummana Rahman – I feel blessed to have them through thick and thin in my graduate life. Friends from my undergraduate university and school friends, living in various parts of the world, have been distant sources of support and inspiration. I would also like to thank the Bangladeshi families who have extended their helping hand when needed. Special thanks to my friend Sayema and her parents for making me feel at home whenever I visited them in New York. My deep gratitude to all the people from various stages of academic life who have taught me academic materials and programming. I am also thankful to those who have helped me in developing driving and culinary skills. Surviving alone in the USA would have been extremely difficult otherwise. My biggest source of strength and inspiration is my family. My parents, Md. Rezaul Karim and Ruby Akter Begum, have always taken a keen interest on my academic progress, and put my academic need ahead of their own comfort and happiness. Without their unconditional support, I would not have been able to reach this level. Words are not enough to express my gratitude to my mother. She has always allowed me to follow my dreams and truly been a protective shield. She has never stopped believing in me and reinforced my confidence, even when I would occasionally be plagued with self-doubt. I owe all my achievements to her. My brother, Md. Tahsin Karim Nabil, though much younger than me, has been extremely helpful in taking care of my parents and giving them much needed support while I immersed myself into work. My grandparents, uncles, aunts, cousins and even distant relatives have always taken pride in my academic achievements and their affection has been truly invigorating. Their excitement on my PhD accomplishments is particularly heartwarming. I thank my youngest uncle for instilling the practice of being self-challenging since childhood. I am also thankful to my husband, Istiaque Ahmed, for his patience and support while I was working on my dissertation. Finally, I would like to thank the Almighty for the successful completion of my PhD. v Dedication To my mother, Ruby Akter Begum, for everything. vi Table of Contents Abstract ::::::::::::::::::::::::::::::::::::::::::: ii Acknowledgements :::::::::::::::::::::::::::::::::::: iv Dedication ::::::::::::::::::::::::::::::::::::::::: vi List of Tables :::::::::::::::::::::::::::::::::::::::: x List of Figures ::::::::::::::::::::::::::::::::::::::: xi 1. Introduction :::::::::::::::::::::::::::::::::::::: 1 1.1. Extensibility of the Web Browser.........................1 1.2. Browser Extension Security............................2 1.3. Two Models of Extension Development.....................3 1.4. Motivation.....................................6 1.5. Simplifying Secure Extension Development...................8 1.6. Summary of Contributions............................9 1.7. Contributors to the Dissertation.......................... 10 2. Background :::::::::::::::::::::::::::::::::::::: 12 2.1. Core Web Browser Technologies......................... 12 2.2. Browser Specific Technologies.......................... 13 2.3. Web Application Security............................. 14 2.4. Web Browser Extension.............................. 14 2.4.1. Legacy Extension Architecture...................... 16 2.4.2. Modern Extension Frameworks..................... 17 3. An Analysis of the Mozilla Jetpack Extension Framework ::::::::::::: 22 vii 3.1. Problem...................................... 22 3.2. Background and Motivation........................... 24 3.3. Static Analysis of Jetpack Modules and Extensions............... 28 3.3.1. Stages of the Analysis.......................... 30 3.3.2. Capability Flow: A Concrete Example.................. 34 3.4. Implementation.................................. 37 3.5. Results....................................... 38 3.5.1. Capability Leaks............................. 38 3.5.2. Capability Use.............................. 43 3.5.3. Over-privileged Modules......................... 47 3.6. Summary..................................... 48 4. Porting Legacy Mozilla Extensions to the Jetpack Framework :::::::::: 50 4.1. Problem.....................................