Chrome extensions threat analysis and countermeasures
2 likes510 views
This document discusses threats posed by malicious Chrome extensions and proposes countermeasures. It begins by noting that extensions have been used to increase attacks in other browsers. While Chrome has security models like least privilege and isolation, experiments showed extensions can still enable attacks like email spamming, DDoS, and phishing. The document analyzes Chrome's permission and trust models, finding content scripts have too much privilege. It concludes by proposing a strengthened permission model following least privilege more strictly to improve security against malware extensions.
![UndifferenIated
Permissions
Extension
(HTML/Javascript)
Render
Content
Script
(java
script)
Isolated
World
Process
boundary
JS
Cookies
Localstorage
Web
server
DOM
permissions”:
[“hOp://*/
*”
]
• An
extension
may
inject
content
script
to
many
origins
– It
does
not
need
to
file
HTTP
reqs
to
all
origins
– But
only
to
a
dedicated
one,
e.g.,
a
translaIon
web
service
• When
an
origin
is
assigned
to
extension,
all
components
get
the
full
privileges
– Extension
core
can
file
cross-‐site
reqs
freely
– Content
script
can
arbitrarily
modify
the
DOM,
and
file
cross-‐sit
reqs
• Privilege
separaIon
is
not
fine-‐grained
enough
19
out
of
30
most
popular
extensions
have
this
type
of
over
privileges](https://image.slidesharecdn.com/chromeextensions-threatanalysisandcountermeasures-160620171039/85/Chrome-extensions-threat-analysis-and-countermeasures-17-320.jpg)
Chrome extensions threat analysis and countermeasures
- 1. Chrome Extensions: Threat Analysis and Countermeasures Lei Liu, Xinwen Zhang*, Guanhua Yan*, and Songqing Chen George Mason University Huawei R&D Center Los Alamos NaIonal Laboratory NDSS’12 * Does not represent employer’s opinion
- 2. AOacks via Extensions • Extension is the vehicle for increasing aOacks • BHO/add-‐on is the one of the techniques used by many spyware writers in IE. • Kida et al’05, CERT’05, Egele’07, Li’07, Guha’11 • Abusing of Firefox extensions has been widely recognized and studied in literature • Defcon’09, Ter-‐Louw’08, Dhawan’09, Bandhakav’10, Djeric’10, Guha’11
- 3. AOacks via Chrome Extensions • Buggy Chrome extensions have been idenIfied recently • 27 out of 100 leak data – hOp://www.adrienneporterfelt.com/blog/?p=226_ • Malicious extensions have appeared
- 4. Problem Statement • Why Chrome extension? – Chrome has built-‐in security model for browser architecture and extension • Is current Chrome extension architecture good enough? – ParIcularly with the consideraIon of malicious extensions • Easy to launch malicious extensions: – It is a difficult task to saniIze rapidly increasing extensions in Google Chrome Web Store with slow reviewing process – Users are free to download/install extensions from many (known/unknown) host servers – Strong incenIve for aOackers, e.g., • harvest sensiIve content in web pages • Modify web search content • Google takes acIons against malicious extension developers – singup fee for developers – Domain verificaIon for developers • Problem: Can we have a technical soluIon? – Or improvement of current permission model for beOer security with malware extension?
- 5. ContribuIons • We demonstrate several aOacks with malicious Chrome extensions through experimental implementaIon • We do security analysis of the permission model of Chrome extension – With the assumpIon of malicious extensions • We propose security enhanced extension permission model and enforcement mechanism – Following the principles of least privilege and separaIon of privilege in more strict way
- 6. Chrome Extension Architecture Extension (HTML/Javascript) NaIve code Process boundary Process boundary installaIon Extension gallery Render Content Script (java script) Isolated World DOM JS Cookies Localstorage Web server
- 7. Chrome Extension Security Model • Least Privilege – Pre-‐defined permission set (e.g.,. To access web sites, browser tab, bookmarks, history, …) – Each extension declares permissions required – User authorizes permissions at installaIon Ime • Privilege SeparaIon – Different permissions for different components of extension – Content script can interact with web content, not browser modules – Extension core has more privileges, but insulated from web pages • Strong isolaIon – Same origin policy • Each extension has unique origin • Accessing other origins requires cross-‐site permissions • Inject content script requires cross-‐site permissions – Process-‐level isolaIon: extension core runs in separated process from renderer and browser – Within a renderer process, content script runs in isolated world from Javascript of web page
- 8. Chrome Extension Trust Model • The main trust model of Chrome extension assumes trusted but buggy extensions • But malicious web pages • Therefore the security objecIves are mainly for restricIng web pages to access browser resources via extensions • And confine the damage propagaIon if possible
- 9. Experimental AOacks • We develop a malicious extension as a bot – from Chrome 7 to the latest – does email spamming, DDoS, and phishing aOacks easily • Through aOacking web pages – Receive commands from bot master with built-‐in update mechanism of Chrome extension • No security check for update
- 10. Email Spamming update site Browser Extension Webmail server Upload update manipulate POST download update POST
- 11. Password Sniffing
- 12. DDoS AOack
- 13. Security Analysis • Trust Model: – We assume browser kernel and pulgins are trustworthy – Sandbox mechanism provided by OS works well – NaIve code for extensions is sandboxed – Web apps are trusted • Threat model: malicious extensions – Extension core – Content scripts
- 14. Cross-‐site Forgery with Content Script Extension (HTML/Javascript) Render Content Script (java script) Isolated World DOM Process boundary JS Cookies Localstorage Web server • A content script injected into web page can arbitrary access the origin of the page • All user credenIals associated with the origin can be included in an HTTP req • Since the origin of the content script is usually not that of the web page – This is a Cross-‐site Forgery Req – The email spamming aOack leverages this • Default privileges of content script are not least
- 15. Cross-‐site Requests with Extension Core Extension (HTML/Javascript) Render Content Script (java script) Isolated World Process boundary Web server Content Script (java script) Isolated World Process boundary • Cross-‐site reqs via content scripts through extension core • The extension core can file cross-‐site HTTP reqs to mulIple origins – Cross-‐site permissions are authorized in order to inject content scripts. • Default privileges of extension core are not least • No differenIated permission of extension core and content script – Inject scripts vs. cross-‐site reqs
- 16. Cross-‐site Requests with Content Scripts Extension (HTML/Javascript) Render Content Script (java script) Isolated World Process boundary JS Cookies Localstorage Web server DOM • Without cross-‐site permission, a running content script can only make HTTP reqs to the origin of the tab page • However, since content script has full privileges of DOM, it can file unlimited cross-‐site HTTP reqs to arbitrary origin, e.g., – Insert iframe – Load img – Modify src of DOM objects – With user credenIals included in the req • Loading of new DOM objects results in cross-‐site reqs • Privilege to access DOM is not least for content script
- 17. UndifferenIated Permissions Extension (HTML/Javascript) Render Content Script (java script) Isolated World Process boundary JS Cookies Localstorage Web server DOM permissions”: [“hOp://*/ *” ] • An extension may inject content script to many origins – It does not need to file HTTP reqs to all origins – But only to a dedicated one, e.g., a translaIon web service • When an origin is assigned to extension, all components get the full privileges – Extension core can file cross-‐site reqs freely – Content script can arbitrarily modify the DOM, and file cross-‐sit reqs • Privilege separaIon is not fine-‐grained enough 19 out of 30 most popular extensions have this type of over privileges
- 18. Security Enhanced Chrome Extensions • Micro-‐privilege management • DifferenIate DOM elements with sensiIvity
- 19. Micro-‐privilege Management • More fine-‐grained permission definiIon and enforcement • Fine-‐grained permission differenIaIon for extension core and content script – Permission specs are separated from different components • Least default privileges – Content script cannot introduce new origin to DOM – no HTTP req to tab origin
- 20. Example Permission Spec • Permissions for a translaIon extension:
- 21. DifferenIaIng DOM Elements • To further reduce possible sensiIve data leakage by content script, DOM elements can be differenIated with sensiIvity levels • A web app developer can idenIfy sensiIve informaIon in a web page, e.g., – High level data: only can flow to web origin – Medium level: may flow to authorized origins – Low level (default): can flow to any origin • An extension developer can specify permissions accordingly: – E.g., HIGH for username/pw, MEDIUM for other user info
- 22. ImplementaIon • We have implemented the micro-‐privilege management and spec. • For DOM sensiIvity, we develop a helper extension (trusted): – To idenIfy and label sensiIve DOM elements – Re-‐write DOM element properIes • According to configurable dicIonary – Chrome enforces permission check based on extension manifest – Explicitly mark sensiIve info by web app developer is not pracIcal right now
- 23. EvaluaIons
- 24. EvaluaIon • We selected 30 most popular extensions from Google extension gallery – 24 of them have granted network access – 19 of them request higher privileges than necessary (hOp://*/*) • Our implementaIon easily changes their spec to reduce privileges
- 25. EvaluaIon • Our implementaIon blocks all experimental aOacks on the bot extension.
- 26. Conclusions • Demonstrated spamming, phishing, and DDoS aOacks with implemented Chrome extensions • Analyzed the permissions model that causes these problems • Proposed security enhanced permission model and enforcement for Chrome extension architecture – Micro-‐privileged permission management and spec – DifferenIate content script’s permission with DOM sensiIvity levels
- 27. Thank You! Q&A