Verified Security for Browser Extensions
DESCRIPTION
Verified Security for Browser Extensions. Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy. Brown University, University of Wisconsin Madison, Microsoft Research. Transcript of the slide deck.
TRANSCRIPT
1
Verified Security for Browser Extensions
Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy
Brown University, University of Wisconsin Madison, Microsoft Research
2
3
1. 1/3rd of Firefox users run extensions (~34 million users)
2. Popular Chrome extensions have thousands of users
Curated Extension Gallery
4
EXTENSION SECURITY
5
mailto:[email protected]
https://mail.google.com/mail/?view=cm&tf=1&[email protected]&cc=&su=&body=&fs=1
Change mailto: links
Change links to evil.com?
6
Google Dictionary
Service
Sends selected word to Google
evil.com
Send my email to evil.com?
7
Access Control in Chrome
"permissions": [ "tabs", "http://www.twitter.com/*", "http://api.bit.ly/" ]
1. Sensitive APIs (e.g., "tabs")
2. Extension runs on these URLs
Barth et al. Protecting Browsers from Extension Vulnerabilities. NDSS 2010.
8
Policy analysis: Accessible URLs (1,137 extension policies)
Access to all data on all websites
Access to all data on one website
2 to 86 websites
9
30% (of 1,137) have access to your data on all websites
10
Policy analysis: Access to history (1,137 extension policies)
Full History Access (why?)
11
"permissions": [ "http://???" ]
"permissions": [ "http://*/*" ]
The desired, least-privilege security policy is inexpressible:
Rewrite mailto: links on all sites
Send the selected word to Google from any website
12
Access to all websites
Full History Access
Access to all websites
Access to all data on all websites
13
IBEX: Rethinking Browser Extension Security
1. Cross-platform extension model
2. Expressive policies with formal semantics
3. Secure-by-construction extensions
4. Empirical evaluation: 17 varied extensions proved secure
14
Extension in Fine
Type-safe high-level language
15
Developers
• Write extension and policy in Fine
• Use tools to ensure extension conforms to policy
Gallery
• Uses tools to ensure extension conforms to policy
• Uses visualizer to help understand policy
Users
• Trust curated extension gallery
• Install approved extensions
Components: Extension in Fine, Extension policy, Fine Verifier & Compiler, Policy Visualizer, C3, Secure Browser API
Fine: ML/F# dialect with a type system for program verification
16
Components: Extension in Fine, Extension policy, Fine Verifier & Compiler, C3, Secure Browser API
EXAMPLE: ONLY READ TEXT IN <HEAD>
17
DOM API (native DOM elements, abstract to Fine; implemented in the browser):
type elt
val getInnerText : elt -> string
val getTagName : elt -> string
18
Secure DOM API:
type elt
val getInnerText : { e:elt | CanRead e } -> string
val getTagName : e:elt -> { s:string | EltTagName e s }
Precondition: DOM permission (CanRead e)
Postcondition: DOM predicate (EltTagName e s)
ONLY READ TEXT IN <HEAD>
19
Secure DOM API:
type elt
val getInnerText : { e:elt | CanRead e } -> string
val getTagName : e:elt -> { s:string | EltTagName e s }
Policy:
∀(e:elt). EltTagName e "head" ⇒ CanRead e
20
Secure DOM API:
type elt
val getInnerText : { e:elt | CanRead e } -> string
val getTagName : e:elt -> { s:string | EltTagName e s }
Policy:
∀(e:elt). EltTagName e "head" ⇒ CanRead e
Code:
let read e = if getTagName e = "head" then getInnerText e else "not <head>"
Fine checks pre- and post-conditions statically: in the then-branch, the postcondition of getTagName gives EltTagName e "head", and the policy turns that into CanRead e, so the call to getInnerText type-checks.
1. No manual code audit (only policy audit)
2. No security exceptions (robust) and no runtime overhead (fast)
21
Library of Predicates and Permissions
Predicates                          | Permissions
DOM:
DocDomain doc string                | CanReadSelection doc
EltDoc elt doc                      | CanAppend elt
EltTagName elt string               | CanEdit elt
EltTextValue elt string             | CanReadValue elt
EltAttr elt string string           | CanWriteValue elt
EltParent elt elt                   | CanReadAttr elt string
                                    | CanWriteAttr elt string string
Network requests:
UrlScheme url string                | CanRequest string
UrlHost url string                  |
UrlPath url string                  |
UrlQuery url list<string * string>  |
Event handlers, selected text, etc.: various other predicates and permissions
22
WHAT DOES “SECURE” MEAN?
1. Formal Model
2. Policy Visualization
23
FORMAL MODEL
1. Formal model of core browser + reference monitor
• Key element: interaction of extension with JavaScript on page
2. Theorem: well-typed programs do not signal reference monitor errors
• Reference monitor not needed
• Relies on type soundness of Fine
3. Assumption: tag names and attribute names are public metadata
4. Analysis of security property
• Strength: robust safety in the presence of JavaScript side effects
• Weakness: admits collusion between malicious JavaScript on a page and the extension
24
EXAMPLE: SECURE FACEBOOK EXTENSION
25
Question: What is the security policy?
Bookmarks my friends’ Websites
26
Can Read Websites
Can Read Names
Principle of Least Authority
(and ability to bookmark—elided)
27
Policy: Can read <a> tags
Can read <a> tags ⇒ can read links to likes, dislikes, groups, posts, friends, …
28
Policy: Can read <td class="data"> tags
29
Policy: can read <td class="data"> tags, if adjacent to <th class="label">Website:</th>
∀(data:elt), (label:elt). EltSibling data label && EltAttr label "class" "label" && EltAttr data "class" "data" && EltTextValue label "Website:" ⇒ CanRead data
30
∀(e:elt). CanReadAttr e "class"
∀(label:elt), (labelText:elt). EltParent labelText label && EltAttr label "class" "label" ⇒ CanReadValue labelText
∀(data:elt), (label:elt), (labelText:elt), (website:elt), (parent:elt). EltParent data parent && EltParent label parent && EltParent website data && EltParent labelText label && EltAttr label "class" "label" && EltTextValue labelText "Website:" ⇒ CanReadAttr website "href"
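The two policies above (the <head> policy from slide 19 and the "Website:" policy from slide 29), as an added example that is not from the paper or the Fine/IBEX tools. Fine discharges the CanRead precondition at compile time; here the same predicates and policies run as a call-time monitor over a constructed DOM so the effect of each policy is visible. The Elt class, the page contents and the function names are assumptions of this example.

```python
class Elt:
    def __init__(self, tag, attrs=None, text="", parent=None):
        self.tag, self.attrs, self.text, self.parent, self.children = tag, attrs or {}, text, parent, []
        if parent is not None:
            parent.children.append(self)

# Predicates from the slide's library, as plain boolean functions.
def elt_tag_name(e, s): return e.tag == s
def elt_attr(e, k, v): return e.attrs.get(k) == v
def elt_text_value(e, s): return e.text == s
def elt_sibling(a, b): return a is not b and a.parent is not None and a.parent is b.parent

# Slide 19 policy: forall (e:elt). EltTagName e "head" => CanRead e
def head_policy(e):
    return elt_tag_name(e, "head")

# Slide 29 policy: forall (data:elt), (label:elt). EltSibling data label &&
# EltAttr label "class" "label" && EltAttr data "class" "data" &&
# EltTextValue label "Website:" => CanRead data
def website_policy(data):
    return elt_attr(data, "class", "data") and data.parent is not None and any(
        elt_sibling(data, label) and elt_attr(label, "class", "label")
        and elt_text_value(label, "Website:") for label in data.parent.children)

# Secure DOM API: getInnerText has precondition CanRead e. Fine discharges it
# at compile time; this monitor checks it at call time so denials are visible.
def get_inner_text(e, can_read):
    if not can_read(e):
        raise PermissionError(f"CanRead denied for <{e.tag}>")
    return e.text

def readable_texts(root, can_read):
    """Texts the policy lets an extension read, in document order."""
    out, stack = [], [root]
    while stack:
        e = stack.pop()
        if can_read(e):
            out.append(get_inner_text(e, can_read))
        stack.extend(reversed(e.children))
    return out

def sample_page():
    """Constructed page (not a real site): a <head>, a body and a profile table."""
    html = Elt("html")
    Elt("head", text="Profile page", parent=html)
    table = Elt("table", parent=Elt("body", text="other content", parent=html))
    for label, value in (("Website:", "http://example.com"), ("Phone:", "+1 555 0100")):
        row = Elt("tr", parent=table)
        Elt("th", {"class": "label"}, label, row)
        Elt("td", {"class": "data"}, value, row)
    return html
```

Under the <head> policy only the head text is readable; under the "Website:" policy only the one data cell next to the matching label is, and the phone cell stays out of reach.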
POLICY VISUALIZATION
Can we help extension reviewers read this?
Interpret policies as selectors (e.g., XPath, jQuery, or CSS)
31
32
Curator still needs to read the policy
33
EMPIRICAL EVALUATION
34
Extension name | Limited extension behavior
Gmail checker Rewrites “mailto:” links to open Gmail compose page
Dictionary lookup Queries online dictionary with selection; displays definition in a popup
PrintNewYorker Rewrites internal links to go directly to print view
Bookmarking Sends selection to delicious.com
Google Reader client Sends RSS feed links to Google Reader
Facebook miner Sends friends’ Web addresses to delicious.com
JavaScript toolbox Edits selected text
Password manager Stores and retrieves passwords on each page
Magnify under mouse Modifies the CSS on the page
Short URL expander Sends URLs to longurlplease.com
Typography Modifies <input> elements
Precise, fine-grained policies
35
Experimental Results
Name | Verification time (sec) | Fine LOC | JS LOC
DOM + Network authorization:
PrintNewYorker | 6.2 | 45 |
Dictionary lookup | 6.6 | 70 |
Facebook + Delicious | 10.7 | 142 |
Password manager | 5.7 | 52 |
Magnifier | 6.0 | 23 |
Bookmarking | 5.8 | 19 | 6,202
Gmail checker | 6.5 | 43 | 7,647
Google Reader client | 6.5 | 47 | 1,055
JavaScript toolbox | 6.3 | 19 | 1,878
Short URL expander | 5.2 | 22 | 494
Typography | 6.2 | 44 | 18,458
DOM + history + storage + dataflow authorization (next presentation):
Twitter Miner | 6.4 | 36 |
Bing Miner | 6.8 | 35 |
Netflix Miner | 7.7 | 110 |
Glue Miner | 9.5 | 101 |
36
Available online: http://research.microsoft.com/fstar
37
Extra slides
38
<html>...<div id="phone">+1 (401) 484-8019</div>...<input type="password" value="redbull64" />...</html>
Policy: ∀(e:elt). EltAttr e "id" "phone" ⇒ CanRead e
Verified Fine code:
let e = getElementById "phone"
let phoneNumber = getTextValue e
JavaScript on the page:
var phone = document.getElementById("phone");
var pass = document.getElementsByTagName("input")[0];
phone.innerText = pass.value;
Verified Fine code (after the page's JavaScript ran):
let password = getTextValue e
1. Monotonic policies; no dynamic revocation
2. Authorization policies, not information flow
39
Extension code + Policy → FINE Type-checker & Compiler (+ Z3) → DCIL Binary → DCIL Verifier → C3 / JavaScript extension
40
Remove friend?!
Curator still needs to read the policy
41
Can we secure existing extensions?
42
Chrome Extension Model
Web Page ↔ Content script (DOM interactions, sandboxed)
Content script ↔ Extension core (JavaScript) (message passing)
Extension core ↔ Web Server (HTTP)
Verified: rewrite in Fine