An Analysis of the Mozilla Jetpack Extension Framework
Rezwana Karim, Mohan Dhawan, Vinod Ganapathy (Computer Science, Rutgers University)
Chung-chieh Shan (Indiana University)
ECOOP ’12, 6/1/2012
Browser Extensions
• Enhance browser functionality
• Customize to meet user need
• Unrestricted access to privileged resources
Rezwana Karim 2
Problems in legacy extensions
Figure: www.evil.com
• Insecure programming practice
• Exploitable vulnerability
[Barth et al., NDSS’10] [Bhandhakavi et al., Usenix Security’10]
Jetpack
• Mozilla’s new extension development technology
• Extension structured as a collection of modules
• Recommends
  – Principle of Least Authority (POLA)
  – Privilege separation
• Upfront permission specification
• Goal: limit ill effects of vulnerable extensions
Structure of Weather extension in Jetpack
Figure: sensitive resources; core modules File and Network; extension module Main
Modularity does not guarantee security
Figure: the same File, Network and Main modules
Analysis of Jetpack framework
• Goal: verifying conformance to security principles in Jetpack modules
  – Focus on adherence to POLA and privilege separation
• Beacon: capability flow analysis tool
  – 36 programming bugs in real-world extensions
  – 10 instances of POLA violation
  – Results acknowledged by Mozilla
Module Interaction
Main:
  var file = require("file");
  file.readFile("zipCodeFile");
  . . .
File:
  var fileSystemPtr = accessToFileSystem();
  exports.readFile = function readFile(fileName) {
    // read the content of fileName
    . . .
    // return the content
    . . .
  };
Capabilities
• Privilege to access sensitive resources
• Bookmark, cookies, file, password, network etc.
• Ways to acquire
File:
  var fileSystemPtr = accessToFileSystem();
  exports.fileSystemPtr = fileSystemPtr;
Main:
  var fileSystemPtr = require("File").fileSystemPtr;
Capability leaks
• Inadvertent leaks of pointers to privileged resources
  – Direct references to privileged resources
  – Functions returning references to privileged resources
File:
  var fileSystemPtr = accessToFileSystem();
  exports.fileSystemPtr = fileSystemPtr;
  exports.getFileSystem = function() { return fileSystemPtr; };
Detecting capability leaks
Figure: File and Network core modules, Main extension module
Capability flow analysis
• Static analysis of JavaScript modules
• Information flow
  – Taint: capability
  – Source: privileged resource access
  – Sink: exports interface
• Call graph based
• Context and flow insensitive
  – Static Single Assignment (SSA) representation gives a degree of flow-sensitivity
Capability flow in object hierarchy
var a = { x : object, y : { p : fileSystemPtr, z : object } }
Figure: object tree; a has children x and y, y has children p and z
Implementation of Beacon
Figure: Beacon pipeline
  – Call graph generator
  – SSA analyzer (SSA format)
  – Inference engine, fed by: initial facts, heap allocation, points-to rules, taint inference rules, rules for JS to Datalog translation, imported module summaries
  – Output: capability analysis report
• 2.8k lines of Java, Datalog
• Tools used: WALA, DES
Capability flow in object hierarchy
var a = { x : object, y : { p : fileSystemPtr, z : object } }
Figure: object tree; a has children x and y, y has children p and z
Points-to facts:
  ptsTo(va, ha)
  ptsTo(vx, hx)
  ptsTo(vy, hy)
  ptsTo(vp, hp)
  ptsTo(vz, hz)
  store(vy, p, vp)
  heapPtsTo(ha, x, hx)
  heapPtsTo(ha, y, hy)
  heapPtsTo(hy, p, hp)
  heapPtsTo(hy, z, hz)
Taint facts:
  isTainted(hp, file)
  isTainted(hy, file)
  isTainted(ha, file)
[Gatekeeper, Guarnieri et al., Usenix Security’09]
Evaluation goals
• Evaluate Jetpack architecture, adherence to two principles
  – Privilege separation
  – Principle of least authority (POLA)
• Identify modules that
  – Leak capabilities
  – Violate privilege separation
  – Are overprivileged; violate POLA
Evaluation
• Over 600 Jetpack modules
  – 77 core modules
  – Modules from 359 Jetpack extensions
  – 68k lines of JavaScript code
• Performance
  – On average, a couple of minutes, 200 MB
  – tab-browser.js (~25 KB): 30 mins and 243 MB
Capability leak
• 36 leaks in over 600 modules
  – 12 in 4 core modules
  – 24 in extension modules
Core module | Capability | Leak mechanism | Essential
tabs/utils | Active tab, browser window and tab container | Function return | yes
window-utils | Browser window | Function return | yes
xhr | Reference to the XMLHttpRequest object | Property of this object | no
xpcom | Entire XPCOM utility module | Exported property | no
Capability leaks: extension module
• 24 leaks in 359 extensions
Extension | Capability | Count
Bookmarks Deiconizer | Sensitive resource service module | 1
Browser Sign In | Window, document | 2
Customizable Shortcut | Preference, DOM, window | 3
Firefox Share | Preference, window, database, observer, database, stream, network | 10
Most Recent Tab | Preference, window | 2
Open Web Apps | Preference, window, database, observer | 4
Recall Monkey | IOService, favIcon | 2
None of the leaks are required for functionality
Accuracy: Capability leak
• No false positives
• May miss some leaks
  – Dynamic features: iterator, generator
  – Unsupported JS constructs: for..each, yield, case statement over a variable
  – Unmodeled JS constructs: eval, with
  – Latent bugs
Violation of privilege separation
• 26 modules in 19 extensions
Accuracy: Capability usage
• 53 extensions directly use sensitive resources
• Beacon detects 46 out of 53
• The 7 missed are in event-handling code
Violation of POLA
• Beacon generates 18 warnings, 7 false positives
Core module | Privilege | Severity
file | Directory service | Moderate
hidden-frame | Timer | None
tab-browser | Errors | None
content/content-proxy | Chrome | Critical
content/loader | File | Moderate
content/worker | Chrome | Critical
keyboard/utils | Chrome | Critical
clipboard | Errors | None
widget | Chrome | Critical
windows | XPCOM, apiUtils | Critical
Violation instances are fixed by Mozilla
Related Work
• Information flow analysis of extensions
  – SABRE [Dhawan et al., ACSAC’09]
  – VEX [Bhandhakavi et al., Usenix Security’10]
• Static analysis of JavaScript
  – Gatekeeper [Guarnieri et al., Usenix Security’09]
  – ENCAP [Taly et al., Oakland’11]
• Study of Chrome extension architecture
  – Chrome extension analysis [Yan et al., NDSS’12]
Summary
• Beacon, a system for capability flow analysis of JavaScript modules
• Analyze Jetpack extension development framework
  – 36 capability leaks in more than 600 modules
  – 10 overprivileged core modules
  – Results acknowledged by Mozilla
• Applicable to node.js, Harmony modules
Thank you
Questions
Sensitive resources usage
Figure: sensitive resource usage
Capability Usage
• Top 10 XPCOM interfaces (figure)
Suggestion
• Dynamic enforcement of manifest
  – Prevent access to unrequested sensitive resources
• Deep freezing of exports object
  – Prevent leaks through event handlers
Template
Entity | Type | Capability
fileSystemPtr | Object | File
getFileSystemPtr | Function | File
Proof of concept example: Customize-shortcut
const {Cc, Ci} = require("chrome");
let Preferences = {
  branches: {},
  ...
  getBranch: function (name) {
    let branch = Cc["@mozilla.org/preferences-service;1"]
      .getService(Ci.nsIPrefService).getBranch(name);
    …
    return this.branches[name] = branch;
  }, ...
};
exports.Preferences = Preferences;
Modular approach
• Break down extension into modules
• JavaScript modules
  – Implement a certain functionality
  – Self-contained
  – Isolated; communicate via module interfaces
• Limit vulnerability effect
Capability Usage
• Top 10 core modules (figure)
Datalog relations: points-to analysis (figure)
JavaScript statement processing (figure)
Inference Rules (figure)
Pre-processing (cont’d)
• Desugar JS constructs
  – Destructuring assignment, let, const, lambda function
• Code simplification
Code | Desugared code
var {Cc,Ci} = require("chrome"); | var Cc = require("chrome").Cc; var Ci = require("chrome").Ci;
Code | Simplified code
let branch = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).getBranch(name); | let branch = MozPrefService().getBranch(name);
Capability flow analysis using Datalog
Statement | Example code | Generated facts
OBJECT LITERAL | a = { } | ptsTo(va, ha)
STORE | v1.f = v2 | store(v1, f, v2)
Basic rules
heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
Taint propagation
isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
[Gatekeeper, Guarnieri et al., Usenix Security’09]
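The two rules on this slide, run as a small fixpoint evaluator over the object hierarchy from the "Capability flow in object hierarchy" slide. This is an added example, not Beacon's Java/Datalog implementation. The facts are constructed by hand to mirror that slide; the sink assignment `exports.api = a`, the untainted object `w`, and the names `vexports`/`hexports`/`vw`/`hw`/`vq`/`hq` are assumptions. `ptsTo` is supplied as input rather than derived, since the points-to rules themselves are not on this slide.

```javascript
'use strict';

// Constructed facts (not Beacon output) for the module:
//   var a = { x : object, y : { p : fileSystemPtr, z : object } };
//   exports.api = a;            // sink: the module's interface (assumed)
//   var w = { q : object };     // unrelated object, must stay clean (assumed)
// vN is a variable and hN the heap object it points to, as on the slides.
const FACTS = {
  ptsTo: [
    ['va', 'ha'], ['vx', 'hx'], ['vy', 'hy'], ['vp', 'hp'], ['vz', 'hz'],
    ['vexports', 'hexports'], ['vw', 'hw'], ['vq', 'hq'],
  ],
  store: [
    ['va', 'x', 'vx'], ['va', 'y', 'vy'], ['vy', 'p', 'vp'], ['vy', 'z', 'vz'],
    ['vexports', 'api', 'va'], ['vw', 'q', 'vq'],
  ],
  // Source: fileSystemPtr is a "file" capability, so its heap object is tainted.
  isTainted: [['hp', 'file']],
};

const key = (...parts) => parts.join('|');

// Evaluate the two Datalog rules to a fixpoint. Returns the derived
// heapPtsTo ("h1|f|h2") and isTainted ("h|capability") relations as Sets.
function analyzeCapabilityFlow(facts) {
  const ptsTo = new Map(); // variable -> list of heap objects
  for (const [v, h] of facts.ptsTo) ptsTo.set(v, [...(ptsTo.get(v) || []), h]);

  // heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
  // ptsTo is an input here, so one pass over store suffices.
  const heapPtsTo = new Set();
  for (const [v1, f, v2] of facts.store) {
    for (const h1 of ptsTo.get(v1) || []) {
      for (const h2 of ptsTo.get(v2) || []) heapPtsTo.add(key(h1, f, h2));
    }
  }

  // isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
  // Recursive rule: iterate until no new fact appears. Taint climbs from the
  // leaf holding the capability to every object that transitively contains it.
  const tainted = new Set(facts.isTainted.map(([h, p]) => key(h, p)));
  let changed = true;
  while (changed) {
    changed = false;
    for (const edge of heapPtsTo) {
      const [h1, , h2] = edge.split('|');
      for (const t of [...tainted]) {
        const [h, p] = t.split('|');
        if (h === h2 && !tainted.has(key(h1, p))) {
          tainted.add(key(h1, p));
          changed = true;
        }
      }
    }
  }
  return { heapPtsTo, tainted };
}

// Sink check: every capability that reaches the heap object behind the
// exports variable is reported as a leak. Returns the sorted capability names.
function findLeaks(facts, exportsVar) {
  const { tainted } = analyzeCapabilityFlow(facts);
  const exportHeaps = new Set(
    facts.ptsTo.filter(([v]) => v === exportsVar).map(([, h]) => h),
  );
  const leaked = new Set();
  for (const t of tainted) {
    const [h, p] = t.split('|');
    if (exportHeaps.has(h)) leaked.add(p);
  }
  return [...leaked].sort();
}

console.log('tainted heap objects:', [...analyzeCapabilityFlow(FACTS).tainted].sort());
console.log('capabilities leaked via exports:', findLeaks(FACTS, 'vexports'));
```

Only hp, hy, ha and hexports end up tainted; hx, hz and the unrelated hw/hq stay clean, which is the precision the object-hierarchy slide illustrates. Beacon's flow-insensitive analysis derives ptsTo from the program with further rules (object literal, store, call) and adds summaries for imported modules; this evaluator keeps only the two rules shown.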
JavaScript statement processing
Statement | Example code | Generated facts
OBJECT CONSTRUCTION | v = new v0(v1, v2, ..., vn) | ptsTo(v, hfresh); prototypeOf(hfresh, d) :- ptsTo(v0, hmethod), heapPtsTo(hmethod, prototype, d); for z ∈ 1...n, generate actual(i, z, vz); callRet(i, v)
FUNCTION CALL | v = v0(vthis, v1, v2, ..., vn) | ptsTo(v, hfresh); for z ∈ 1...n, this, generate actual(i, z, vz); callRet(i, v)