An Analysis of the Mozilla Jetpack Extension Framework

Uploaded 12 Nov 2013

Rezwana Karim, Mohan Dhawan, Vinod Ganapathy
Computer Science, Rutgers University

Chung-chieh Shan
Indiana University

6/1/2012
ECOOP'12

Browser Extensions

- Enhance browser functionality
- Customize the browser to meet user needs
- Have unrestricted access to privileged resources

Problems in legacy extensions

(figure: a malicious site, www.evil.com, attacking a legacy extension)

- Insecure programming practice leads to exploitable vulnerabilities
- [Barth et al., NDSS '10] [Bhandhakavi et al., Usenix Security '10]

Jetpack

- Mozilla's new extension development technology
- Extension structured as a collection of modules
- Recommends:
  - Principle of Least Authority (POLA)
  - Privilege separation
  - Upfront permission specification
- Goal: limit the ill effects of vulnerable extensions


Structure of Weather extension in Jetpack

(figure: sensitive resources are reached only through the core modules File and Network; the extension module Main calls those core modules)

Modularity does not guarantee security

(figure: the same File, Network and Main modules)

Analysis of Jetpack framework

- Goal: verifying conformance to security principles in Jetpack modules
- Focus on adherence to POLA and privilege separation
- Beacon: capability flow analysis tool
  - 36 programming bugs in real-world extensions
  - 10 instances of POLA violation
  - Results acknowledged by Mozilla


Module Interaction

Main:

    var file = require("file");
    file.readFile("zipCodeFile");
    . . .

File:

    var fileSystemPtr = accessToFileSystem();
    exports.readFile = function readFile(fileName) {
        // read the content of fileName
        . . .
        // return the content
        . . .
    };


Capabilities

- Privilege to access sensitive resources
  - Bookmarks, cookies, file, password, network, etc.
- Ways to acquire: directly from the platform, or from another module's exports

File:

    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;

Main:

    var fileSystemPtr = require("File").fileSystemPtr;

Capability leaks

- Inadvertent leaks of pointers to privileged resources
  - Direct references to privileged resources
  - Functions returning references to privileged resources

File:

    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;      // leak: direct reference
    exports.getFileSystem = function() {
        return fileSystemPtr;                   // leak: function returning the reference
    };

Detecting capability leaks

(figure: File, Network and Main modules with the capability flow between them)

Capability flow analysis

- Static analysis of JavaScript modules
- Information flow
  - Taint: capability
  - Source: privileged resource access
  - Sink: exports interface
- Call graph based
- Context- and flow-insensitive
  - Static Single Assignment (SSA) representation gives a degree of flow-sensitivity

Capability flow in object hierarchy

(figure: object graph with root a, children x and y, and y's children p and z)

    var a = {
        x : object,
        y : {
            p : fileSystemPtr,
            z : object
        }
    }


Implementation of Beacon

(figure: pipeline) Call graph generator -> SSA analyzer -> Inference engine -> Capability analysis report. Inputs: SSA format, imported module summaries, rules for JS to Datalog translation, taint inference rules, initial facts, points-to rules, heap allocation.

- 2.8k lines of Java, Datalog
- Tools used: WALA, DES

Capability flow in object hierarchy

(figure: object graph with root a, children x and y, and y's children p and z)

    var a = {
        x : object,
        y : {
            p : fileSystemPtr,
            z : object
        }
    }

Points-to facts:

    ptsTo(v_a, h_a)   ptsTo(v_x, h_x)   ptsTo(v_y, h_y)   ptsTo(v_p, h_p)   ptsTo(v_z, h_z)
    store(v_y, p, v_p)
    heapPtsTo(h_a, x, h_x)   heapPtsTo(h_a, y, h_y)   heapPtsTo(h_y, p, h_p)   heapPtsTo(h_y, z, h_z)

Taint facts:

    isTainted(h_p, file)   isTainted(h_y, file)   isTainted(h_a, file)

[Gatekeeper, Guarnieri et al., Usenix Security '09]

Evaluation goals

- Evaluate the Jetpack architecture for adherence to two principles
  - Privilege separation
  - Principle of least authority (POLA)
- Identify modules that
  - Leak capabilities
  - Violate privilege separation
  - Are overprivileged, i.e. violate POLA

Evaluation

- Over 600 Jetpack modules
  - 77 core modules
  - Modules from 359 Jetpack extensions
  - 68k lines of JavaScript code
- Performance
  - On average, a couple of minutes, 200 MB
  - tab-browser.js (~25 KB): 30 mins and 243 MB

Capability leak

- 36 leaks in over 600 modules
  - 12 in 4 core modules
  - 24 in extension modules

Core module   | Capability                                    | Leak mechanism          | Essential
tabs/utils    | Active tab, browser window and tab container  | Function return         | yes
window-utils  | Browser window                                | Function return         | yes
xhr           | Reference to the XMLHttpRequest object        | Property of this object | no
xpcom         | Entire XPCOM utility module                   | Exported property       | no

Capability leaks: extension module

- 24 leaks in 359 extensions

Extension              | Capability                                              | Count
Bookmarks Deiconizer   | Sensitive resource service module                       | 1
Browser Sign In        | Window, document                                        | 2
Customizable Shortcut  | Preference, DOM, window                                 | 3
Firefox Share          | Preference, window, database, observer, stream, network | 10
Most Recent Tab        | Preference, window                                      | 2
Open Web Apps          | Preference, window, database, observer                  | 4
Recall Monkey          | IOService, favIcon                                      | 2

None of the leaks are required for functionality.

Accuracy: Capability leak

- No false positives
- May miss some leaks
  - Dynamic features: iterator, generator
  - Unsupported JS constructs: for..each, yield, case statement over a variable
  - Unmodeled JS constructs: eval, with
- Latent bugs

Violation of privilege separation

- 26 modules in 19 extensions

Accuracy: Capability usage

- 53 extensions directly use sensitive resources
- Beacon detects 46 out of 53
  - The 7 missed uses are in event-handling code

Violation of POLA

- Beacon generates 18 warnings, 7 of them false positives

Core module            | Privilege          | Severity
file                   | Directory service  | Moderate
hidden-frame           | Timer              | None
tab-browser            | Errors             | None
content/content-proxy  | Chrome             | Critical
content/loader         | File               | Moderate
content/worker         | Chrome             | Critical
keyboard/utils         | Chrome             | Critical
clipboard              | Errors             | None
widget                 | Chrome             | Critical
windows                | XPCOM, apiUtils    | Critical

The violation instances have been fixed by Mozilla.

Related Work

- Information flow analysis of extensions
  - SABRE [Dhawan et al., ACSAC '09]
  - VEX [Bhandhakavi et al., Usenix Security '10]
- Static analysis of JavaScript
  - Gatekeeper [Guarnieri et al., Usenix Security '09]
  - ENCAP [Taly et al., Oakland '11]
- Study of Chrome extension architecture
  - Chrome extension analysis [Yan et al., NDSS '12]

Summary

- Beacon, a system for capability flow analysis of JavaScript modules
- Analyzed the Jetpack extension development framework
  - 36 capability leaks in more than 600 modules
  - 10 overprivileged core modules
  - Results acknowledged by Mozilla
- Applicable to node.js and Harmony modules

Thank you

Questions

Sensitive resources usage

Capability Usage

- Top 10 XPCOM interfaces (chart)

Suggestion

- Dynamic enforcement of manifest
  - Prevent access to unrequested sensitive resources
- Deep freezing of the exports object
  - Prevent leaks through event handlers
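Both suggestions in working form, as an added example that is not Jetpack SDK code: a require() that enforces a per-module manifest at run time, and a deepFreeze() applied to an exports object so that a later event handler cannot attach a capability to it. The manifest format, the module registry, makeRequire, deepFreeze, loadMain and mainRequests are assumptions of this example, and fileSystemPtr again stands in for a privileged resource.

```javascript
// Added example illustrating the two suggestions above; it is not Jetpack SDK code.
// The manifest format, the module registry, makeRequire and deepFreeze are
// assumptions of this example, and fileSystemPtr stands in for a privileged resource.
const fileSystemPtr = { read(name) { return `<contents of ${name}>`; } };

// Stand-in for the module loader's registry of core modules.
const registry = {
  file: () => ({ readFile: (name) => fileSystemPtr.read(name) }),
  network: () => ({ fetch: (url) => `<response from ${url}>` }),
  chrome: () => ({ privileged: fileSystemPtr }),
};

// Deep-freeze an exports object (second suggestion): once frozen, neither the
// module's own event handlers nor a consumer can attach a capability to it later.
function deepFreeze(obj, seen = new WeakSet()) {
  const freezable = obj !== null && (typeof obj === "object" || typeof obj === "function");
  if (!freezable || seen.has(obj)) return obj;
  seen.add(obj);
  for (const key of Reflect.ownKeys(obj)) deepFreeze(obj[key], seen);
  return Object.freeze(obj);
}

// Dynamic manifest enforcement (first suggestion): each module gets a require()
// that resolves only the modules its manifest entry requested up front.
function makeRequire(manifest, moduleName) {
  const allowed = new Set(manifest[moduleName] || []);
  return function require(name) {
    if (!allowed.has(name)) throw new Error(`${moduleName}: manifest does not grant "${name}"`);
    if (!(name in registry)) throw new Error(`unknown module "${name}"`);
    return deepFreeze(registry[name]());
  };
}

// Constructed manifest: main declared file and network, nothing else.
const manifest = { main: ["file", "network"] };

function mainRequests(name) {
  try { makeRequire(manifest, "main")(name); return "granted"; }
  catch (e) { return e.message; }
}

// Load a main module whose exports are deep-frozen, then simulate an event handler
// that fires later and tries to stash a capability on the exports object.
// Reflect.set reports the failure (false) instead of silently ignoring it.
function loadMain() {
  const require = makeRequire(manifest, "main");
  const file = require("file");
  const exports = deepFreeze({ zip: () => file.readFile("zipCodeFile") });
  const attached = Reflect.set(exports, "fs", fileSystemPtr);
  return { exports, attached };
}
```

Reflect.set is used instead of plain assignment because assignment to a frozen object fails silently in sloppy mode and throws only in strict mode; the boolean makes the refusal observable either way.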

Template

Entity            | Type     | Capability
fileSystemPtr     | Object   | File
getFileSystemPtr  | Function | File

Proof of concept example: Customize-shortcut

    const {Cc, Ci} = require("chrome");
    let Preferences = {
        branches: {},
        ...
        getBranch: function (name) {
            // obtains a preference branch through the chrome capability
            let branch = Cc["@mozilla.org/preferences-service;1"]
                           .getService(Ci.nsIPrefService).getBranch(name);
            return this.branches[name] = branch;   // returns the privileged branch to the caller
        }, ...
    };
    exports.Preferences = Preferences;   // leak: exported function returns a preference capability

Modular approach

- Break down the extension into modules
- JavaScript modules
  - Implement a certain functionality
  - Self-contained
  - Isolated; communicate via module interfaces
- Limit the effect of a vulnerability

Capability Usage

- Top 10 core modules (chart)

Datalog relations: points-to analysis

JavaScript statement processing

Inference Rules

Pre-processing (cont'd)

- Desugar JS constructs
  - Destructuring assignment, let, const, lambda function
- Code simplification

Code:

    var {Cc, Ci} = require("chrome");

Desugared code:

    var Cc = require("chrome").Cc;
    var Ci = require("chrome").Ci;

Code:

    let branch = Cc["@mozilla.org/preferences-service;1"]
                   .getService(Ci.nsIPrefService)
                   .getBranch(name);

Simplified code:

    let branch = MozPrefService().getBranch(name);


Capability flow analysis using Datalog

Statement       | Example code  | Generated facts
OBJECT LITERAL  | a = { }       | ptsTo(v_a, h_a)
STORE           | v1.f = v2     | store(v1, f, v2)

Basic Rules

    heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)

Taint Propagation

    isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)

[Gatekeeper, Guarnieri et al., Usenix Security '09]
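The capability flow analysis described earlier (taint = capability, source = privileged resource access, sink = exports interface), the JS-to-Datalog translation table and the two rules above, run end to end as an added example. This is not Beacon's implementation (which is Java and Datalog on WALA/DES) but a minimal naive-evaluation Datalog engine in JavaScript, applied to the object hierarchy from the earlier slides with one extra statement, exports.a = a, so that the exports sink is reachable. Variable and heap names (v_a, h_a, ...) follow the slides; the Datalog class, translate(), analyzeSlideModule(), the h_exports object and the leak rule are assumptions of this example.

```javascript
// Added example, not Beacon's implementation: a minimal naive-evaluation Datalog
// engine that runs the two rules from the slide plus one assumed sink rule over
//   var a = { x: object, y: { p: fileSystemPtr, z: object } };  exports.a = a;
// Variable and heap names follow the slides; translate(), the exports.a store,
// the h_exports object and the leak rule are assumptions of this example.
const isVar = (term) => /^[A-Z]/.test(term);   // uppercase terms are Datalog variables

class Datalog {
  constructor() { this.facts = new Map(); this.rules = []; }

  // Add a ground fact; returns true if it was not already known.
  fact(rel, ...args) {
    if (!this.facts.has(rel)) this.facts.set(rel, new Map());
    const key = JSON.stringify(args);
    if (this.facts.get(rel).has(key)) return false;
    this.facts.get(rel).set(key, args);
    return true;
  }

  tuples(rel) { return [...(this.facts.get(rel) || new Map()).values()]; }

  rule(head, ...body) { this.rules.push({ head, body }); }

  // Match body atoms left to right against stored tuples, extending the bindings.
  *match(atoms, env) {
    if (atoms.length === 0) { yield env; return; }
    const [[rel, ...pattern], ...rest] = atoms;
    for (const tuple of this.tuples(rel)) {
      const next = { ...env };
      let ok = true;
      for (let i = 0; i < pattern.length && ok; i++) {
        const term = pattern[i];
        if (isVar(term)) {
          if (term in next && next[term] !== tuple[i]) ok = false;
          else next[term] = tuple[i];
        } else if (term !== tuple[i]) ok = false;
      }
      if (ok) yield* this.match(rest, next);
    }
  }

  // Naive bottom-up evaluation: re-run every rule until no new fact appears.
  solve() {
    let changed = true;
    while (changed) {
      changed = false;
      for (const { head, body } of this.rules) {
        const [rel, ...terms] = head;
        for (const env of this.match(body, {})) {
          if (this.fact(rel, ...terms.map((t) => (isVar(t) ? env[t] : t)))) changed = true;
        }
      }
    }
    return this;
  }
}

// JS-to-Datalog translation for the two statement kinds in the table above:
//   OBJECT LITERAL  a = { }     ->  ptsTo(v_a, h_a)
//   STORE           v1.f = v2   ->  store(v1, f, v2)
// The nested literal is assumed to be pre-processed into these simple statements.
function translate(db, stmt) {
  if (stmt.kind === "objlit") db.fact("ptsTo", "v_" + stmt.target, "h_" + stmt.target);
  else if (stmt.kind === "store") db.fact("store", "v_" + stmt.base, stmt.field, "v_" + stmt.value);
  else throw new Error(`unsupported statement kind ${stmt.kind}`);
}

function analyzeSlideModule() {
  const db = new Datalog();
  // Initial facts: h_p, the privileged object fileSystemPtr (v_p) points to, is the
  // taint source; h_exports is the module's exports object, the sink.
  db.fact("ptsTo", "v_p", "h_p");
  db.fact("isTainted", "h_p", "file");
  db.fact("ptsTo", "v_exports", "h_exports");
  const statements = [   // constructed, pre-processed form of the slide's module
    { kind: "objlit", target: "a" }, { kind: "objlit", target: "x" },
    { kind: "objlit", target: "y" }, { kind: "objlit", target: "z" },
    { kind: "store", base: "a", field: "x", value: "x" },
    { kind: "store", base: "a", field: "y", value: "y" },
    { kind: "store", base: "y", field: "p", value: "p" },
    { kind: "store", base: "y", field: "z", value: "z" },
    { kind: "store", base: "exports", field: "a", value: "a" },
  ];
  for (const stmt of statements) translate(db, stmt);
  // Basic rule and taint propagation, exactly as on the slide.
  db.rule(["heapPtsTo", "H1", "F", "H2"],
          ["store", "V1", "F", "V2"], ["ptsTo", "V1", "H1"], ["ptsTo", "V2", "H2"]);
  db.rule(["isTainted", "H1", "P"], ["heapPtsTo", "H1", "F", "H2"], ["isTainted", "H2", "P"]);
  // Sink rule (assumed): a tainted object reachable from exports is a capability leak.
  db.rule(["leak", "F", "P"], ["heapPtsTo", "h_exports", "F", "H"], ["isTainted", "H", "P"]);
  db.solve();
  return {
    tainted: db.tuples("isTainted").map(([h]) => h).sort(),
    leaks: db.tuples("leak").map(([field, cap]) => `exports.${field} leaks ${cap}`),
  };
}
```

Taint reaches h_y through heapPtsTo(h_y, p, h_p), h_a through heapPtsTo(h_a, y, h_y) and finally h_exports through the exports.a store, while h_x and h_z stay clean; the single leak reported is the exported property a. Because the analysis is flow- and context-insensitive, the same conclusion would be drawn regardless of the order of the stores, which is the over-approximation the slides accept in exchange for no false negatives on this pattern.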

JavaScript statement processing

Statement            | Example code                     | Generated facts
OBJECT CONSTRUCTION  | v = new v0(v1, v2, ..., vn)      | ptsTo(v, h_fresh); prototypeOf(h_fresh, d) :- ptsTo(v0, h_method), heapPtsTo(h_method, prototype, d); for z in 1...n generate actual(i, z, v_z); callRet(i, v)
FUNCTION CALL        | v = v0(v_this, v1, v2, ..., vn)  | ptsTo(v, h_fresh); for z in 1...n, this generate actual(i, z, v_z); callRet(i, v)