Adam Barth, Adrienne Porter Felt, Prateek Saxena
University of California, Berkeley
{abarth, afelt, prateeks}@eecs.berkeley.edu
Aaron Boodman
Google, Inc.
aa@google.com
Presented by:
Edmund Warner
March 29, 2011
University of Central Florida

Figures and tables are taken directly from the paper.
mozilla.org for specific information on Firefox used for this presentation

Nearly one third of Firefox users run extensions




That's about 90 million users running extensions
Skype Toolbar
Twitterfox
Weatherbug
Extensions change the browsing experience



Makes changes to the user interface
Interacts arbitrarily with many websites
This creates a large attack surface!

When extensions are loaded in Firefox, many are done so with the browser's full priveleges

If an attacker were to compromise the extension, he could usurp control of it's broad priveleges and use them to install malware on the user's machine
Most extension developers are not security experts

25 extensions were chosen from the most popular of the 13 categories in Firefox:
Adblock Plus 1.0.2, Answers 2.2.48, AutoPager 0.5.0.1, Auto Shutdown (InBasic) 3.1.1B, Babel Fish 1.84,
CoolPreviews 2.7.4, Delicious Bookmarks 4.3, docked JSConsole0.1.1, DownloadHelper 4.3, Download
Statusbar 2.1.018, File and Folder Shortcuts 1.3
, Firefox Showcase 0.3.2009040901, Fission 1.3, Glue 4.2.18,
GoogleEnhancer 1.70, Image Tweak 0.18.1, Lazarus: Form Recovery 1.0.5,
Mouseless Browsing 0.5.2.1, Multiple Tab Handler 0.9.5, Quick Locale Switcher 1.6.9, Shareaholic 1.7, Status-bar
Scientific Calculator 4.5, TwitterFox 1.7.7.1, WeatherBug2.0.0.4, and Zemanta 0.5.4.
Only 3 of these require the brrowser's full priveleges
The rest are over-priveleged

The paper gives 4 methods of exploiting Firefox
 extensions:

Cross-Site Scripting
Using eval or document.write without sanitizing the input can cause a script to be able to be injected into the extension



Replacing Native APIs
Attacker can trick the extension and replace the DOM APIs with its own
Behaves just like the original, but can trick it into performing a misdeed


JavaScript Capability Leaks
If it leaks an object to a malicious web page, the attacker can gain access to other objects


Mixed Content
Can hijack and replace HTTP scripts in orrder to install malware

First, give developers a template to follow

Lessen the attack space to aim for
Second, use the new build to limit the priveleges given to these extensions

If the extension does get compromised, the attack has no more priveleges than the extension used before

Three parts:
Content Script – interacts closely with potentially malicious input, but can only send messages to the extension core
Extension Core – contains most web priveleges, but on interacts with web content through the Scripts. Also, it doesn't have host access
Native Binary – contains host priveleges, but only interacts through the extension core

The table below represents the 25 extensions surveyed. To explain the zones:

Critical: Can run arbitrary code on the user’s system (e.g., arbitrary file access)

High: Can access site-specific confidential information (e.g., cookies and password) or the Document Object Model (DOM) of all web pages

Medium: Can access private user data (e.g., recent history) or the DOM of specific web pages

Low: Can annoy the user

None: No security privileges (e.g., a string) or privileges limited to the extension itself

Only 3 extensions showed critical-level behavior, which are all download managers. None of these, however, require arbitrary file access.
The above demonstrates just how much privelege can be abused.

In order to combat this potential abuse, limitations are built into the extension manifest



For instance, a Gmail checker extension needs access to google.com subdomains and the tabs API
Instead of allowing it to make the requests at run-time with full priveleges, build it into the manifest
“permissions”:
“tabs”
“http:// * .google.com/”
“https:// * .google.com/”
Now it can only access what we allow it to access.

The system also uses three components to isolate its parts from web content, and from each other

We run the extension core in a unique origin designated by a public key

We run the extensions core and native binaries in their own processes

Content scripts run in a separate content heap than untrusted web content

We assign an “origin” via public key to the extension's URL. For example:
 chrome-extension://askhjsbasydblsdlfhfb/
This reduces the attack surface and simplifies extension signing
Also, it makes updating extensions easier

Same priveleges, same key – simple replacement

However, the process starts from scratch if the internal components are asking for more priveleges

Each component runs in a different process

Extension Core and Native Binaries are in different
 processes
Content Scripts run in the same process associated with the web page
Protection is two-fold


Protects the core from browser errors because
JavaScript objects cannot leak between processes
Protects against low-level exploits like buffer overflows

Each content script runs the DOM with its “own” JavaScript objects
Therefore, content scripts and web pages never exchange pointers
Now, if a DOM method is called, both objects will be updated, but if a website called a non-standard method, it does not carry.

Separating extensions could add overhead when you need to access multiple components
Sending a signal from content script to the extension core and back observed a round-trip latency of 0.8 ms on average
With the isolated worlds mechanism, they observed a round-trip latency of 309 ms as opposed to 239 ms without

Firefox has 5,594 extensions


25 only samples 0.45% of the population
Popular doesn't always mean best developed
No definitive talk on how secure their solution is
• Might be a misnomer because the solution presented mainly just reduces the consequences for exploits
• An attacker can still build the priveleges into his own extension or compromise and “update” an existing one
– Add under “permissions”:
“http://www.attacker.com/”
“downloads”

Google Chrome Add-on for Firefox: Chromifox
Google Chrome Browser
Extension design now has a template to follow

Give a “format” to the Public Key if the extension updates require more priveleges.
Test it further.

Compare security between formatted and unformatted extensions