Slide 1: Verified Security for Browser Extensions
Arjun Guha, Matthew Fredrikson, Ben Livshits, and Nikhil Swamy
Brown University; University of Wisconsin Madison; Microsoft Research

Slide 3: Curated Extension Gallery
1. One third of Firefox users run extensions (~34 million users)
2. Popular Chrome extensions have thousands of users

Slide 4: EXTENSION SECURITY

Slide 5: Example threat: a "Gmail checker" extension rewrites mailto: links
mailto:joe@cs.brown.edu becomes
https://mail.google.com/mail/?view=cm&tf=1&to=joe@cs.brown.edu&cc=&su=&body=&fs=1
Could it instead change links to evil.com?

Slide 6: Example threat: a Google Dictionary Service extension could send the selection to evil.com

Slide 7: Access Control in Chrome
1. Sensitive APIs
2. Extension runs on these URLs

    "permissions": [
      "tabs",
      "http://www.twitter.com/*",
      "http://api.bit.ly/"
    ]

Barth et al. Protecting Browsers from Extension Vulnerabilities. NDSS 2010.

Slide 8: Policy analysis: Accessible URLs (chart, 1,137 extension policies)
Categories: access to all data on all websites; access to all data on one website; 2 to 86 websites

Slide 9: 30% (of 1,137) have access to your data on all websites

Slide 10: Policy analysis: Access to history (chart, 1,137 extension policies)
Full history access: why?

Slide 11: The desired, least-privilege security policy is inexpressible
Rewrite mailto: links on all sites:

    "permissions": [ "http://???" ]   must become   "permissions": [ "http://*/*" ]

Sends selected word to Google from any website:

    "permissions": [ "http://???" ]   must become   "permissions": [ "http://*/*" ]

Slide 12: (chart) Full history access; access to all websites; access to all data on all websites

Slide 13: IBEX: Rethinking Browser Extension Security
1. Cross-platform extension model
2. Expressive policies with formal semantics
3. Secure-by-construction extensions
4. Empirical evaluation: 17 varied extensions proved secure

Slide 14: Extension written in Fine, a type-safe high-level language, together with an extension policy

Slide 15: Workflow (components: Extension in Fine; Extension policy; Policy Visualizer; Fine Verifier & Compiler; Secure Browser API; C3)
Fine is an ML/F# dialect with a type system for program verification.
Developers
• Write extension and policy in Fine
• Use tools to ensure extension conforms to policy
Gallery
• Uses tools to ensure extension conforms to policy
• Uses visualizer to help understand policy
Users
• Trust curated extension gallery
• Install approved extensions

Slide 16: EXAMPLE: ONLY READ TEXT IN <head>
(same components: Extension policy; Extension in Fine; Fine Verifier & Compiler; Secure Browser API; C3)

Slide 17: DOM API
Native DOM elements are abstract to Fine; the API is implemented in the browser.

    type elt
    val getInnerText : elt -> string
    val getTagName : elt -> string

Slide 18: Secure DOM API
Precondition = DOM permission; postcondition = DOM predicate.

    type elt
    val getInnerText : { e:elt | CanRead e } -> string
    val getTagName : e:elt -> { s:string | EltTagName e s }

Slide 19: Policy for "only read text in <head>", alongside the Secure DOM API above

    forall (e:elt). EltTagName e "head" => CanRead e

Slide 20: Code against the policy; Fine checks pre- and post-conditions statically

    let read e =
      if getTagName e = "head" then
        getInnerText e
      else "not <head>"

1. No manual code audit (only a policy audit)
2. No security exceptions (robust) and no runtime overhead (fast)

Slide 21: Library of Predicates and Permissions
Predicates (DOM):
    DocDomain doc string
    EltDoc elt doc
    EltTagName elt string
    EltTextValue elt string
    EltAttr elt string string
    EltParent elt elt
Predicates (network requests):
    UrlScheme url string
    UrlHost url string
    UrlPath url string
    UrlQuery url list<string * string>
Permissions:
    CanReadSelection doc
    CanAppend elt
    CanEdit elt
    CanReadValue elt
    CanWriteValue elt
    CanReadAttr elt string
    CanWriteAttr elt string string
    CanRequest string
Plus various other predicates and permissions for event handlers, selected text, etc.

Slide 22: WHAT DOES "SECURE" MEAN?
1. Formal Model
2. Policy Visualization

Slide 23: FORMAL MODEL
1. Formal model of core browser + reference monitor
• Key element: interaction of extension with JavaScript on page
2. Theorem: well-typed programs do not signal reference monitor errors
• Reference monitor not needed
• Relies on type soundness of Fine
3. Assumption: tag names and attribute names are public metadata
4. Analysis of security property
• Strength: robust safety in the presence of JavaScript side effects
• Weakness: admits collusion between malicious JavaScript on a page and the extension

Slide 24: EXAMPLE: FACEBOOK EXTENSION

Slide 25: Question: What is the security policy? The extension bookmarks my friends' websites.

Slide 26: Can read names; can read websites (and the ability to bookmark, elided here). Principle of Least Authority.

Slide 27: Policy: can read <a> tags
Too broad: can read links to likes, dislikes, groups, posts, friends, ...

Slide 28: Policy: can read <td class="data"> tags

Slide 29: Policy: can read <td class="data"> tags, if adjacent to <th class="label">Website:</th>

    forall (data:elt), (label:elt).
      EltSibling data label
      && EltAttr label "class" "label"
      && EltAttr data "class" "data"
      && EltTextValue label "Website:"
      => CanRead data

Slides 29-30: the rules the extension also needs, and POLICY VISUALIZATION

    forall (e:elt). CanReadAttr e "class"

    forall (label:elt), (labelText:elt).
      EltParent labelText label
      && EltAttr label "class" "label"
      => CanReadValue labelText

    forall (data:elt), (label:elt), (labelText:elt), (website:elt), (parent:elt).
      EltParent data parent
      && EltParent label parent
      && EltParent website data
      && EltParent labelText label
      && EltAttr label "class" "label"
      && EltTextValue labelText "Website:"
      => CanReadAttr website "href"

Can we help extension reviewers read this? Interpret policies as selectors (e.g., XPath, jQuery, or CSS).

Slide 31: (visualization image)

Slide 32: Curator still needs to read the policy

Slide 33: EMPIRICAL EVALUATION

Slide 34: Extensions and their behavior
(The slide annotates row groups as "Limited" and "Precise, fine-grained policies".)

    Extension Name         Extension Behavior
    Gmail checker          Rewrites "mailto:" links to open Gmail compose page
    Dictionary lookup      Queries online dictionary with selection; displays definition in a popup
    PrintNewYorker         Rewrites internal links to go directly to print view
    Bookmarking            Sends selection to delicious.com
    Google Reader client   Sends RSS feed links to Google Reader
    Facebook miner         Sends friends' Web addresses to delicious.com
    JavaScript toolbox     Edits selected text
    Password manager       Stores and retrieves passwords on each page
    Magnify under mouse    Modifies the CSS on the page
    Short URL expander     Sends URLs to longurlplease.com
    Typography             Modifies <input> elements

Slide 35: Experimental Results
(JS LOC is given only for extensions that had an existing JavaScript implementation. The slide annotates row groups as "DOM + Network authorization", "authorization", and "DOM + history + storage + dataflow (next presentation)".)

    Name                   Verification Time (sec)   Fine LOC   JS LOC
    PrintNewYorker         6.2                       45
    Dictionary lookup      6.6                       70
    Facebook + Delicious   10.7                      142
    Password manager       5.7                       52
    Magnifier              6.0                       23
    Bookmarking            5.8                       19         6,202
    Gmail checker          6.5                       43         7,647
    Google Reader client   6.5                       47         1,055
    JavaScript toolbox     6.3                       19         1,878
    Short URL expander     5.2                       22         494
    Typography             6.2                       44         18,458
    Twitter Miner          6.4                       36
    Bing Miner             6.8                       35
    Netflix Miner          7.7                       110
    Glue Miner             9.5                       101

Slide 36: (the workflow diagram of slide 15, repeated)
Available online: http://research.microsoft.com/fstar

Slide 37: Extra slides

Slide 38: Policy: can read the element with id "phone"

    forall (e:elt). EltAttr e "id" "phone" => CanRead e

Page markup:

    <html>
      ...
      <div id="phone">+1 (401) 484-8019</div>
      ...
      <input type="password" value="redbull64" />
      ...
    </html>

Verified Fine code:

    let e = getElementById "phone"
    let phoneNumber = getTextValue e

JavaScript on the page:

    var phone = document.getElementById("phone");
    var pass = document.getElementsByTagName("input")[0];
    phone.innerText = pass.value

Verified Fine code, after the page script has run:

    let password = getTextValue e

1. Monotonic policies; no dynamic revocation
2. Authorization policies, not information flow

Slide 39: Toolchain
Policy + extension code -> FINE type-checker & compiler (with Z3) -> DCIL -> DCIL verifier -> DCIL binary -> C3 -> JavaScript extension

Slide 40: Curator still needs to read the policy

Slide 41: Can we secure existing extensions?

Slide 42: Chrome Extension Model
Web page <-> (DOM interactions) <-> content script, verified by rewriting it in Fine <-> (message passing) <-> extension core (JavaScript, sandboxed) <-> (HTTP) <-> web server
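As an added worked example (not code from the IBEX slides or the IBEX project), a small Python model of the deck's DOM predicates and of the "adjacent to <th class="label">Website:</th>" policy from slide 29, with the Secure DOM API precondition on getInnerText enforced at runtime instead of being discharged statically by Fine's type checker; the Elt class, the function names and the constructed profile markup are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Elt:  # minimal DOM node; IBEX keeps elt abstract, implemented by the browser
    tag: str
    attrs: dict = field(default_factory=dict)
    text: str = ""
    children: list = field(default_factory=list)
    parent: "Elt | None" = None

    def append(self, child: "Elt") -> "Elt":
        child.parent = self
        self.children.append(child)
        return child
# Predicates from the "Library of Predicates and Permissions" slide as plain functions.
def elt_attr(e: Elt, key: str, value: str) -> bool:
    return e.attrs.get(key) == value
def elt_text_value(e: Elt, text: str) -> bool:
    return e.text == text
def elt_sibling(a: Elt, b: Elt) -> bool:
    return a.parent is not None and a.parent is b.parent and a is not b
def website_policy(data: Elt) -> bool:
    # Slide 29 rule: CanRead data when it is <td class="data"> beside <th class="label">Website:</th>
    siblings = data.parent.children if data.parent else []
    return elt_attr(data, "class", "data") and any(
        elt_sibling(data, label) and elt_attr(label, "class", "label")
        and elt_text_value(label, "Website:") for label in siblings)
def get_inner_text(e: Elt, can_read) -> str:
    # Secure DOM API precondition { e:elt | CanRead e }, enforced at runtime here.
    if not can_read(e):
        raise PermissionError(f"policy denies reading <{e.tag}>")
    return e.text
def build_profile() -> Elt:
    # Constructed sample markup for this example, not real Facebook HTML.
    table = Elt("table")
    for label, value in (("Website:", "http://example.org"), ("Phone:", "+1 555 0100")):
        row = table.append(Elt("tr"))
        row.append(Elt("th", {"class": "label"}, label))
        row.append(Elt("td", {"class": "data"}, value))
    return table
def readable_cells(table: Elt, can_read=website_policy) -> list:
    out = []  # cell texts the policy permits; denied reads raise and are skipped
    for cell in (c for row in table.children for c in row.children):
        try:
            out.append(get_inner_text(cell, can_read))
        except PermissionError:
            pass
    return out
```

Only the website cell is readable; the phone cell and the label cells are denied, which is the least-authority outcome slides 26 to 29 argue for over the broader "can read <td class="data">" rule.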