extension breakdown
play

Extension Breakdown: Security Analysis of Browsers Extension - PowerPoint PPT Presentation

Dec 06, 2023 •323 likes •722 views

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti Extensions Browser extensions are the most popular technique currently available to extend the

  1. Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti

  2. Extensions Browser extensions are the most popular technique currently available to extend the functionalities of modern web browsers. Extensions exist for most browser families , including major web browsers such as Firefox, Chrome, Safari, Opera and Edge. They can be easily installed by users from a central repository .

  3. Extensions An extension is a bundle of resources , including code (such as HTML or JS), images, style sheets... Third-party websites should never have access to them, as some contain private information, vulnerabilities, keys … Browsers need to somehow control the access to extensions files. This task is tricky and error prone .

  4. Resources Control Policies Access Control Settings (Chromium+Firefox) Extensions themselves specify which resources they need to be kept private and which can be made publicly available. By default all resources are considered private. URI Randomization (Safari) There is no distinction between private or public resources, but instead the base URI of the extension is randomly re-generated in each session.

  5. Access Control Settings Browsers currently implement ACS by performing two consecutive checks to verify: (i) if a certain extension is installed (ii) if the requested resource is publicly available This is prone to a timing side-channel attack that an adversary can use to identify the actual reason behind a request denial: ● The extension is not present ● Its resources are kept private

  6. Access Control Settings X-extension://[ fakeExtID ]/[fakePath]

  7. Access Control Settings X-extension://[ realExtID ]/[fakePath]

  8. Access Control Settings X-extension://[ realExtID ]/[fakePath]

  9. Access Control Settings We compared our approach to previous techniques capable of enumerating extensions by subverting access control settings. These methods are based on checking the existence of externally accessible resources in extensions. Chrome Firefox Total # Extensions Tested 10,620 10,620 21,240 % Previous Approaches 12.73% 8,17% 10,45% % Our Approach 100.00% 100.00% 100.00%

  10. URI Randomization Extensions are often used to inject additional content, controls, or simply alert panels into a website. This newly generated content can unintentionally leak the random extension URI , thus bypassing the security control measures and opening access to all the extension resources to any other code running in the same page. It is left to the extension developers to make sure this does not happen.

  11. URI Randomization

  12. URI Randomization

  13. URI Randomization

  14. URI Randomization We propose a static analysis of all the JavaScript components of an extension.

  15. URI Randomization We propose a static analysis of all the JavaScript components of an extension. (i) Identify the source locations where the code accesses the random extension URI (looking for calls to baseURI)

  16. URI Randomization We propose a static analysis of all the JavaScript components of an extension. (i) Identify the source locations where the code accesses the random extension URI (looking for calls to baseURI) (ii) Analyze all the components that can use the retrieved value following the information flow

  17. URI Randomization We propose a static analysis of all the JavaScript components of an extension. (i) Identify the source locations where the code accesses the random extension URI (looking for calls to baseURI) (ii) Analyze all the components that can use the retrieved value following the information flow (iii) For every identified components, locate the sinks (i.e., the location where new content is injected in the page )

  18. URI Randomization

  19. URI Randomization

  20. URI Randomization

  21. URI Randomization Category # Ext. % Leak Shopping 95 57.89% Email 13 53.85% Security 84 52.38% News 20 45.00% Photos 25 44.00% Bookmarking 61 42.62% Productivity 147 40.82% RSStools 5 40.00% Entertainment 37 37.84% Translation 8 37.50% Social 80 30.00% Developer 57 29.82% Other 42 26.19% Search 42 24.43% urlshorteners 5 0.00% Total 721 40.50%

  22. URI Randomization We performed an exhaustive manual code review of security extensions to confirm the leakage. Popular protection extensions such as Adblock, ● Ghostery, Web Of Trust, and Adguard Password managers , such as LastPass, Dashline, Keeper, ● and TeedyID ● Combinations of the two, such as Blur from Abine

  23. Impact There are several possible consequences of abusing the information provided by our two techniques: Fingerprinting and Analytics : ● Stateless tracking ➔ Browser identification (checking built-in extensions) ➔ Determine users’ demographics ➔

  24. Impact There are several possible consequences of abusing the information provided by our two techniques: Fingerprinting and Analytics : ● Stateless tracking ➔ Browser identification (checking built-in extensions) ➔ Determine users’ demographics ➔ Malicious Applications ● Information gathering phase ➔ Social-driven attacks ➔ Exploitation of potential vulnerabilities ➔

  25. Impact Impact Device Fingerprinting Viability Study Method Entropy Extensions 0.869 List of Plugins 0.718 List of Fonts 0.548 User Agent 0.550 Canvas 0.475 Content Language 0.344 Screen Resolution 0.263

  26. Vulnerability Disclosure Chromium Family Developers were quite surprised, because they believed that the time difference in the checking phase were not significant enough to allow this type of attack. Developers are still working to solve this problem. In addition, as the new Firefox WebExtensions and Microsoft Edge (both currently in their early stages) use the same extension control mechanisms, we also notified their developers .

  27. Vulnerability Disclosure Firefox Family Firefox non-WebExtensions problem was acknowledged and developers are currently discussing how to proceed. Regarding WebExtensions , the Firefox developers recently changed the way extensions are accessed to solve this timing side-channel and other related attacks. In particular, they changed the initial scheme from moz-extension://[extID]/[path] to moz-extension://[random-UUID]/[path]

  28. Vulnerability Disclosure Firefox Family Firefox non-WebExtensions problem was acknowledged and developers are currently discussing how to proceed. Regarding WebExtensions , the Firefox developers recently changed the way extensions are accessed to solve this timing side-channel and other related attacks. In particular, they changed the initial scheme from moz-extension://[extID]/[path] to moz-extension://[random-UUID]/[path] This change introduced a new dangerous problem: the random-UUID token can now be used to precisely fingerprint users as once it is generated it never changes (also reported).

  29. Vulnerability Disclosure Safari The method that Safari’s extension control employs to assure the proper accessibility of resources is, in principle, correct . We started reporting the problem to the developers of security extensions we already manually confirmed vulnerable, to help them solve their URI leakage problem.

  30. Security Proposal 1 All browsers should follow an extension scheme that includes a random value in the URI: X-extension://[randomVal]/[path] . This random value should be modified across and during the same session and should be independent for each extension installed. In this way, the random value cannot be used to fingerprint users.

  31. Security Proposal 2 Browsers should also implement an access control (such as web accessible resource) to avoid any undesirable access to all extensions resources even when the random value is unintentionally leaked by the extension.

  32. Security Proposal 3 Extensions should be analyzed for possible leakages before making them public to the users. For example, adopting a lightweight static analysis solution (similar to the one we discuss) to analyze the extensions in their market and flag those that leak the random token. Moreover, developer manuals should specifically discuss the problems that can cause the leakage of any random value generated.

  33. We already knew about the communication breakdown …

  34. We already knew about the communication breakdown …

  35. We already knew about the communication breakdown …

  36. We already knew about the communication breakdown …

  37. but browsers didn’t told us about …

  38. their new single … Extension Breakdown iskander.sanchez@deusto.es iskander-sanchez-rola.github.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 8: Project Management Software Engineering, SS 06 History Extension of PERT with

Lecture 8: Project Management Software Engineering, SS 06 History Extension of PERT with

Chair of Softw are Engineering Software Engineering Spring Semester 2008 Lecture 8: Project Management Software Engineering, SS 06 History Extension of PERT with Extension of PERT with 7 a Work Breakdown 5 9 a Work Breakdown 1

875 views • 17 slides
4. Number of transactions 5. Breakdown by age group 6. Breakdown by investment frequency 7.

4. Number of transactions 5. Breakdown by age group 6. Breakdown by investment frequency 7.

1. Introduction 2. Research questions 3. Sample 4. Number of transactions 5. Breakdown by age group 6. Breakdown by investment frequency 7. Conclusion Source: Thomson Reuters Eikon Can we demonstrate quantitatively , on the

196 views • 18 slides
Unipolar Plasma Model of RF Breakdown Z. Insepov, J. Norem 1) Purdue University, 2) Nanosynergy

Unipolar Plasma Model of RF Breakdown Z. Insepov, J. Norem 1) Purdue University, 2) Nanosynergy

Unipolar Plasma Model of RF Breakdown Z. Insepov, J. Norem 1) Purdue University, 2) Nanosynergy Inc Feb 12, 2014 "RF breakdown physics" sprint Outline Motivation - RF breakdown in cavities Calculation of electric field for real

763 views • 49 slides
Beef Cutting Demo Bridget Wasser Carcass Breakdown - Subprimals Carcass Breakdown Finished

Beef Cutting Demo Bridget Wasser Carcass Breakdown - Subprimals Carcass Breakdown Finished

Bridget Wasser, Na.onal Ca3lemen's Beef Associa.on 11/28/17 Carcass Breakdown - Primals Beef Cutting Demo Bridget Wasser Carcass Breakdown - Subprimals Carcass Breakdown Finished Cuts CHUCK CHUCK Shoulder Clod Flat Iron Steak Chuck

728 views • 3 slides
AGENDA 1. MAP Selection Stages 2. The Application Breakdown: Atticus 3. The Pitch

AGENDA 1. MAP Selection Stages 2. The Application Breakdown: Atticus 3. The Pitch

AGENDA 1. MAP Selection Stages 2. The Application Breakdown: Atticus 3. The Pitch Breakdown: Smileyscope (MAP17) Breakdown: Acusensus (MAP18) Market Product Execution 4. Q & A MAP19 Selection Process Market Product Execution

636 views • 24 slides
EQUIPMENT BREAKDOWN INSURANCE PROGRAM General Management WHAT DOES EQUIPMENT BREAKDOWN DO?

EQUIPMENT BREAKDOWN INSURANCE PROGRAM General Management WHAT DOES EQUIPMENT BREAKDOWN DO?

EQUIPMENT BREAKDOWN INSURANCE PROGRAM General Management WHAT DOES EQUIPMENT BREAKDOWN DO? Through the use of an insurance policy, it pays for the repair of your schools electrical and electronic equipment. The policy allows the

298 views • 15 slides
Breakdown Criteria for The Main Results Nonvacuum Spacetimes Nonvacuum Einstein Equations The

Breakdown Criteria for The Main Results Nonvacuum Spacetimes Nonvacuum Einstein Equations The

Breakdown Criteria Arick Shao Introduction The Breakdown Problem Some Classical Results The Einstein Vacuum Equations Breakdown Criteria for The Main Results Nonvacuum Spacetimes Nonvacuum Einstein Equations The Main Theorem The Cauchy

814 views • 38 slides
Overview of Cooperative Extension Laura Perry Johnson Associate Dean for Extension University

Overview of Cooperative Extension Laura Perry Johnson Associate Dean for Extension University

Overview of Cooperative Extension Laura Perry Johnson Associate Dean for Extension University of Georgia Extens nsion & n & Outreach I n 1914 Legislation was passed to create the Cooperative Extension Service Extension: To

155 views • 15 slides
Resource Breakdown Structure Introduction 1 Construction involves cross functional

Resource Breakdown Structure Introduction 1 Construction involves cross functional

Resource Breakdown Structure Introduction 1 Construction involves cross functional teams 2 Different resources perform different tasks & activities 3 4 5 Work breakdown structure Project objective

325 views • 10 slides
Progressive Breakdown in HighVoltage GaN MISHEMTs Shireen Warnock and Jess A. del Alamo

Progressive Breakdown in HighVoltage GaN MISHEMTs Shireen Warnock and Jess A. del Alamo

Progressive Breakdown in HighVoltage GaN MISHEMTs Shireen Warnock and Jess A. del Alamo Microsystems Technology Laboratories (MTL) Massachusetts Institute of Technology (MIT) Purpose Understand timedependent dielectric breakdown

562 views • 39 slides
Improving User Experience for translators Translate Extension Translate Extension Translate

Improving User Experience for translators Translate Extension Translate Extension Translate

Improving User Experience for translators Translate Extension Translate Extension Translate Extension Translate Extension UI 2006 -2012 Translate Extension UI 2012 - today Editor concept Page view Other improvements Other improvements

600 views • 20 slides
RF Breakdown and MAP Introduction Current Understanding Field Emission Daniel Bowring Physics

RF Breakdown and MAP Introduction Current Understanding Field Emission Daniel Bowring Physics

RF Breakdown and MAP Daniel Bowring RF Breakdown and MAP Introduction Current Understanding Field Emission Daniel Bowring Physics MAP-Specific Issues Lawrence Berkeley National Laboratory, Muon Accelerator Program Conclusions

863 views • 55 slides
Introduction Aadesh RAMDONEE Extension/Senior Extension Officer Food and Agricultural Research

Introduction Aadesh RAMDONEE Extension/Senior Extension Officer Food and Agricultural Research

Introduction Aadesh RAMDONEE Extension/Senior Extension Officer Food and Agricultural Research and Extension Institute(FAREI) 36th IVTC International Vegetable Training Course worldveg.org Content of presentation Overview of Mauritius

888 views • 35 slides
Building Capacity for Urban Forestry Knowledge Using the eXtension Network IUFRO Extension

Building Capacity for Urban Forestry Knowledge Using the eXtension Network IUFRO Extension

Building Capacity for Urban Forestry Knowledge Using the eXtension Network IUFRO Extension Knowledge Exchange Conference September 26, 2016, Kenora, Canada J.H Campbell and W. Hubbard Southern Regional Extension Forestry Athens, Georgia,

500 views • 17 slides
5/12/2012 Kansas Basketball Triple extension the coordinated extension of the Strength &

5/12/2012 Kansas Basketball Triple extension the coordinated extension of the Strength &

5/12/2012 Kansas Basketball Triple extension the coordinated extension of the Strength & Conditioning hip, knee, and ankle joints during running and jumping is an integral part of our training program because it is in such high demand

257 views • 6 slides
ICCP extension for the MSP application draft-hao-pwe3-iccp-extension-for-msp-00 Presenter:

ICCP extension for the MSP application draft-hao-pwe3-iccp-extension-for-msp-00 Presenter:

ICCP extension for the MSP application draft-hao-pwe3-iccp-extension-for-msp-00 Presenter: Yuxia Ma Author: Hongjie Hao Background Sometimes the SDH and Packet Transport equipments are co-existed in the mobile backhaul network, to

320 views • 9 slides
5/30/2014 Yielding Positions Prone positioning improves VQ To Prone or Not to mismatch

5/30/2014 Yielding Positions Prone positioning improves VQ To Prone or Not to mismatch

5/30/2014 Yielding Positions Prone positioning improves VQ To Prone or Not to mismatch Prone? Prone positioning improves arterial oxygenation John H. Turnbull, MD Assistant Professor of Anesthesia and Perioperative Medicine

89 views • 6 slides
for Large-Scale Image Recognition Karen Simonyan , Andrew Zisserman Visual Geometry Group,

for Large-Scale Image Recognition Karen Simonyan , Andrew Zisserman Visual Geometry Group,

Very Deep ConvNets for Large-Scale Image Recognition Karen Simonyan , Andrew Zisserman Visual Geometry Group, University of Oxford ILSVRC Workshop 12 September 2014 2 Summary of VGG Submission Localisation task 1 st place, 25.3% error

592 views • 18 slides
Prone to Fail The Pre-Crisis Financial System Darrell Duffie GSB Stanford The Financial Crisis

Prone to Fail The Pre-Crisis Financial System Darrell Duffie GSB Stanford The Financial Crisis

Prone to Fail The Pre-Crisis Financial System Darrell Duffie GSB Stanford The Financial Crisis at 10 NBER Summer Institute Cambridge, July 2018 Drawing from joint work with Antje Berndt and Yichao Zhu Average leverage of systemic banks and

456 views • 16 slides
Seek Novelty Personality Environment Predictable Unpredictable Seek Stability Seek Novelty

Seek Novelty Personality Environment Predictable Unpredictable Seek Stability Seek Novelty

Seek Novelty Personality Environment Predictable Unpredictable Seek Stability Seek Novelty Predictable Unpredictable Seek Stability ? X ? ? 1. Establish 1RM (performance) 2. Plan the training block/phase 3. Rinse and repeat How to

726 views • 60 slides
Best Practices for the Consolidated Plan and Action Plan May 2019 Housekeeping Logistics:

Best Practices for the Consolidated Plan and Action Plan May 2019 Housekeeping Logistics:

Best Practices for the Consolidated Plan and Action Plan May 2019 Housekeeping Logistics: 90-minute webinar All lines are muted Submit technical issues through Question function Asking questions: There will be periodic

914 views • 54 slides
EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu,

EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu,

EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu, and Abdallah Khreishah Center for Networked Computing http://www.cnc.temple.edu Agenda 2 Introduction Motivation Setting Proposed

555 views • 21 slides
IOPin: Runtime Profiling of Parallel I/ O in HPC S ystems Seong Jo (Shawn) Kim * , S on + ,

IOPin: Runtime Profiling of Parallel I/ O in HPC S ystems Seong Jo (Shawn) Kim * , S on + ,

IOPin: Runtime Profiling of Parallel I/ O in HPC S ystems Seong Jo (Shawn) Kim * , S on + , Wei-keng Liao + , eung Woo S Mahmut Kandemir*, Raj eev Thakur # , and Alok Choudhary + * : Pennsylvania S tate University + : Northwestern University # :

451 views • 16 slides
Det Detect ecting ng the he 1% 1%: Gr Grow owing ng the he Sci Science ence of of Vul

Det Detect ecting ng the he 1% 1%: Gr Grow owing ng the he Sci Science ence of of Vul

Det Detect ecting ng the he 1% 1%: Gr Grow owing ng the he Sci Science ence of of Vul Vulner nerabi ability y Di Discover scovery Laurie Williams laurie_williams@ncsu.edu Real people Real Projects Real Impact 1 2 3

810 views • 68 slides

More recommend