
Intercepting Suspicious Chrome Extension Actions

Michael Cypher

Department of Computing Imperial College London

June 26, 2017

Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 1 / 31


Chrome Browser

User Usage

Chrome is the most popular desktop browser (62%) and the most popular browser overall (52%), and it is used to run sensitive web applications.


Chrome Browser

Multi-process Architecture


Chrome Extensions

The same-origin policy prevents attackers from executing arbitrary code on web pages, right? Not if they’re extensions!

Extensions:
  • can execute content scripts on pages (if granted permission by users)
  • have access to powerful Chrome extension APIs
  • are assumed to be benign-but-buggy and not malicious!


Extension System Architecture

Security Model


Malicious Extensions

The permission model does not protect users from malicious extensions!
  • Malicious extensions may provide useful functionality
  • Content scripts can carry out attacks using standard Web APIs


Malicious Extensions

Threats

Several threats are widespread on Chrome Web Store

1. Facebook hijacking present in 4,809 extensions (2012 - 2015)
2. Ad Injection present in 3,496 extensions
3. User Tracking

Google automatically analyzes extensions for malice in sandboxes before publishing them but provides no guarantees


Project Goals

1. Protect users from malicious extensions and provide security guarantees
2. Break as few benign web applications and extensions as possible
3. Not incur a significant performance overhead


Intercepting Suspicious Chrome Extension Actions

Our approach... Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions!


Intercepting Suspicious Chrome Extension Actions

Project Challenges

  • What extension actions do we consider suspicious?
  • Differentiating between extension actions and other script actions
  • Improving user experience and suspicious action classification


Suspicious Actions

Focus on content script operations and add permissions around standard Web APIs that harm users:
  • EventTarget.click()
  • Node.appendChild() (45% of malware)
  • XMLHttpRequest.send() (52% of malware)

Filter out benign events, or operations on elements not attached to DOM.


Suspicious Actions

Configuring Suspicious Actions


Detecting Extension Actions

Alternatives

Neither approach provides security guarantees:
  • Measuring the ordering and frequency of events
  • Transforming content script JavaScript to taint methods


Detecting Extension Actions

Using the Isolated World


Script Injection

Executing Scripts in the Main World


Describing Suspicious Actions

Improving User Experience

Users need to be able to correctly classify suspicious actions
  • Let web-pages describe elements themselves
  • Highlight or scroll to element under question


Sensitive Attributes

Improving User Experience

  • Let web-pages taint elements as sensitive
  • Warn users of operations on sensitive elements
  • Precise sensitive data flow tracking


Remembering User Decisions

Improving User Experience
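
Added example (not part of the original slides and not the project's code, which modifies the browser itself): a toy JavaScript model of the gating policy the slides describe, combining the isolated-world check, the filter for elements not attached to the DOM, and remembered user decisions. FakeNode, World, ActionGate, the decision-key granularity, and the sample origin and extension id are assumptions made for illustration.

```javascript
// Toy model only: the names FakeNode, World and ActionGate are hypothetical.
const World = { MAIN: 'main', ISOLATED: 'isolated' }; // content scripts run isolated

class FakeNode { // minimal stand-in for a DOM node
  constructor(tag) { this.tag = tag; this.parent = null; this.children = []; this.isRoot = false; }
  get isConnected() { // true when the node is attached to the document tree
    for (let n = this; n; n = n.parent) if (n.isRoot) return true;
    return false;
  }
}

class ActionGate {
  constructor(askUser) { this.askUser = askUser; this.decisions = new Map(); this.prompts = 0; }

  // Returns true when the operation may proceed.
  check(ctx, action, target) {
    if (ctx.world !== World.ISOLATED) return true;  // page script, not an extension
    if (target && !target.isConnected) return true; // detached element: filtered out
    // Assumed granularity for remembered decisions: extension + action + origin.
    const key = [ctx.extensionId, action, ctx.origin].join('|');
    if (!this.decisions.has(key)) {
      this.prompts += 1;
      this.decisions.set(key, Boolean(this.askUser(ctx, action, target)));
    }
    return this.decisions.get(key);
  }

  appendChild(ctx, parent, child) {
    if (!this.check(ctx, 'Node.appendChild()', parent)) return false;
    child.parent = parent;
    parent.children.push(child);
    return true;
  }
}

function runDemo() {
  const doc = new FakeNode('html');
  doc.isRoot = true;
  // Constructed user policy: prevent DOM insertion, allow everything else.
  const gate = new ActionGate((ctx, action) => action !== 'Node.appendChild()');
  const origin = 'https://example.test'; // constructed sample origin
  const page = { world: World.MAIN, origin };
  const ext = { world: World.ISOLATED, extensionId: 'sample-extension', origin };

  const subtree = new FakeNode('div');
  const results = [
    gate.appendChild(page, doc, new FakeNode('p')),      // page script: no prompt
    gate.appendChild(ext, subtree, new FakeNode('img')), // detached parent: no prompt
    gate.appendChild(ext, doc, subtree),                 // reaches the DOM: prompt, prevented
    gate.appendChild(ext, doc, new FakeNode('a')),       // remembered: no second prompt
  ];
  return { results, prompts: gate.prompts, attached: doc.children.length };
}
console.log(runDemo());
```

Building a subtree off-document raises no prompt; the single prompt occurs when the subtree would become visible in the page, and the remembered answer covers the repeat.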


Security Guarantees

Results

Guarantee we alert users if an extension executes a suspicious action!

But security relies on users correctly classifying malicious actions
  • False negatives = attacks made possible
  • False positives = benign extensions may break


Discovered Malicious Extension

Leaked sensitive data to third-party


User Experience Survey

Results

Action Group   Size   Prevented (%)
Total          839    64.1
Change Attr    120    72.5
Event          80     70.0
DOM            280    63.6
Request        80     62.5
Response       80     62.5
Create         100    61.0
Read Attr      99     56.6


Suspicious Actions Triggered By Popular Benign Extensions

The quantity of suspicious actions executed during 15 minutes of extension use

[Figure: four line charts, one each for Grammarly, LastPass, Google Dictionary and StayFocusd. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); series listed on the Grammarly chart: All possible suspicious actions, Default suspicious actions.]


User Experience Survey

Results

Do users understand suspicious extension action pop-ups? (Percentage, %)

Action Group   Understand   Kind of Understand   Don’t Understand
Change Attr    48           29                   23
Event          50           25                   25
DOM            60           25                   16
Request        49           34                   17
Response       50           26                   24
Create         48           32                   20
Read Attr      52           27                   21


Performance Impact

Results

The modified browser sometimes has significant performance overhead
  • DOM: 50% and 380% increases when creating elements and setting attributes, respectively
  • Events: 70% increase when dispatching click events


Demonstration and Questions


Telemetry Benchmarking

DOM Operations

Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4,489.4 ± 42.0              4,797.5 ± 100.4             +6.9
addRange                      3,821.9 ± 13.8              3,852.6 ± 21.1              +0.8
modify-element-id             1,720.3 ± 11.6              1,764.1 ± 10.1              +2.5
modify-element-title          1,499.8 ± 11.1              1,512.1 ± 7.3               +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4,418.0 ± 184.5             6,518.4 ± 77.9              +47.5


Telemetry Benchmarking

Events

Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
...ShadowTrees                601.9 ± 2.9                 579.5 ± 13.0                -3.7
...DeeplyNestedShadowTrees    235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching             25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch           56.2 ± 0.7                  95.3 ± 0.9                  +69.5


Telemetry Benchmarking

Network Requests

Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1,173.8 ± 57.1              1,208.5 ± 59.2              +3.0
read-response   1,208.1 ± 56.0              1,245.5 ± 56.1              +3.1
