Security Signature Inference for JavaScript-based Browser Addons


slide-1
SLIDE 1

Security Signature Inference for JavaScript-based Browser Addons

Vineeth Kashyap, Ben Hardekopf University of California Santa Barbara

  • CGO 2014

1

slide-2
SLIDE 2

JavaScript-based Browser Addons

2

slide-3
SLIDE 3

Addons: JavaScript with High Privileges

3

slide-4
SLIDE 4

Urging Security Concern

  • Proof of concept exploits
      • FFSniff, a configurable password stealer
  • Unintentional vulnerabilities
      • Wikipedia Toolbar allowed arbitrary privileged code execution
  • Intentionally malicious
      • Key loggers

4

slide-5
SLIDE 5

Curated Repositories

5

slide-11
SLIDE 11

Manual JavaScript Addon Vetting is Difficult

  • Ad-hoc
  • Tedious
  • Error-prone

11

slide-12
SLIDE 12

Our Goal: Help Automate the Vetting Process

  • Automatically infer security signatures
  • Summarize interesting information flows and critical API usages

12

[Figure: example signature with the labels "url", "send (www.evil.com)" and "amplified local control flow"]

slide-16
SLIDE 16

Key Challenges

  • Flexible security policies
      • No single policy applies for all addons
  • Classifying Information Flows
      • Binary result (secure or insecure) is not enough
  • Inferring Network Domains
      • Critical to reason about addon's network communication

13

slide-17
SLIDE 17

Our Solution

  • Construct annotated Program Dependence Graphs (PDG)
  • Use annotated PDGs to generate security signatures
  • Use prefix string analysis to infer network domains communicated with

14

Automatically summarize API usages, interesting information flows (classified based on the type of flow)
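
The prefix string analysis named in the third "Our Solution" bullet, shown as an added JavaScript example (not code from the talk or from JSAI). The names `exact`, `prefix`, `concat`, `join` and `inferDomain` and the `a.example.*` hosts are assumptions made for illustration; `www.evil.com` is the host from the deck's sample signature.

```javascript
// Added illustration of a prefix string domain; not the authors' JSAI code.
// An abstract string is one exact string, or "any string starting with s".
const exact = (s) => ({ kind: "exact", s });
const prefix = (s) => ({ kind: "prefix", s }); // prefix("") means "any string"

// Abstract concatenation: once the left operand has an unknown tail,
// whatever is appended after it cannot be tracked.
function concat(a, b) {
  if (a.kind === "prefix") return a;
  return b.kind === "exact" ? exact(a.s + b.s) : prefix(a.s + b.s);
}

// Join at a control-flow merge: keep only the longest common prefix.
function join(a, b) {
  if (a.kind === "exact" && b.kind === "exact" && a.s === b.s) return a;
  let i = 0;
  while (i < a.s.length && i < b.s.length && a.s[i] === b.s[i]) i++;
  return prefix(a.s.slice(0, i));
}

// The host is known only when the tracked text runs past the end of the
// authority component ("/", "?" or "#"), or the whole URL is exact.
function inferDomain(url) {
  const m = /^https?:\/\/([^\/?#]*)(.*)$/s.exec(url.s);
  if (!m) return "unknown";
  const [, authority, rest] = m;
  if (authority === "" || (rest === "" && url.kind !== "exact")) return "unknown";
  // Drop userinfo and port so "good.com@www.evil.com" reports www.evil.com.
  return authority.slice(authority.lastIndexOf("@") + 1).replace(/:\d*$/, "");
}

// Constructed inputs modelling addon code that builds request URLs.
const anyString = prefix(""); // e.g. the visited page's url, unknown statically
const cases = {
  // "http://www.evil.com/log?u=" + url
  fixedHost: concat(exact("http://www.evil.com/log?u="), anyString),
  // cond ? "http://a.example.com/x" : "http://a.example.org/y"
  mergedHosts: join(exact("http://a.example.com/x"), exact("http://a.example.org/y")),
  // "http://" + getString()
  dynamicHost: concat(exact("http://"), anyString),
};
for (const [name, url] of Object.entries(cases)) {
  console.log(name, JSON.stringify(url), "->", inferDomain(url));
}
```

The `mergedHosts` case loses the host at the merge point, which is the kind of string-domain imprecision that turns a benign addon into a reported unexpected flow.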

slide-21
SLIDE 21

Annotated Program Dependence Graph

  • Use JSAI† to construct a PDG
  • Annotate the edges of PDG with the type of dependency

15

† JSAI is a sound and efficient JavaScript abstract interpreter we developed.

slide-22
SLIDE 22

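Strong vs. Weak Data Dependency

    var data = {loc: url, other: 1};
    send(data["loc"]);       // property name is a constant: strong data dependency on url
    send(data[getString()]); // may or may not read loc: weak data dependency on url

16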

slide-25
SLIDE 25

Local Control Dependency

    if (url == "secret.com")
        send(null); // send runs only on this branch: local control dependency on url

17

slide-27
SLIDE 27

Syntax-obvious Non-local Control Dependency

    try {
        if (url != "hush-hush.com")
            throw "irrelevant"; // explicit throw skips the send below
        send(null);             // reached only when url == "hush-hush.com"
    } catch (x) {}

18

slide-29
SLIDE 29

Non-obvious Non-local Control Dependency

    try {
        if (url != "mystic.com")
            obj.prop = 1; // may throw implicitly (e.g. obj is null or undefined)
        send(null);       // so whether this runs can still depend on url
    } catch (x) {}

19

slide-31
SLIDE 31

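Amplified vs. Simple Control Dependencies

    var arr = ["covert.com", "priv.com"/*,..*/];
    var i = 0, count = 0;
    // the loop condition tests url once per iteration
    while (arr[i] && url != arr[i]) {
        i++;
        count++;
    } // end while
    send(count); // count depends on every loop test of url: amplified control dependency

20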

slide-33
SLIDE 33

Lattice of Perceived Flow Strength

[Figure, built up over slides 33 to 37: a lattice of flow types with an axis labeled "Stronger Flow". Pairs shown in the successive builds: data / control; amplified / not amplified; local / non-local; syntax-obvious / non-obvious.]

21

slide-38
SLIDE 38

Generating Security Signatures

  • Use the PDG to reason about information flow in addons
  • Use PDG annotations to classify flows
  • Output a signature summarizing relevant flows

26

[Figure: example signature with the labels "url", "send (www.evil.com)" and "amplified local control flow"]

slide-52
SLIDE 52

Evaluation

  • Evaluated analysis on 10 real addons from Mozilla repository
  • Manually created security signatures based on submitted addon description
  • Ran the analysis to get inferred signature, compared against our manual signature
  • Possible experimental outcomes:
      • pass (no unexpected information flow)
      • fail (false unexpected information flow)
      • leak (true unexpected information flow)

34

slide-53
SLIDE 53

Results

35

† In all these cases, the failure was due to insufficient precision in the string domain.

slide-54
SLIDE 54

Conclusion

  • Browser addon vetting is hard, needs automation
  • Security signatures are useful to understand security behavior of addons

36

Implementation available under the Downloads link at http://www.cs.ucsb.edu/~pllab

slide-55
SLIDE 55

Acknowledgements

  • Tommy Ashmore and Ben Wiedermann (Harvey Mudd College)
  • Dave Herman (Mozilla Research)
  • Mozilla Addon Vetting Team

37

slide-56
SLIDE 56

38

vineeth@cs.ucsb.edu

Questions?