the most dangerous code in the browser
play

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, - PowerPoint PPT Presentation

Jan 06, 2023 •175 likes •591 views

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Modern web experience Modern web experience Modern web experience Web apps Extensions AdBlock NYTimes Chase Evernote Core browser Web

  1. The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

  2. Modern web experience

  3. Modern web experience

  4. Modern web experience Web apps Extensions AdBlock … NYTimes Chase Evernote Core browser

  5. Web app security • Trust model: malicious code ❌ NYTimes Chase Web APIs Core browser • Apps are isolated according to same-origin policy • Apps are constrained to Web APIs (e.g., DOM) ➤ They cannot access arbitrary files, devices, etc.

  6. Extension security? NYTimes AdBlock Privileged APIs Core browser • Extensions need direct access to app DOMs ➤ They modify app style, content, behavior, … • Extensions need privileged APIs ➤ To fetch/store cross-origin content, to read/modify history and bookmarks, to create new tabs, etc.

  7. Chrome extension security model • Trust model: extensions are benign-but-buggy NYTimes AdBlock • Privilege separate extension: core and content ➤ Protects vulnerable extension from malicious apps • Run extensions with least privilege ➤ Limits damage due to exploits

  8. 
 Least privilege via permission system • Extensions declare necessary permissions 
 { "name": “AdBlock Plus", "version": "2.1.10", ... "permissions": [ "http://*/*", "https://*/*", "contextMenus" ], ... • Users must grant permissions at install time

  9. What does mean? • Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com • AdBlock must be a special case, right? ➤ 71.6% of top 500 extensions need this privilege!

  10. What does mean? • Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com • AdBlock must be a special case, right? ➤ 71.6% of top 500 extensions need this privilege!

  11. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 0.8 100000 0.6 10000 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  12. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  13. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 # of users 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  14. It gets worse with popularity Removed from Chrome Web Store 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 # of users 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  15. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  16. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  17. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  18. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  19. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  20. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  21. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  22. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  23. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  24. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  25. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  26. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker ❌ gmail.com evil.gov ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  27. Safely read and modify pages?

  28. Safely read and modify pages? ✗

  29. 
 
 Safely read and modify pages? • Idea: tie extension script with app page ➤ Impose at least same-origin policy on extension 
 NYTimes AdBlock ❌ chase.com • Challenge: read data from page and leak it by injecting content into page’s DOM • Solution: taint extension, write to isolated DOM ➤ Loads due to extension restricted: confined!

  30. 
 
 Safely read and modify pages? • Idea: tie extension script with app page ➤ Impose at least same-origin policy on extension 
 NYTimes AdBlock ❌ chase.com • Challenge: read data from page and leak it by injecting content into page’s DOM • Solution: taint extension, write to isolated DOM ➤ Loads due to extension restricted: confined!

  31. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  32. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  33. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  34. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  35. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes Evernote

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

630 views • 33 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many <script> tags with hidden ordering dependencies Very

362 views • 15 slides
Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON

Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON

Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON SMARTPHONE, TABLET OR LAPTOP 2. GO TO www.slido.com 3. ENTER CODE #Q358 TWEET ABOUT THE EVENT #WokinghamCHASC Introduction David Cahill (BHFT Wokingham

472 views • 29 slides
In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at http://marijnhaverbeke.nl/talks/goto2012) a 3-part talk: state of the art inspirational demo implementation war stories textarea schmextarea who's who ACE

939 views • 24 slides
VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote Mobile Lightweight Quick Fully-Featured Text Editor Possible Features SCM Integration Sharing ... Kellen Donohue (kellend@{cs,uw}) , Zach

380 views • 3 slides
Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals:

Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals:

Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals: -Create two projects: web app and Eclipse plugin which could assist developers in the process of browsing/analyzing binary code -Create an abstract layer

277 views • 13 slides
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen & Tim van Zalingen UvA February 6, 2018 Supervisors (KPMG): Aidan Barrington & Ruben de Vries Research Project 82 Sjors Haanen & Tim van

331 views • 30 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
The Whiteboard Interviewer In-browser chat tool web app for code interviews Christina Quan

The Whiteboard Interviewer In-browser chat tool web app for code interviews Christina Quan

The Whiteboard Interviewer In-browser chat tool web app for code interviews Christina Quan (quanc) Kunxuan Wang (kunxw) Helps interviewers better understand interviewees thought processes Helps interviewees better communicate their

473 views • 3 slides
Handling files Thierry Sans Browser restrictions It is impossible to write a piece of code

Handling files Thierry Sans Browser restrictions It is impossible to write a piece of code

Handling files Thierry Sans Browser restrictions It is impossible to write a piece of code that reads an arbitrary file in (server-side) Javascript Only files selected by users through file input forms can be processed <form . . .

493 views • 9 slides
Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road Chi Chiara Bersani, Claudio Roncoli B i Cl di R li University of Genova, Department of Communication, Computer and System Science DIST 16145

685 views • 39 slides
The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the

The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the

The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the Future? Ubiquitous Dynamic Instant updates Interactive Programs Pages Web Applications Remote code? Are you crazy?? Integrity Compromise

509 views • 48 slides
Refactoring Code Professor Larry Heimann Information Systems Carnegie Mellon University Why

Refactoring Code Professor Larry Heimann Information Systems Carnegie Mellon University Why

Refactoring Code Professor Larry Heimann Information Systems Carnegie Mellon University Why refactor code that works? There are better ways to do it Repetition is dangerous Maintaining spaghetti code is hard Dont want someone

618 views • 6 slides
Animal Permitting Proposed Code Revisions Current Picture Permits required for certain

Animal Permitting Proposed Code Revisions Current Picture Permits required for certain

Animal Permitting Proposed Code Revisions Current Picture Permits required for certain animals Currently required City Health Code 221.05 ( in place for approx. 23 years) Dangerous/Wild Animals covered in Ohio Revised Code

668 views • 29 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
Light-Duty Slides Specifications at a Glance Products in this Model Max. Load Travel Cross

Light-Duty Slides Specifications at a Glance Products in this Model Max. Load Travel Cross

Light-Duty Slides Specifications at a Glance Products in this Model Max. Load Travel Cross Detent Disconnect Page Capacity Section Width category carry loads 2601 75 lbs. Full .50" Hold-in None 13 from 75 to 108 [34 kg]

369 views • 4 slides
Cinematic Drone O S C A R F R A S S E R Cinematic Shots COMPOSITION COVERAGE CONTINUITY

Cinematic Drone O S C A R F R A S S E R Cinematic Shots COMPOSITION COVERAGE CONTINUITY

Cinematic Drone O S C A R F R A S S E R Cinematic Shots COMPOSITION COVERAGE CONTINUITY LIGHT OPTICS STABILIZATION SLOW MOTION EXPOSURE COLOR GRADING Feeling Emotion Wonder Wheel Feeling Emotion GRAMMAR OF THE SHOT A shot is the

1.02k views • 60 slides
Balancing a career in science with raising a family Prof. Ramit Mehr, Bar-Ilan University, Israel

Balancing a career in science with raising a family Prof. Ramit Mehr, Bar-Ilan University, Israel

Balancing a career in science with raising a family Prof. Ramit Mehr, Bar-Ilan University, Israel My personal story Career issues for women scientists and anyone trying to balance career and family life (... and suggestions for solutions)

133 views • 11 slides
Supersaturation for Intersecting Families Shagnik Das University of California, Los Angeles / ETH

Supersaturation for Intersecting Families Shagnik Das University of California, Los Angeles / ETH

Supersaturation for Intersecting Families Shagnik Das University of California, Los Angeles / ETH Z urich April 1, 2014 Joint work with Wenying Gan and Benny Sudakov Supersaturation for Intersecting Families Shagnik Das University of

1.09k views • 92 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No longer expiremental since 1.1.0 Can run anywhere where JS runs Websites NodeJS Browser Extensions Can call JS the

250 views • 24 slides
5.1 CABINETMAKERS SUPPLY www.cabinetmakerssupply.net fax) 703-421-6333 (ph) 703-421-6331 3554 -

5.1 CABINETMAKERS SUPPLY www.cabinetmakerssupply.net fax) 703-421-6333 (ph) 703-421-6331 3554 -

CABINETMAKERS SUPPLY www.cabinetmakerssupply.net fax) 703-421-6333 (ph) 703-421-6331 DRAWER SLIDES 10032 Precision Slides Use for box drawer or pedestal file drawers up to 20 wide. Manufactured by an ISO 9001 registered plant of heat hardened

312 views • 13 slides
C-SPARQL: A Continuous Extension of SPARQL Marco Balduini marco.balduini@polimi.it Share,

C-SPARQL: A Continuous Extension of SPARQL Marco Balduini marco.balduini@polimi.it Share,

Stream Reasoning for Linked Data M. Balduini, J-P Calbimonte, O. Corcho, D. Dell'Aglio, E. Della Valle http://streamreasoning.org/events/sr4ld2014 C-SPARQL: A Continuous Extension of SPARQL Marco Balduini marco.balduini@polimi.it Share,

707 views • 37 slides

More recommend