intercepting suspicious chrome extension actions
play

Intercepting Suspicious Chrome Extension Actions Michael Cypher - PowerPoint PPT Presentation

Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing Imperial College London June 26, 2017 Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 1 / 31


  1. Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing Imperial College London June 26, 2017 Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 1 / 31

  2. Chrome Browser User Usage Most popular desktop browser (62%) and browser in general (52%) and is used to execute sensitive web applications Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 2 / 31

  3. Chrome Browser Multi-process Architecture Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 3 / 31

  4. Chrome Extensions The same-origin policy prevents attackers from executing arbitrary code on web-pages, right? Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 4 / 31

  5. Chrome Extensions The same-origin policy prevents attackers from executing arbitrary code on web-pages, right? Not if they’re extensions! Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 4 / 31

  6. Chrome Extensions The same-origin policy prevents attackers from executing arbitrary code on web-pages, right? Not if they’re extensions! Extensions can execute content scripts on pages (if granted permission by users) Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 4 / 31

  7. Chrome Extensions The same-origin policy prevents attackers from executing arbitrary code on web-pages, right? Not if they’re extensions! Extensions can execute content scripts on pages (if granted permission by users) have access powerful Chrome extension APIs Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 4 / 31

  8. Chrome Extensions The same-origin policy prevents attackers from executing arbitrary code on web-pages, right? Not if they’re extensions! Extensions can execute content scripts on pages (if granted permission by users) have access powerful Chrome extension APIs are assumed to be benign-but-buggy and not malicious ! Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 4 / 31

  9. Extension System Architecture Security Model Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 5 / 31

  10. Malicious Extensions Permission model does not protect users from malicious extensions! Malicious extensions may provide useful functionality Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 6 / 31

  11. Malicious Extensions Permission model does not protect users from malicious extensions! Malicious extensions may provide useful functionality Content scripts can carry out attacks using standard Web APIs Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 6 / 31

  12. Malicious Extensions Threats Several threats are widespread on Chrome Web Store 1 Facebook hijacking present in 4,809 extensions (2012 - 2015) Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 7 / 31

  13. Malicious Extensions Threats Several threats are widespread on Chrome Web Store 1 Facebook hijacking present in 4,809 extensions (2012 - 2015) 2 Ad Injection present in 3,496 extensions Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 7 / 31

  14. Malicious Extensions Threats Several threats are widespread on Chrome Web Store 1 Facebook hijacking present in 4,809 extensions (2012 - 2015) 2 Ad Injection present in 3,496 extensions 3 User Tracking Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 7 / 31

  15. Malicious Extensions Threats Several threats are widespread on Chrome Web Store 1 Facebook hijacking present in 4,809 extensions (2012 - 2015) 2 Ad Injection present in 3,496 extensions 3 User Tracking Google automatically analyzes extensions for malice in sandboxes before publishing them but provides no guarantees Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 7 / 31

  16. Project Goals 1 Protect users from malicious extensions and provide security guarantees Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 8 / 31

  17. Project Goals 1 Protect users from malicious extensions and provide security guarantees 2 Break minimal benign web applications and extensions Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 8 / 31

  18. Project Goals 1 Protect users from malicious extensions and provide security guarantees 2 Break minimal benign web applications and extensions 3 Not incur a significant performance overhead Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 8 / 31

  19. Intercepting Suspicious Chrome Extension Actions Our approach... Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions! Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 9 / 31

  20. Intercepting Suspicious Chrome Extension Actions Project Challenges Project challenges What extension actions do we consider suspicious? Differentiating between extension actions and other script actions Improving user experience and suspicious action classification Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 10 / 31

  21. Suspicious Actions Focus on content script operations and add permissions around standard Web APIs that harm users EventTarget.click() Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 11 / 31

  22. Suspicious Actions Focus on content script operations and add permissions around standard Web APIs that harm users EventTarget.click() Node.appendChild() (45% of malware) Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 11 / 31

  23. Suspicious Actions Focus on content script operations and add permissions around standard Web APIs that harm users EventTarget.click() Node.appendChild() (45% of malware) XMLHttpRequest.send() (52% of malware) Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 11 / 31

  24. Suspicious Actions Focus on content script operations and add permissions around standard Web APIs that harm users EventTarget.click() Node.appendChild() (45% of malware) XMLHttpRequest.send() (52% of malware) Filter out benign events, or operations on elements not attached to DOM. Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 11 / 31

  25. Suspicious Actions Configuring Suspicious Actions Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 12 / 31

  26. Intercepting Suspicious Chrome Extension Actions Project Challenges Project challenges What extension actions do we consider suspicious? Differentiating between extension actions and other script actions Improving user experience and suspicious action classification Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 13 / 31

  27. Detecting Extension Actions Alternatives Neither approach provides security guarantees Measuring the ordering and frequency of events Transforming content script JavaScript to taint methods Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 14 / 31

  28. Detecting Extension Actions Using the Isolated World Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 15 / 31

  29. Detecting Extension Actions Using the Isolated World Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 15 / 31

  30. Script Injection Executing Scripts in the Main World Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 16 / 31

  31. Script Injection Executing Scripts in the Main World Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 16 / 31

  32. Script Injection Executing Scripts in the Main World Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 16 / 31

  33. Intercepting Suspicious Chrome Extension Actions Project Challenges Project challenges What extension actions do we consider suspicious? Differentiating between extension actions and other script actions Improving user experience and suspicious action classification Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 17 / 31

  34. Describing Suspicious Actions Improving User Experience Users need to be able to correctly classify suspicious actions Let web-pages describe elements themselves Highlight or scroll to element under question Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 18 / 31

Recommend


More recommend