
Privacy Leakage Attacks in Browser by Colluding Extensions



  1. Privacy Leakage Attacks in Browser by Colluding Extensions
     Presentation by Anil Saini (1), Manoj Singh Gaur (1), Vijay Laxmi (1), Tushar Singhal (1), Mauro Conti (2)
     (1) Malaviya National Institute of Technology, Jaipur, India
     (2) University of Padua, Italy
     10th International Conference of Information System and Security, 16-20 Dec 2014, IDRBT, Hyderabad
     December 20, 2014
     Anil Saini et al. (MNIT-Jaipur), ICISS-2014, December 20, 2014, 1 / 57

  2. Outline
     1 Browser Extensions
         An Overview
         XPCOM Framework
     2 Threats with Browser Extensions
         Threats Overview
         Literature
     3 Colluding Browser Extensions
         Colluding Extensions
         Threat Model
         Attack Scenarios
         Experimental Results
         Mitigation
     4 Conclusions
         Conclusions

  3. Browser Extensions: Outline

  4. Browser Extensions / An Overview: Third party code in Firefox
     • Extension or Add-on
     • Plug-in
     • APIs

  5. Browser Extensions / An Overview: Powerful Privileges for Extensions

  6. Browser Extensions / An Overview: Firefox Extensions
     • What is a Firefox extension?
         • Extensions are third-party software.
         • Extensions are add-ons.
     • Brighter side?
         • Adds unforeseen rich functionality to the browser.
         • Customizes and extends core functionality of the browser.
         • Enhances the browsing experience.
     • Darker side?
         • Can be vulnerable and malicious.
         • Once exploited, grants system-level access to the attacker.
         • High privileges can cause critical attacks.

  7. Browser Extensions / XPCOM Framework: XPCOM Architectural View
     • Cross-platform interaction framework that provides services within and across the browser.
     • Development technologies: CSS, RDF, XUL, XBL, JavaScript.
     • Interacts with internal browser components, the host file system, the network, etc.
     • Access to browser APIs.

  8. Browser Extensions / XPCOM Framework: XPCOM Interface
     • An interface is a set of functionality implemented by XPCOM components.
     • An extension can call any functionality provided by an XPCOM component, as described in its interfaces.
     • For example, the nsIFile interface describes the properties and operations available on files, such as read, write, execute.

  9. Threats with Browser Extensions: Outline

  10. Threats with Browser Extensions / Threats Overview: Threat Categorization
     • Privacy leakage (without informing users)
         • A vulnerable or malicious extension may leak private information such as usernames, passwords, cookies.
         • Breaches confidentiality and integrity of user data. E.g. banking Trojan: Man-in-the-Browser attack.
     • Privilege escalation
         • Gaining browser- and OS-level access by leveraging existing browser and system-level vulnerabilities.
     • Executing critical applications
         • Accessing information from web applications.
         • Executing an arbitrary process.
         • Accessing the cross-domain network.
         • Accessing files from the host file system.

  11. Threats with Browser Extensions / Threats Overview: Points of Attack
     • Browser Document Object Model (DOM)
         • Access to web page information and cookies.
     • Cross-Platform Component Object Model (XPCOM) interfaces
         • Access to system-level resources, such as network, process, host file system.
     • JavaScript methods
         • Malicious data injection points.
     • Browser APIs
         • Access to browser resources, such as bookmarks, history, cookies.

  12. Threats with Browser Extensions / Threats Overview: Extension-based Attack: A Real Example
     • A MitB (Man-in-the-Browser) Trojan attack is a critical threat affecting consumers and business banking customers.
     • A malicious extension can invoke actions such as:
         • Modifying web transactions.
         • Manipulating web page information.
     • The challenges faced by the user:
         • The attack executes successfully on a secured channel protected with security mechanisms like SSL/PKI and two- or three-factor authentication.
         • It is able to access information on the fly.

  13. Threats with Browser Extensions / Literature: Can we stop malicious and vulnerable extensions?
     • Mohan Dhawan and Vinod Ganapathy. 2009. Analyzing Information Flow in JavaScript-Based Browser Extensions. In Proceedings of the 2009 Annual Computer Security Applications Conference (ACSAC'09).
     • Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, and Marianne Winslett. 2011. Vetting Browser Extensions for Security Vulnerabilities with VEX. Commun. ACM 54, 9 (Sept. 2011).
     • Kaan Onarlioglu, Mustafa Battal, William Robertson, and Engin Kirda. 2013. Securing Legacy Firefox Extensions with SENTINEL. In Proceedings of the 10th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA-13). Springer-Verlag, 122-138.
     • Hossain Shahriar, Komminist Weldemariam, Mohammad Zulkernine, and Thibaud Lutellier. 2014. Effective detection of vulnerable and malicious browser extensions. Computers & Security 47 (2014), 66-84.
     • ...

  14. Threats with Browser Extensions / Literature: Can we stop malicious and vulnerable extensions?
     Let's assume that these methods are foolproof solutions....

  15. Colluding Browser Extensions: Outline

  16. Colluding Browser Extensions / Colluding Extensions: Objective
     • Assume that attacks caused by a single extension are mitigated.
     • Can we bypass these mitigation techniques?

  17. Colluding Browser Extensions / Colluding Extensions: Objective
     • Assume that attacks caused by a single extension are mitigated.
     • Can we bypass these mitigation techniques?
     YES we can.... Using two or more colluding extensions.

  18. Colluding Browser Extensions / Colluding Extensions: Point of weakness
     • Weakness in how the Firefox JavaScript engine (SpiderMonkey) handles JavaScript objects.
     • SpiderMonkey provides two abstractions for executing scripts: JSRuntime and JSContext.
     • Mozilla Firefox uses one JSRuntime for the entire browser.
     • The JSContext is a child of the JSRuntime. Many threads are possible.
     • Objects may be shared among JSContexts within a JSRuntime.
     • All the objects created during the execution of a script are allocated on the Global Object Heap.

  19. Colluding Browser Extensions / Colluding Extensions: Inter component communication (ICC) in Firefox

  20. Colluding Browser Extensions / Colluding Extensions: Collusion between two Extensions

  21. Colluding Browser Extensions / Colluding Extensions: Collusion between two Extensions
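
The argument of slides 16 to 18, from the vetting side, as an added example that is not from the presentation or its authors: a check that looks at one extension at a time misses a flow that crosses extensions through shared objects, while a check that propagates taint across the shared heap reports it. The summary format, extension ids and object names are constructed assumptions, and the sketch generalizes from two colluding extensions to chains of any length.

```javascript
// Added example: constructed capability summaries, not real extensions.
// sources: sensitive data an extension reads; sinks: channels leaving the browser;
// writes/reads: names of objects it places on or fetches from the shared heap.
const SUMMARIES = [
  { id: "ext-A", sources: ["cookies"], sinks: [], writes: ["sharedObj1"], reads: [] },
  { id: "ext-B", sources: [], sinks: [], writes: ["sharedObj2"], reads: ["sharedObj1"] },
  { id: "ext-C", sources: [], sinks: ["network"], writes: [], reads: ["sharedObj2"] },
  { id: "ext-D", sources: [], sinks: ["network"], writes: [], reads: ["unrelated"] },
];

// Per-extension vetting: flags an extension only if it alone holds source and sink.
function vetIndividually(summaries) {
  return summaries.filter(s => s.sources.length && s.sinks.length).map(s => s.id);
}

// Cross-extension vetting: propagate taint through shared objects to a fixpoint,
// recording the chain of extensions each sensitive label travelled through.
function findColludingFlows(summaries) {
  const ext = new Map(summaries.map(s =>
    [s.id, new Map(s.sources.map(label => [label, [s.id]]))]));
  const shared = new Map(); // object name -> Map(label -> path of extension ids)
  let changed = true;
  while (changed) {
    changed = false;
    for (const s of summaries) {
      const mine = ext.get(s.id);
      for (const name of s.reads) {        // taint flows in from shared objects
        for (const [label, path] of shared.get(name) || []) {
          if (!mine.has(label)) { mine.set(label, [...path, s.id]); changed = true; }
        }
      }
      for (const name of s.writes) {       // taint flows out to shared objects
        if (!shared.has(name)) shared.set(name, new Map());
        const obj = shared.get(name);
        for (const [label, path] of mine) {
          if (!obj.has(label)) { obj.set(label, path); changed = true; }
        }
      }
    }
  }
  const flows = [];
  for (const s of summaries) {
    for (const [label, path] of ext.get(s.id)) {
      // path.length > 1 means the data arrived from another extension
      if (path.length > 1) for (const sink of s.sinks) flows.push({ label, sink, path });
    }
  }
  return flows;
}
```
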
