Revisiting the Chrome Extension Permissions Model Pranav Prakash, - - PowerPoint PPT Presentation

Revisiting the Chrome Extension Permissions Model

Pranav Prakash, Chester Leung

1

2

Courtesy of W3Counter

3

Courtesy of W3Counter

4

2019 Chrome has ~190,000 extensions 2020 Chrome removes 500+ malicious extensions 2008 Google Chrome released 2010 Chrome adds support for extensions

Chrome Extensions...

5

Chrome Extensions...

• Change UI

6

Chrome Extensions...

• Change UI
• Provide additional functionality

7

Chrome Extensions...

• Change UI
• Provide additional functionality
• Integrate with third party apps

8

Extension Ecosystem

• ~1.2B installs

9

Extension Ecosystem

• ~1.2B installs
• 2.6% of installed extensions are paid

10

Extension Ecosystem

• ~1.2B installs
• 2.6% of installed extensions are paid
• 87% have less than 1,000 installs

11

Extension Ecosystem

• ~1.2B installs
• 2.6% of installed extensions are paid
• 87% have less than 1,000 installs
• Only 13 have more than 10 million installs

12

Extension Ecosystem

• Most big extensions backed by a company

13

Extension Ecosystem

• Most big extensions backed by a company

14

Extension Ecosystem

• Most big extensions backed by a company

15

Extension Ecosystem

• Most big extensions backed by a company

16

17

18

It’s a business!

19

https://extensionmonitor.com/blog/breaking-down-the-chrome-web-store-part-2

20

https://extensionmonitor.com/blog/breaking-down-the-chrome-web-store-part-2

21

22

Extension developers were phished!

23

Extensions used for malvertising

24

25

26

Nigelify

27

Nigelify

Link

28

Nigelify

Link Extension

29

Nigelify

Link Extension Credentials

30

Nigelify

Link Extension Credentials

31

Nigelify

Link Extension Credentials Resources

Nigelify

• Made $1000 in < 1 week

32

Nigelify

• Made $1000 in < 1 week
• Affected 100k+ users

33

Nigelify

• Made $1000 in < 1 week
• Affected 100k+ users
• Prevented users from removing extension

34

35

36

Added users to botnet

37

Part of malvertising campaign

Analyzing the threat surface of Chrome’s extension APIs

38

Chrome

• Designed with security in

mind

39

• Isolation, separation of

privilege 1

1 Barth, Adam, et al. "Protecting browsers from extension vulnerabilities." (2010).

Chrome Extension Architecture

40 runtime.sendMessage

Manifests

"background": { "persistent": false, "scripts": [ "js/background.js" ] }, "content_scripts": [ { "js": [ "js/content.js"] "matches": ["*://*.foo.com"], "run_at": "document_start" }], "permissions": ["bookmarks"]

• Structure of extension

explicitly declared

41

• Permissions enumerated

Weaknesses of Permission Model

• While limited by sandboxing/isolation, malicious

developers may not adhere to “principle of least privilege”

42

Analyzing the Chrome APIs

• Inspect the APIs in each permission group

43

Analyzing the Chrome APIs

44

Analyzing the Chrome APIs

• Primary objectives of malicious extension

○ Data exfiltration ○ Website tampering ○ Phishing

45

Analyzing the Chrome APIs

46

• CIA Triad: Confidentiality, Integrity, Availability

Analyzing the Chrome APIs

• Classify aligned to triad

○ Info disclosure ○ Phishing ○ State manipulation ○ Obfuscation

47

• CIA Triad: Confidentiality, Integrity, Availability

Analysis

48

Analysis

• Majority of APIs can be abused

49

• Different methods within same permission have

different threat profiles

Reverse-engineering a malicious extension

50

Version History

51

Malicious buyout

• Rather than phish developer, outright buy an extension

52

Malicious buyout

• Rather than phish developer, outright buy an extension

53

https://portswigger.net/daily-swig/when-browser-extensions-go-rogue

Why so many users?

• Possibly ranked high in google search?
• Are all installs legitimate?

54

Permissions

Nothing too abnormal...

55

Suspicious Obfuscation

56

A seemingly benign jpeg

57

Wait that’s not a jpeg...

> file promo.jpg PNG image data, 1280 x 800, 8-bit/color RGBA, non-interlaced

58

What’s in the alpha channel?

59

Steganographic Obfuscation

60

Takeaways?

• Limitations of static/dynamic analysis

61

Takeaways?

• Limitations of static/dynamic analysis

62

• Permissions system has unnecessarily broad scope

Takeaways?

• Limitations of static/dynamic analysis

63

• Permissions system has unnecessarily broad scope

Mitigations to limit power of malicious extensions

64

Mitigation: Fine-grained permissions

• Scope on method, not permission category

65

• Should not be able to update tabs if only need to

refresh them

Existing permissions

66

"permissions": [ "tabs", "*://*.google.com/" ],

Existing permissions

67

"permissions": [ "tabs", "*://*.google.com/" ],

Update existing tabs? Spawn new tabs?

Wildcard Host

Nothing too abnormal...?

68

Scope network access

• Tie network host permission to parent permission

69

"permissions": [ "tabs", "*://*.google.com/" ], "permissions": [ "tabs.executeScript" : { "*://*.google.com/" } ],

Existing permissions

70

"permissions": [ "tabs", "*://*.google.com/" ],

Update existing tabs? Spawn new tabs?

Revised permissions

71

"permissions": [ "tabs.executeScript" : { "*://*.google.com/" } ],

Read and manipulate your data on all google.com sites

"permissions": [ "tabs", "*://*.google.com/" ],

Backwards Compatibility

• Static analysis to transparently upgrade manifests
• Prevents obfuscated API calls

72

Mitigation: Runtime Permissions

73

Mitigation: Runtime Permissions

• Permission dialog every time an extension wants to run

74

Today: Chrome Optional Permissions Feature

75

Today: Chrome Optional Permissions Feature

• Requested additional permissions during runtime

76

Today: Chrome Optional Permissions Feature

• Request additional permissions during runtime
• Better security and information to users

77

Today: Chrome Optional Permissions Feature

• Requested additional permissions during runtime
• Better security and information to users

78

Runtime Permission Dialog

79

Runtime Permission Dialog

80

Bookmarks Navigator requests

Runtime Permission Dialog

81

Bookmarks access

Bookmarks Navigator requests

Runtime Permission Dialog

82

Bookmarks access

Bookmarks enable easy access to your favorite sites

Bookmarks Navigator requests

Runtime Permission Dialog

83

Bookmarks access

Bookmarks enable easy access to your favorite sites We’ll ask for permission every time you open a new tab

Bookmarks Navigator requests

Runtime Permission Dialog

84

Bookmarks access

Bookmarks enable easy access to your favorite sites We’ll ask for permission every time you open a new tab

Deny Grant

Bookmarks Navigator requests

Impact

• On developer
• On user

85

Impact on Developer

86

Under the Hood

87

Permission Dialog Context

• Two ways to call a chrome.* API

88

Rule-Based Triggers

89

Logic Triggers

90

Config Example

91

{ “Logic_triggers” : { “message.js:L32” : “You’ve clicked the set timer button in our extension

• n your navigation bar”,

// More triggers } }

Impact on User

• Usability / security tradeoff

92

Usability

• Windows Vista UAC disaster

93

Usability

• Windows Vista UAC disaster

94

Usability

• Windows Vista UAC disaster
• Users’ skimming / not reading dialogs

95

Usability Solutions

96

Usability Solutions

97

Usability Solutions

• Standardized dialog interface that conveys a sense of

danger

98

Usability Solutions

• Standardized dialog interface that conveys a sense of

danger

• Conditioned-safe ceremony

99

Evaluation: Mitigation Effectiveness

• User Agent Switcher: exfiltrates visited URLs and redirects

users

100

UA Switcher: Still Dangerous?

• Typical user will not switch user-agent often

101

UA Switcher: Still Dangerous?

• Typical user will not switch user-agent often
• Extension may attempt to run at unexpected times

102

Future Work

• Prototype

103

Future Work

• Prototype
• User study

104

Thank you!

105