the most dangerous code in the browser
play

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, - PowerPoint PPT Presentation

Jan 06, 2023 •175 likes •591 views

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Modern web experience Modern web experience Modern web experience Web apps Extensions AdBlock NYTimes Chase Evernote Core browser Web

  1. The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

  2. Modern web experience

  3. Modern web experience

  4. Modern web experience Web apps Extensions AdBlock … NYTimes Chase Evernote Core browser

  5. Web app security • Trust model: malicious code ❌ NYTimes Chase Web APIs Core browser • Apps are isolated according to same-origin policy • Apps are constrained to Web APIs (e.g., DOM) ➤ They cannot access arbitrary files, devices, etc.

  6. Extension security? NYTimes AdBlock Privileged APIs Core browser • Extensions need direct access to app DOMs ➤ They modify app style, content, behavior, … • Extensions need privileged APIs ➤ To fetch/store cross-origin content, to read/modify history and bookmarks, to create new tabs, etc.

  7. Chrome extension security model • Trust model: extensions are benign-but-buggy NYTimes AdBlock • Privilege separate extension: core and content ➤ Protects vulnerable extension from malicious apps • Run extensions with least privilege ➤ Limits damage due to exploits

  8. 
 Least privilege via permission system • Extensions declare necessary permissions 
 { "name": “AdBlock Plus", "version": "2.1.10", ... "permissions": [ "http://*/*", "https://*/*", "contextMenus" ], ... • Users must grant permissions at install time

  9. What does mean? • Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com • AdBlock must be a special case, right? ➤ 71.6% of top 500 extensions need this privilege!

  10. What does mean? • Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com • AdBlock must be a special case, right? ➤ 71.6% of top 500 extensions need this privilege!

  11. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 0.8 100000 0.6 10000 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  12. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  13. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 # of users 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  14. It gets worse with popularity Removed from Chrome Web Store 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 # of users 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  15. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  16. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  17. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  18. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  19. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  20. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  21. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  22. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  23. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  24. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  25. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  26. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker ❌ gmail.com evil.gov ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  27. Safely read and modify pages?

  28. Safely read and modify pages? ✗

  29. 
 
 Safely read and modify pages? • Idea: tie extension script with app page ➤ Impose at least same-origin policy on extension 
 NYTimes AdBlock ❌ chase.com • Challenge: read data from page and leak it by injecting content into page’s DOM • Solution: taint extension, write to isolated DOM ➤ Loads due to extension restricted: confined!

  30. 
 
 Safely read and modify pages? • Idea: tie extension script with app page ➤ Impose at least same-origin policy on extension 
 NYTimes AdBlock ❌ chase.com • Challenge: read data from page and leak it by injecting content into page’s DOM • Solution: taint extension, write to isolated DOM ➤ Loads due to extension restricted: confined!

  31. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  32. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  33. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  34. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  35. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes Evernote

Recommend

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

630 views • 33 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many <script> tags with hidden ordering dependencies Very

362 views • 15 slides
Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON

Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON

Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON SMARTPHONE, TABLET OR LAPTOP 2. GO TO www.slido.com 3. ENTER CODE #Q358 TWEET ABOUT THE EVENT #WokinghamCHASC Introduction David Cahill (BHFT Wokingham

472 views • 29 slides
In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at http://marijnhaverbeke.nl/talks/goto2012) a 3-part talk: state of the art inspirational demo implementation war stories textarea schmextarea who's who ACE

939 views • 24 slides
VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote Mobile Lightweight Quick Fully-Featured Text Editor Possible Features SCM Integration Sharing ... Kellen Donohue (kellend@{cs,uw}) , Zach

380 views • 3 slides
Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals:

Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals:

Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals: -Create two projects: web app and Eclipse plugin which could assist developers in the process of browsing/analyzing binary code -Create an abstract layer

277 views • 13 slides
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen &

Detection of Browser Fingerprinting by Static JavaScript Code Classification Sjors Haanen & Tim van Zalingen UvA February 6, 2018 Supervisors (KPMG): Aidan Barrington & Ruben de Vries Research Project 82 Sjors Haanen & Tim van

331 views • 30 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
The Whiteboard Interviewer In-browser chat tool web app for code interviews Christina Quan

The Whiteboard Interviewer In-browser chat tool web app for code interviews Christina Quan

The Whiteboard Interviewer In-browser chat tool web app for code interviews Christina Quan (quanc) Kunxuan Wang (kunxw) Helps interviewers better understand interviewees thought processes Helps interviewees better communicate their

473 views • 3 slides
Handling files Thierry Sans Browser restrictions It is impossible to write a piece of code

Handling files Thierry Sans Browser restrictions It is impossible to write a piece of code

Handling files Thierry Sans Browser restrictions It is impossible to write a piece of code that reads an arbitrary file in (server-side) Javascript Only files selected by users through file input forms can be processed <form . . .

493 views • 9 slides
Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road Chi Chiara Bersani, Claudio Roncoli B i Cl di R li University of Genova, Department of Communication, Computer and System Science DIST 16145

685 views • 39 slides
The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the

The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the

The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the Future? Ubiquitous Dynamic Instant updates Interactive Programs Pages Web Applications Remote code? Are you crazy?? Integrity Compromise

509 views • 48 slides
Refactoring Code Professor Larry Heimann Information Systems Carnegie Mellon University Why

Refactoring Code Professor Larry Heimann Information Systems Carnegie Mellon University Why

Refactoring Code Professor Larry Heimann Information Systems Carnegie Mellon University Why refactor code that works? There are better ways to do it Repetition is dangerous Maintaining spaghetti code is hard Dont want someone

618 views • 6 slides
Animal Permitting Proposed Code Revisions Current Picture Permits required for certain

Animal Permitting Proposed Code Revisions Current Picture Permits required for certain

Animal Permitting Proposed Code Revisions Current Picture Permits required for certain animals Currently required City Health Code 221.05 ( in place for approx. 23 years) Dangerous/Wild Animals covered in Ohio Revised Code

668 views • 29 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
Tummy Troubles in the www.pollev.com/INTLeast c. Type or tap your response thats it!

Tummy Troubles in the www.pollev.com/INTLeast c. Type or tap your response thats it!

6/24/2019 CISTM16 Wi-Fi Access 1.Choose HILTON MEETINGS as your wireless connection. 2.Open any web browser. 3.When prompted, select I have a promotion code 4.Use ISTM19 code to complete connection. 1 2 Using the Live Audience Response

229 views • 9 slides
Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does Standard Tor is easy to block GetTor helps you get Tor Browser GetTor helps you get Tor Browser Tor Browser ships with default

567 views • 24 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

415 views • 37 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

655 views • 34 slides
There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous to most dangerous: Teddy Bear Black Bear (U. americanus) Brown or Grizzly Bear (U. Arctos) Chicago Bear (D. Butkus) Two types exist in New Mexico

420 views • 25 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
THE BROWSER IS DEAD Dan North Dan North & Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North & Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North & Associates LONG LIVE THE BROWSER! Dan North Dan North & Associates The gangs 1990: Tim Berners-Lee - (WorldWideWeb) 1993: NCSA Mosaic 1994: Netscape - Navigator 1995: Microsoft -

971 views • 21 slides
CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the built in browser create an Intent and start the Activity 2 WebView A View that display web pages basis for creating your own web browser OR

1.28k views • 54 slides

More recommend