Page 1: An Analysis of the Mozilla Jetpack Extension Framework

Rezwana Karim, Mohan Dhawan, Vinod Ganapathy (Computer Science, Rutgers University)
Chung-chieh Shan (Indiana University)

6/1/2012, ECOOP'12

Page 2: Browser Extensions

• Enhance browser functionality
• Customize to meet user needs
• Unrestricted access to privileged resources

Rezwana Karim 2

Page 3: Problems in legacy extensions

[Figure: a legacy extension with unrestricted privileges interacting with www.evil.com]

• Insecure programming practice -> exploitable vulnerability
  [Barth et al., NDSS'10] [Bhandhakavi et al., Usenix Security'10]

Page 4: Jetpack

• Mozilla's new extension development technology
• Extension structured as a collection of modules
• Recommends
  – Principle of Least Authority (POLA)
  – Privilege separation
• Upfront permission specification
• Goal: limit the ill effects of vulnerable extensions

Page 5: Structure of Weather extension in Jetpack

[Figure: the extension module Main imports the core modules File and Network, which in turn access the sensitive resources]

Page 6: Modularity does not guarantee security

[Figure: the Main, File and Network module graph from page 5]

Page 7: Analysis of Jetpack framework

• Goal: verifying conformance to security principles in Jetpack modules
  – Focus on adherence to POLA and privilege separation
• Beacon: capability flow analysis tool
  – 36 programming bugs in real-world extensions
  – 10 instances of POLA violation
  – Results acknowledged by Mozilla

Page 8: Module Interaction

Main module:

    var file = require("file");
    file.readFile("zipCodeFile");
    . . .

File module:

    var fileSystemPtr = accessToFileSystem();
    exports.readFile = function readFile(fileName) {
        // read the content of fileName
        . . .
        // return the content
        . . .
    };

Page 9: Capabilities

• Privilege to access sensitive resources: bookmarks, cookies, file, password, network etc.
• Ways to acquire

File module:

    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;

Main module:

    var fileSystemPtr = require("File").fileSystemPtr;

Page 10: Capability leaks

• Inadvertent leaks of pointers to privileged resources
  – Direct references to privileged resources
  – Functions returning references to privileged resources

File module:

    var fileSystemPtr = accessToFileSystem();
    exports.fileSystemPtr = fileSystemPtr;
    exports.getFileSystem = function(){ return fileSystemPtr; }

Page 11: Detecting capability leaks

[Figure: the Main, File and Network module graph from page 5]

Page 12: Capability flow analysis

• Static analysis of JavaScript modules
• Information flow
  – Taint: capability
  – Source: privileged resource access
  – Sink: exports interface
• Call graph based
• Context and flow insensitive
  – Static Single Assignment (SSA) representation gives a degree of flow-sensitivity

Page 13: Capability flow in object hierarchy

[Figure: object tree rooted at a, with children x and y; y has children p and z]

    var a = { x : object, y : { p : fileSystemPtr, z : object } }

Page 14: Implementation of Beacon

[Figure: Beacon pipeline. Components: call graph generator, SSA analyzer, inference engine. Inputs: code in SSA format, imported module summaries, rules for JS to Datalog translation, taint inference rules, initial facts, points-to rules, heap allocation. Output: capability analysis report]

• 2.8k lines of Java, Datalog
• Tools used: WALA, DES

Page 15: Capability flow in object hierarchy

    var a = { x : object, y : { p : fileSystemPtr, z : object } }

[Figure: the object tree of page 13 annotated with the facts below]

Points-to facts:   ptsTo(va, ha), ptsTo(vx, hx), ptsTo(vy, hy), ptsTo(vp, hp), ptsTo(vz, hz)
Store fact:        store(vy, p, vp)
Heap points-to:    heapPtsTo(ha, x, hx), heapPtsTo(ha, y, hy), heapPtsTo(hy, p, hp), heapPtsTo(hy, z, hz)
Taint facts:       isTainted(hp, file), isTainted(hy, file), isTainted(ha, file)

[Gatekeeper, Guarnieri et al., Usenix Security'09]

Page 16: Evaluation goals

• Evaluate the Jetpack architecture for adherence to two principles
  – Privilege separation
  – Principle of least authority (POLA)
• Identify modules with
  – Capability leaks
  – Violations of privilege separation
  – Overprivilege, i.e. violations of POLA

Page 17: Evaluation

• Over 600 Jetpack modules
  – 77 core modules
  – Modules from 359 Jetpack extensions
  – 68k lines of JavaScript code
• Performance
  – On average, a couple of minutes and 200 MB
  – tab-browser.js (~25 KB): 30 mins and 243 MB

Page 18: Capability leak

• 36 leaks in over 600 modules
  – 12 in 4 core modules
  – 24 in extension modules

Core module    Capability leaked                               Mechanism                 Essential
tabs/utils     Active tab, browser window and tab container    Function return           yes
window-utils   Browser window                                  Function return           yes
xhr            Reference to the XMLHttpRequest object          Property of this object   no
xpcom          Entire XPCOM utility module                     Exported property         no

Page 19: Capability leaks: extension modules

• 24 leaks in 359 extensions

Extension               Capability                                                          Count
Bookmarks Deiconizer    Sensitive resource service module                                   1
Browser Sign In         Window, document                                                    2
Customizable Shortcut   Preference, DOM, window                                             3
Firefox Share           Preference, window, database, observer, database, stream, network   10
Most Recent Tab         Preference, window                                                  2
Open Web Apps           Preference, window, database, observer                              4
Recall Monkey           IOService, favIcon                                                  2

None of the leaks are required for functionality.

Page 20: Accuracy: Capability leak

• No false positives
• May miss some leaks
  – Dynamic features
    • Iterator, generator
  – Unsupported JS constructs
    • for..each, yield, case statement over a variable
  – Unmodeled JS constructs
    • eval, with
  – Latent bugs

Page 21: Violation of privilege separation

• 26 modules in 19 extensions

Page 22: Accuracy: Capability usage

• 53 extensions directly use sensitive resources
• Beacon detects 46 out of 53
• The 7 missed are in event-handling code

Page 23: Violation of POLA

• Beacon generates 18 warnings, 7 false positives

Core module             Privilege            Severity
file                    Directory service    Moderate
hidden-frame            Timer                None
tab-browser             Errors               None
content/content-proxy   Chrome               Critical
content/loader          File                 Moderate
content/worker          Chrome               Critical
keyboard/utils          Chrome               Critical
clipboard               Errors               None
widget                  Chrome               Critical
windows                 XPCOM, apiUtils      Critical

Violation instances are fixed by Mozilla.

Page 24: Related Work

• Information flow analysis of extensions
  – SABRE [Dhawan et al., ACSAC'09]
  – VEX [Bhandhakavi et al., Usenix Security'10]
• Static analysis of JavaScript
  – Gatekeeper [Guarnieri et al., Usenix Security'09]
  – ENCAP [Taly et al., Oakland'11]
• Study of Chrome extension architecture
  – Chrome extension analysis [Yan et al., NDSS'12]

Page 25: Summary

• Beacon, a system for capability flow analysis of JavaScript modules
• Analysis of the Jetpack extension development framework
  – 36 capability leaks in more than 600 modules
  – 10 overprivileged core modules
  – Results acknowledged by Mozilla
• Applicable to node.js, Harmony modules

Page 26: Thank you

Page 27: Questions

Page 28: Sensitive resources usage

[Figure: chart of sensitive resource usage; no data extracted]

Page 29: Capability Usage

• Top 10 XPCOM interfaces [Figure: chart; no data extracted]

Page 30: Suggestions

• Dynamic enforcement of the manifest
  – Prevent access to unrequested sensitive resources
• Deep freezing of the exports object
  – Prevent leaks through event handlers

Page 31: Template

Entity             Type       Capability
fileSystemPtr      Object     File
getFileSystemPtr   Function   File

Page 32: Proof of concept example: Customize-shortcut

    const {Cc, Ci} = require("chrome");
    let Preferences = {
      branches: {},
      ...
      getBranch: function (name) {
        let branch = Cc["@mozilla.org/preferences-service;1"]
                       .getService(Ci.nsIPrefService).getBranch(name);
        return this.branches[name] = branch;
      },
      ...
    };
    exports.Preferences = Preferences;

Page 33: Modular approach

• Break down extension into modules
• JavaScript modules
  – Implement a certain functionality
  – Self-contained
  – Isolated; communicate via module interfaces
• Limit vulnerability effect

Page 34: Capability Usage

• Top 10 core modules [Figure: chart; no data extracted]

Page 35: Datalog relations: points-to analysis

[Figure: table of Datalog relations; no text extracted]

Page 36: JavaScript statement processing

[Figure: table; no text extracted]

Page 37: Inference Rules

[Figure: table of inference rules; no text extracted]

Page 38: Pre-processing (cont'd)

• Desugar JS constructs
  – Destructuring assignment, let, const, lambda function
• Code simplification

Code:

    var {Cc,Ci} = require("chrome");

Desugared code:

    var Cc = require("chrome").Cc;
    var Ci = require("chrome").Ci;

Code:

    let branch = Cc["@mozilla.org/preferences-service;1"]
                   .getService(Ci.nsIPrefService).getBranch(name);

Simplified code:

    let branch = MozPrefService().getBranch(name);

Page 39: Capability flow in object hierarchy (same content as page 15)

Page 40: Capability flow analysis using Datalog

Statement        Example code   Generated facts
OBJECT LITERAL   a = { }        ptsTo(va, ha)
STORE            v1.f = v2      store(v1, f, v2)

Basic rules:

    heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)

Taint propagation:

    isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)

[Gatekeeper, Guarnieri et al., Usenix Security'09]
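The two rules on this slide, run to a fixpoint over the facts of the page 13 and page 15 object hierarchy, as an added JavaScript example. This is not Beacon's own code (Beacon is Java and Datalog on WALA and DES); it is a naive Datalog evaluator written for this page. The variable names va, vx, vy, vp, vz and heap objects ha, hx, hy, hp, hz follow the slides. The exports variable vexports / heap object hexports and the statement `exports.a = a` that stores into it are assumptions added here so that the sink check of page 12 (taint reaching the exports interface) can be shown end to end; the store facts for x, y and z are the ones implied by the object literal.

```javascript
// Added example (not Beacon's own code): the slide's two Datalog rules evaluated
// to a fixpoint in plain JavaScript over the facts for
//     var a = { x : object, y : { p : fileSystemPtr, z : object } };
//     exports.a = a;   // assumed store into the exports sink (not on the slides)
// Variable names (va, vx, ...) and heap objects (ha, hx, ...) follow the slides;
// vexports/hexports name the exports interface and are an assumption.

function buildFacts(exportedVar = "va") {
  return {
    // ptsTo(V, H): variable V points to heap object H
    ptsTo: [["va", "ha"], ["vx", "hx"], ["vy", "hy"], ["vp", "hp"], ["vz", "hz"],
            ["vexports", "hexports"]],
    // store(V1, F, V2): the statement V1.F = V2
    store: [["va", "x", "vx"], ["va", "y", "vy"], ["vy", "p", "vp"], ["vy", "z", "vz"],
            ["vexports", "a", exportedVar]],
    // Initial taint: hp is the file capability (source = privileged resource access)
    isTainted: [["hp", "file"]],
  };
}

const key = (tuple) => tuple.join("|");

// Iterate both rules until no new fact appears (naive Datalog evaluation).
function runCapabilityFlow(facts) {
  const heapPtsTo = new Map();
  const isTainted = new Map(facts.isTainted.map((t) => [key(t), t]));
  let changed = true;
  while (changed) {
    changed = false;
    // heapPtsTo(H1, F, H2) :- store(V1, F, V2), ptsTo(V1, H1), ptsTo(V2, H2)
    for (const [v1, f, v2] of facts.store) {
      for (const [pv1, h1] of facts.ptsTo) {
        if (pv1 !== v1) continue;
        for (const [pv2, h2] of facts.ptsTo) {
          if (pv2 !== v2) continue;
          const t = [h1, f, h2];
          if (!heapPtsTo.has(key(t))) { heapPtsTo.set(key(t), t); changed = true; }
        }
      }
    }
    // isTainted(H1, P) :- heapPtsTo(H1, F, H2), isTainted(H2, P)
    for (const [h1, , h2] of heapPtsTo.values()) {
      for (const [th, p] of [...isTainted.values()]) {
        if (th !== h2) continue;
        const t = [h1, p];
        if (!isTainted.has(key(t))) { isTainted.set(key(t), t); changed = true; }
      }
    }
  }
  return { heapPtsTo: [...heapPtsTo.values()], isTainted: [...isTainted.values()] };
}

// Heap objects carrying a given capability, sorted for stable comparison.
function taintedHeaps(facts, capability = "file") {
  return runCapabilityFlow(facts).isTainted
    .filter(([, p]) => p === capability)
    .map(([h]) => h)
    .sort();
}

// Sink check: capabilities that reach any heap object the exports variable points to.
function capabilityLeaks(facts, exportsVar = "vexports") {
  const exportHeaps = new Set(
    facts.ptsTo.filter(([v]) => v === exportsVar).map(([, h]) => h));
  return runCapabilityFlow(facts).isTainted
    .filter(([h]) => exportHeaps.has(h))
    .map(([, p]) => p)
    .sort();
}
```

With buildFacts() the taint climbs the object tree exactly as on page 15 (hp, then hy, then ha) and finally reaches hexports, so capabilityLeaks reports "file"; with buildFacts("vx"), where only the plain object x is exported, nothing reaches the sink. Like Beacon, this evaluation is context and flow insensitive: the order of the store statements plays no role.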

Page 41: Capability flow in object hierarchy (same content as page 15)

Page 42: JavaScript statement processing

Statement             Example code                     Generated facts
OBJECT CONSTRUCTION   v = new v0(v1, v2, ..., vn)      ptsTo(v, hfresh)
                                                       prototypeOf(hfresh, d) :- ptsTo(v0, hmethod), heapPtsTo(hmethod, prototype, d)
                                                       for z ∈ 1...n, generate actual(i, z, vz); callRet(i, v)
FUNCTION CALL         v = v0(vthis, v1, v2, ..., vn)   ptsTo(v, hfresh)
                                                       for z ∈ 1...n, this, generate actual(i, z, vz); callRet(i, v)