Chrome Extensions: Threat Analysis and Countermeasures

Lei Liu, Xinwen Zhang*, Guanhua Yan*, and Songqing Chen
George Mason University
Huawei R&D Center
Los Alamos National Laboratory

NDSS'12

* Does not represent employer's opinion

Attacks via Extensions
• Extension is the vehicle for increasing attacks
• BHO/add-on is one of the techniques used by many spyware writers in IE.
  • Kida et al.'05, CERT'05, Egele'07, Li'07, Guha'11
• Abuse of Firefox extensions has been widely recognized and studied in the literature
  • Defcon'09, Ter-Louw'08, Dhawan'09, Bandhakavi'10, Djeric'10, Guha'11

Attacks via Chrome Extensions
• Buggy Chrome extensions have been identified recently
  • 27 out of 100 leak data
    – http://www.adrienneporterfelt.com/blog/?p=226_
• Malicious extensions have appeared

Problem Statement
• Why Chrome extensions?
  – Chrome has a built-in security model for its browser architecture and extensions
• Is the current Chrome extension architecture good enough?
  – Particularly with the consideration of malicious extensions
• Easy to launch malicious extensions:
  – It is a difficult task to sanitize the rapidly increasing number of extensions in the Google Chrome Web Store with a slow reviewing process
  – Users are free to download/install extensions from many (known/unknown) host servers
  – Strong incentive for attackers, e.g.,
    • harvest sensitive content in web pages
    • modify web search content
• Google takes actions against malicious extension developers
  – signup fee for developers
  – Domain verification for developers
• Problem: Can we have a technical solution?
  – Or an improvement of the current permission model for better security against malware extensions?

Contributions
• We demonstrate several attacks with malicious Chrome extensions through experimental implementation
• We do a security analysis of the permission model of Chrome extensions
  – With the assumption of malicious extensions
• We propose a security-enhanced extension permission model and enforcement mechanism
  – Following the principles of least privilege and separation of privilege in a more strict way

Chrome Extension Architecture
(architecture figure: Extension (HTML/JavaScript) | Native code | Process boundary | installation from Extension gallery | Render: Content Script (JavaScript) in Isolated World, DOM, JS, Cookies, Localstorage | Web server)

Chrome Extension Security Model
• Least Privilege
  – Pre-defined permission set (e.g., to access web sites, browser tabs, bookmarks, history, …)
  – Each extension declares the permissions it requires
  – User authorizes permissions at installation time
• Privilege Separation
  – Different permissions for different components of an extension
  – Content script can interact with web content, not browser modules
  – Extension core has more privileges, but is insulated from web pages
• Strong isolation
  – Same origin policy
    • Each extension has a unique origin
    • Accessing other origins requires cross-site permissions
    • Injecting a content script requires cross-site permissions
  – Process-level isolation: extension core runs in a separate process from the renderer and the browser
  – Within a renderer process, a content script runs in an isolated world, separate from the web page's JavaScript

Chrome Extension Trust Model
• The main trust model of Chrome extensions assumes trusted but buggy extensions
• But malicious web pages
• Therefore the security objectives are mainly for restricting web pages from accessing browser resources via extensions
• And confining the damage propagation if possible

Experimental Attacks
• We develop a malicious extension as a bot
  – from Chrome 7 to the latest
  – does email spamming, DDoS, and phishing attacks easily
• Through attacking web pages
  – Receives commands from the bot master via the built-in update mechanism of Chrome extensions
    • No security check for update

Email Spamming
(figure: update site → Browser/Extension: download update; Extension manipulates the webmail page; POST/upload to Webmail server)

Password Sniffing

DDoS Attack

Security Analysis
• Trust Model:
  – We assume the browser kernel and plugins are trustworthy
  – The sandbox mechanism provided by the OS works well
  – Native code for extensions is sandboxed
  – Web apps are trusted
• Threat model: malicious extensions
  – Extension core
  – Content scripts

Cross-site Forgery with Content Script
(figure: same architecture diagram as above)
• A content script injected into a web page can arbitrarily access the origin of the page
• All user credentials associated with the origin can be included in an HTTP request
• Since the origin of the content script is usually not that of the web page
  – This is a Cross-site Request Forgery
  – The email spamming attack leverages this
• Default privileges of the content script are not least

Cross-site Requests with Extension Core
(figure: same architecture diagram as above)
• Cross-site requests via content scripts through the extension core
• The extension core can file cross-site HTTP requests to multiple origins
  – Cross-site permissions are authorized in order to inject content scripts.
• Default privileges of the extension core are not least
• No differentiated permissions for extension core and content script
  – Injecting scripts vs. cross-site requests

Cross-site Requests with Content Scripts
(figure: same architecture diagram as above)
• Without cross-site permission, a running content script can only make HTTP requests to the origin of the tab page
• However, since the content script has full privileges over the DOM, it can file unlimited cross-site HTTP requests to arbitrary origins, e.g.,
  – Insert iframe
  – Load img
  – Modify src of DOM objects
  – With user credentials included in the request
• Loading of new DOM objects results in cross-site requests
• Privilege to access the DOM is not least for the content script

Undifferentiated Permissions
(figure: same architecture diagram as above, with the manifest excerpt "permissions": ["http://*/*"])
• An extension may inject a content script into many origins
  – It does not need to file HTTP requests to all origins
  – But only to a dedicated one, e.g., a translation web service
• When an origin is assigned to an extension, all components get the full privileges
  – Extension core can file cross-site requests freely
  – Content script can arbitrarily modify the DOM, and file cross-site requests
• Privilege separation is not fine-grained enough
19 out of 30 most popular extensions have this type of over-privilege

Security Enhanced Chrome Extensions
• Micro-privilege management
• Differentiate DOM elements with sensitivity

Micro-privilege Management
• More fine-grained permission definition and enforcement
• Fine-grained permission differentiation for extension core and content script
  – Permission specs are separated for the different components
• Least default privileges
  – Content script cannot introduce a new origin to the DOM
  – no HTTP request to the tab origin

Example Permission Spec
• Permissions for a translation extension:
  
Differentiating DOM Elements
• To further reduce possible sensitive data leakage by content scripts, DOM elements can be differentiated with sensitivity levels
• A web app developer can identify sensitive information in a web page, e.g.,
  – High level data: can only flow to the web origin
  – Medium level: may flow to authorized origins
  – Low level (default): can flow to any origin
• An extension developer can specify permissions accordingly:
  – E.g., HIGH for username/pw, MEDIUM for other user info

Implementation
• We have implemented the micro-privilege management and spec.
• For DOM sensitivity, we develop a helper extension (trusted):
  – To identify and label sensitive DOM elements
  – Re-write DOM element properties
    • According to a configurable dictionary
  – Chrome enforces the permission check based on the extension manifest
  – Explicitly marking sensitive info by the web app developer is not practical right now
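As an added example covering the DOM sensitivity levels and the helper extension described on the two slides above (not the paper's helper extension or its dictionary), the following JavaScript labels form elements from a configurable dictionary and applies the HIGH/MEDIUM/LOW flow rule to a destination origin. The element shape (plain objects rather than live DOM nodes), the dictionary entries, the `data-sensitivity` property and the origins are assumptions made for this illustration.

```javascript
// Added example, not the paper's helper extension: label DOM elements with
// sensitivity levels from a configurable dictionary, then decide whether a
// value read by a content script may flow to a given origin. Element shape,
// dictionary, property name and origins are constructed for the illustration.

const LEVELS = { LOW: 0, MEDIUM: 1, HIGH: 2 };

// Configurable dictionary: a regex over an element's name/id/type -> level.
// Mirrors the slide's example: HIGH for username/password, MEDIUM for other
// user info; everything else defaults to LOW.
const defaultDictionary = [
  { match: /^(password|passwd|pwd)$/i, level: "HIGH" },
  { match: /^(user(name)?|login|email)$/i, level: "HIGH" },
  { match: /^(phone|address|birthdate|dob)$/i, level: "MEDIUM" },
];

// Assign the highest matching level to each element. The helper extension's
// "re-write DOM element properties" step is modelled by adding a
// data-sensitivity property to a copy of each element object.
function labelElements(elements, dictionary = defaultDictionary) {
  return elements.map((el) => {
    const keys = [el.name, el.id, el.type].filter(Boolean);
    let level = "LOW";
    for (const rule of dictionary) {
      if (keys.some((k) => rule.match.test(k)) && LEVELS[rule.level] > LEVELS[level]) {
        level = rule.level;
      }
    }
    return { ...el, "data-sensitivity": level };
  });
}

// Flow policy from the slides:
//   HIGH   -> only the page's own web origin
//   MEDIUM -> the web origin or an origin authorized in the extension's spec
//   LOW    -> any origin
function canFlow(level, destOrigin, { webOrigin, authorizedOrigins = [] }) {
  if (destOrigin === webOrigin) return true;
  switch (level) {
    case "HIGH":   return false;
    case "MEDIUM": return authorizedOrigins.includes(destOrigin);
    case "LOW":    return true;
    default:       return false; // unknown label: fail closed
  }
}

// Names of the labelled fields a content script would be blocked from
// sending to destOrigin under the given policy.
function blockedFields(labelled, destOrigin, policy) {
  return labelled
    .filter((el) => !canFlow(el["data-sensitivity"], destOrigin, policy))
    .map((el) => el.name || el.id);
}

// Constructed login/profile form on a webmail page, and a policy that
// authorizes only the translation service as an extra origin.
const sampleForm = [
  { tag: "input", name: "username", type: "text" },
  { tag: "input", name: "password", type: "password" },
  { tag: "input", name: "phone", type: "tel" },
  { tag: "input", name: "q", type: "search" },
];
const samplePolicy = {
  webOrigin: "http://mail.example.com",
  authorizedOrigins: ["http://translate.example.net"],
};

// Stand-alone run: show what may leave the page for each destination.
const labelledForm = labelElements(sampleForm);
for (const dest of ["http://mail.example.com",
                    "http://translate.example.net",
                    "http://third-party.example.org"]) {
  console.log(dest, "blocked:", blockedFields(labelledForm, dest, samplePolicy));
}
```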
  	
  
Evaluations

Evaluation
• We selected the 30 most popular extensions from the Google extension gallery
  – 24 of them have been granted network access
  – 19 of them request higher privileges than necessary (http://*/*)
• Our implementation easily changes their spec to reduce privileges

Evaluation
• Our implementation blocks all experimental attacks on the bot extension.

Conclusions
• Demonstrated spamming, phishing, and DDoS attacks with implemented Chrome extensions
• Analyzed the permission model that causes these problems
• Proposed a security-enhanced permission model and enforcement for the Chrome extension architecture
  – Micro-privileged permission management and spec
  – Differentiate content script's permissions with DOM sensitivity levels

Thank You!
Q&A

Globus
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 

Recently uploaded (20)

GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 

Chrome extensions threat analysis and countermeasures

  • 1. Chrome Extensions: Threat Analysis and Countermeasures
    Lei Liu, Xinwen Zhang*, Guanhua Yan*, and Songqing Chen
    George Mason University
    Huawei R&D Center
    Los Alamos National Laboratory
    NDSS'12
    * Does not represent employer's opinion
  • 2. Attacks via Extensions
    • Extension is the vehicle for increasing attacks
    • BHO/add-on is one of the techniques used by many spyware writers in IE.
      • Kida et al'05, CERT'05, Egele'07, Li'07, Guha'11
    • Abuse of Firefox extensions has been widely recognized and studied in literature
      • Defcon'09, Ter-Louw'08, Dhawan'09, Bandhakav'10, Djeric'10, Guha'11
  • 3. Attacks via Chrome Extensions
    • Buggy Chrome extensions have been identified recently
      • 27 out of 100 leak data
        – http://www.adrienneporterfelt.com/blog/?p=226_
    • Malicious extensions have appeared
  • 4. Problem Statement
    • Why Chrome extension?
      – Chrome has a built-in security model for browser architecture and extensions
    • Is the current Chrome extension architecture good enough?
      – Particularly with the consideration of malicious extensions
    • Easy to launch malicious extensions:
      – It is a difficult task to sanitize rapidly increasing extensions in the Google Chrome Web Store with a slow reviewing process
      – Users are free to download/install extensions from many (known/unknown) host servers
      – Strong incentive for attackers, e.g.,
        • harvest sensitive content in web pages
        • modify web search content
    • Google takes actions against malicious extension developers
      – signup fee for developers
      – domain verification for developers
    • Problem: Can we have a technical solution?
      – Or improvement of the current permission model for better security with malware extensions?
  • 5. Contributions
    • We demonstrate several attacks with malicious Chrome extensions through experimental implementation
    • We do security analysis of the permission model of Chrome extension
      – With the assumption of malicious extensions
    • We propose security enhanced extension permission model and enforcement mechanism
      – Following the principles of least privilege and separation of privilege in more strict way
  • 6. Chrome Extension Architecture
    [Architecture diagram. Labels: Extension (HTML/Javascript), Native code, Process boundary, installation, Extension gallery, Render, Content Script (java script), Isolated World, DOM, JS, Cookies, Localstorage, Web server.]
  • 7. Chrome Extension Security Model
    • Least Privilege
      – Pre-defined permission set (e.g., to access web sites, browser tab, bookmarks, history, …)
      – Each extension declares permissions required
      – User authorizes permissions at installation time
    • Privilege Separation
      – Different permissions for different components of extension
      – Content script can interact with web content, not browser modules
      – Extension core has more privileges, but insulated from web pages
    • Strong isolation
      – Same origin policy
        • Each extension has unique origin
        • Accessing other origins requires cross-site permissions
        • Injecting content script requires cross-site permissions
      – Process-level isolation: extension core runs in separated process from renderer and browser
      – Within a renderer process, content script runs in isolated world from Javascript of web page
  • 8. Chrome Extension Trust Model
    • The main trust model of Chrome extension assumes trusted but buggy extensions
    • But malicious web pages
    • Therefore the security objectives are mainly for restricting web pages to access browser resources via extensions
    • And confine the damage propagation if possible
  • 9. Experimental Attacks
    • We develop a malicious extension as a bot
      – from Chrome 7 to the latest
      – does email spamming, DDoS, and phishing attacks easily
        • Through attacking web pages
      – Receive commands from bot master with built-in update mechanism of Chrome extension
        • No security check for update
  • 10. Email Spamming
    [Diagram. Labels: update site, Browser, Extension, Webmail server, Upload update, manipulate, POST, download update, POST.]
  • 13. Security Analysis
    • Trust Model:
      – We assume browser kernel and plugins are trustworthy
      – Sandbox mechanism provided by OS works well
      – Native code for extensions is sandboxed
      – Web apps are trusted
    • Threat model: malicious extensions
      – Extension core
      – Content scripts
  • 14. Cross-site Forgery with Content Script
    [Diagram. Labels: Extension (HTML/Javascript), Render, Content Script (java script), Isolated World, DOM, Process boundary, JS, Cookies, Localstorage, Web server.]
    • A content script injected into a web page can arbitrarily access the origin of the page
    • All user credentials associated with the origin can be included in an HTTP req
    • Since the origin of the content script is usually not that of the web page
      – This is a Cross-site Forgery Req
      – The email spamming attack leverages this
    • Default privileges of content script are not least
  • 15. Cross-site Requests with Extension Core
    [Diagram. Labels: Extension (HTML/Javascript), Render, Content Script (java script), Isolated World, Process boundary, Web server.]
    • Cross-site reqs via content scripts through extension core
    • The extension core can file cross-site HTTP reqs to multiple origins
      – Cross-site permissions are authorized in order to inject content scripts.
    • Default privileges of extension core are not least
    • No differentiated permission of extension core and content script
      – Inject scripts vs. cross-site reqs
  • 16. Cross-site Requests with Content Scripts
    [Diagram. Labels: Extension (HTML/Javascript), Render, Content Script (java script), Isolated World, Process boundary, JS, Cookies, Localstorage, Web server, DOM.]
    • Without cross-site permission, a running content script can only make HTTP reqs to the origin of the tab page
    • However, since content script has full privileges of DOM, it can file unlimited cross-site HTTP reqs to arbitrary origin, e.g.,
      – Insert iframe
      – Load img
      – Modify src of DOM objects
      – With user credentials included in the req
    • Loading of new DOM objects results in cross-site reqs
    • Privilege to access DOM is not least for content script
  • 17. Undifferentiated Permissions
    [Diagram. Labels: Extension (HTML/Javascript), Render, Content Script (java script), Isolated World, Process boundary, JS, Cookies, Localstorage, Web server, DOM.]
    "permissions": ["http://*/*"]
    • An extension may inject content script to many origins
      – It does not need to file HTTP reqs to all origins
      – But only to a dedicated one, e.g., a translation web service
    • When an origin is assigned to extension, all components get the full privileges
      – Extension core can file cross-site reqs freely
      – Content script can arbitrarily modify the DOM, and file cross-site reqs
    • Privilege separation is not fine-grained enough
    19 out of 30 most popular extensions have this type of over privileges
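The over-privilege on slide 17 (and the count slide 24 reports) can be checked mechanically: a manifest that declares `http://*/*` covers every host, while the extension only ever talks to one service. The following is an added example, not code from the paper or from Chrome; it implements Chrome's documented match-pattern grammar `<scheme>://<host><path>` and audits a manifest's host permissions against the URLs the extension actually needs. The manifest, the needed URL and the `translate.example` service are constructed for illustration, and the path matcher deliberately ignores the query string.

```javascript
// Added example (not code from the paper or from Chrome): audit the host
// permissions an extension manifest declares against the origins it really
// needs, using Chrome's match-pattern grammar <scheme>://<host><path>.
// The manifest and the "needed" URLs below are constructed for illustration.

// Parse one match pattern; returns null for an invalid pattern.
function parseMatchPattern(pattern) {
  if (pattern === '<all_urls>') {
    return { scheme: '*', host: '*', path: '/*', allUrls: true };
  }
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const [, scheme, host, path] = m;
  // Host is '*', '*.' plus a literal suffix, or a literal host; no other '*'.
  const hostOk = host === '*'
    || (host.startsWith('*.') ? host.length > 2 && !host.slice(2).includes('*') : !host.includes('*'));
  if (!hostOk) return null;
  if (scheme === 'file' ? host !== '' : host === '') return null;
  return { scheme, host, path, allUrls: false };
}

// Turn the path part (where '*' matches any run of characters) into a RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Does `pattern` cover `url`? Simplification: the query string is not matched.
function patternMatchesUrl(pattern, url) {
  const p = parseMatchPattern(pattern);
  if (!p) return false;
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  const scheme = u.protocol.slice(0, -1);
  if (p.allUrls) return ['http', 'https', 'file', 'ftp'].includes(scheme);
  if (p.scheme === '*' ? !['http', 'https'].includes(scheme) : p.scheme !== scheme) return false;
  if (p.host.startsWith('*.')) {
    const suffix = p.host.slice(2);
    if (u.hostname !== suffix && !u.hostname.endsWith('.' + suffix)) return false;
  } else if (p.host !== '*' && p.host !== u.hostname) {
    return false;
  }
  return globToRegExp(p.path).test(u.pathname);
}

// Report the over-privilege of slide 17: patterns with a wildcard host,
// patterns that cover none of the needed URLs, and the narrowest per-origin
// patterns that would still cover every needed URL.
function auditHostPermissions(declaredPatterns, neededUrls) {
  const wildcardHost = declaredPatterns.filter((pat) => {
    const p = parseMatchPattern(pat);
    return p !== null && (p.allUrls || p.host === '*');
  });
  const unused = declaredPatterns.filter(
    (pat) => !neededUrls.some((url) => patternMatchesUrl(pat, url)),
  );
  const leastPrivilege = [...new Set(neededUrls.map((url) => {
    const u = new URL(url);
    return `${u.protocol}//${u.hostname}/*`;
  }))];
  return { wildcardHostPatterns: wildcardHost, unusedPatterns: unused, leastPrivilege };
}

// Constructed manifest of a translation extension with the slide-17 grant.
const CONSTRUCTED_MANIFEST = {
  name: 'Example translator (constructed)',
  permissions: ['http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};
// The only URL the extension core actually needs to contact (constructed).
const CONSTRUCTED_NEEDED_URLS = ['https://translate.example/api/v1/translate'];

function auditConstructedManifest() {
  return auditHostPermissions(CONSTRUCTED_MANIFEST.permissions, CONSTRUCTED_NEEDED_URLS);
}
```

For the constructed manifest the audit flags both declared patterns as wildcard-host grants, reports `http://*/*` as covering none of the needed URLs, and proposes `https://translate.example/*` as the least-privilege replacement; the content-script `matches` (where to inject) would stay broad, which is exactly the inject-vs-request split the next slides argue for.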
  • 18. Security Enhanced Chrome Extensions
    • Micro-privilege management
    • Differentiate DOM elements with sensitivity
  • 19. Micro-privilege Management
    • More fine-grained permission definition and enforcement
    • Fine-grained permission differentiation for extension core and content script
      – Permission specs are separated for different components
    • Least default privileges
      – Content script cannot introduce new origin to DOM
      – no HTTP req to tab origin
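Slide 16 lists the DOM operations through which a content script reaches other origins (inserting an iframe, loading an image, changing a `src`), and slide 19's first default rule closes them: a content script may not introduce a new origin into the DOM. The block below is an added example, not the paper's implementation, that states that rule as a check over DOM changes: a change is rejected when a fetch-triggering attribute resolves to an http(s) origin that is neither the tab's origin nor one the extension's spec authorizes. The page URL, the authorized origin, the `collector.example` host and the mutation list are constructed; the attribute names are the standard HTML ones.

```javascript
// Added example, not the paper's implementation: the "least default privilege"
// rule of slide 19 (a content script must not introduce a new origin into the
// DOM, the vector of slide 16) written as a check over DOM changes.

// Element attributes whose value makes the browser fetch a URL.
const LOADING_ATTRS = {
  img: ['src'], iframe: ['src'], script: ['src'], link: ['href'], audio: ['src'],
  video: ['src', 'poster'], source: ['src'], embed: ['src'], object: ['data'],
  form: ['action'],
};

// Network origin a URL value resolves to, or null when no fetch to an
// http(s) origin results (data:, blob:, about:, unparsable values).
function originOf(value, baseUrl) {
  let u;
  try { u = new URL(value, baseUrl); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

// Policy: the tab page origin plus the origins the extension's spec authorizes.
function makePolicy(pageUrl, authorizedOrigins) {
  const pageOrigin = new URL(pageUrl).origin;
  return { pageUrl, pageOrigin, allowed: new Set([pageOrigin, ...authorizedOrigins]) };
}

// One DOM change described as { tag, attribute, value }.
function checkMutation(policy, mutation) {
  const attrs = LOADING_ATTRS[mutation.tag.toLowerCase()] || [];
  if (!attrs.includes(mutation.attribute)) {
    return { allowed: true, reason: 'attribute does not trigger a fetch' };
  }
  const origin = originOf(mutation.value, policy.pageUrl);
  if (origin === null) return { allowed: true, reason: 'no http(s) origin' };
  if (policy.allowed.has(origin)) return { allowed: true, reason: 'origin authorized', origin };
  return { allowed: false, reason: 'introduces new origin', origin };
}

// Return only the changes the policy would reject.
function findViolations(policy, mutations) {
  return mutations
    .map((m) => Object.assign({}, m, checkMutation(policy, m)))
    .filter((r) => !r.allowed);
}

// Constructed scenario: a webmail tab, extension authorized for one service.
const CONSTRUCTED_POLICY = makePolicy('https://webmail.example/inbox', ['https://translate.example']);
const CONSTRUCTED_MUTATIONS = [
  { tag: 'img', attribute: 'src', value: '/static/logo.png' },                   // same origin
  { tag: 'iframe', attribute: 'src', value: 'https://translate.example/widget' }, // authorized
  { tag: 'img', attribute: 'src', value: 'https://collector.example/p.gif?u=1' }, // new origin
  { tag: 'div', attribute: 'title', value: 'https://collector.example/' },        // no fetch
  { tag: 'img', attribute: 'src', value: 'data:image/gif;base64,R0lGODlh' },      // no origin
];

function violationsInConstructedScenario() {
  return findViolations(CONSTRUCTED_POLICY, CONSTRUCTED_MUTATIONS);
}

// In a page the same check can hang off a MutationObserver. This only detects
// after the fact (the fetch has already been issued); the paper's point is that
// the browser must enforce the rule before the node is attached. Installed only
// where the DOM APIs exist, so the block still runs under Node.
function installNewOriginMonitor(policy, onViolation) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const inspect = (el) => {
    for (const attr of LOADING_ATTRS[el.tagName.toLowerCase()] || []) {
      if (!el.hasAttribute(attr)) continue;
      const verdict = checkMutation(policy, { tag: el.tagName, attribute: attr, value: el.getAttribute(attr) });
      if (!verdict.allowed) onViolation(el, verdict);
    }
  };
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === 'attributes') inspect(r.target);
      else r.addedNodes.forEach((n) => {
        if (n.nodeType === 1) { inspect(n); n.querySelectorAll('*').forEach(inspect); }
      });
    }
  });
  observer.observe(document, { subtree: true, childList: true, attributes: true });
  return observer;
}
```

Of the five constructed changes only the image pointing at `collector.example` is rejected; the relative path, the authorized iframe, a non-loading attribute and a `data:` URL all pass. Note that the origin comparison includes the scheme, so a form whose `action` is `http://webmail.example/...` on an `https://webmail.example` page counts as a new origin, which is the behaviour one wants for credentials.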
  • 20. Example Permission Spec
    • Permissions for a translation extension:
  • 21. Differentiating DOM Elements
    • To further reduce possible sensitive data leakage by content script, DOM elements can be differentiated with sensitivity levels
    • A web app developer can identify sensitive information in a web page, e.g.,
      – High level data: only can flow to web origin
      – Medium level: may flow to authorized origins
      – Low level (default): can flow to any origin
    • An extension developer can specify permissions accordingly:
      – E.g., HIGH for username/pw, MEDIUM for other user info
  • 22. Implementation
    • We have implemented the micro-privilege management and spec.
    • For DOM sensitivity, we develop a helper extension (trusted):
      – To identify and label sensitive DOM elements
      – Re-write DOM element properties
        • According to configurable dictionary
      – Chrome enforces permission check based on extension manifest
      – Explicitly marking sensitive info by web app developer is not practical right now
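Slides 21 and 22 together describe a small labelling-and-flow scheme: elements get a sensitivity level (from an explicit developer mark or, since that is not practical today, from a helper's configurable dictionary), and HIGH data may flow only to the page origin, MEDIUM only to authorized origins, LOW anywhere. The block below is an added example, not the paper's helper extension, that works this through on a constructed form. The dictionary rules, the form, the policy and the `sensitivity` property (standing in for an explicit developer mark) are all constructed, elements are plain objects rather than live DOM nodes, and `grantedLevel` is an assumption about how an extension's spec would express "HIGH for username/pw, MEDIUM for other user info".

```javascript
// Added example, not the paper's helper extension: label elements with
// sensitivity levels from a configurable dictionary (slide 22) and decide
// whether a content script may send what it reads to a destination origin
// under the flow rules of slide 21. All data and rules here are constructed.

const LEVELS = ['LOW', 'MEDIUM', 'HIGH'];
const rank = (level) => LEVELS.indexOf(level);

// Constructed dictionary: rules are tried in order, first match wins.
const CONSTRUCTED_DICTIONARY = [
  { level: 'HIGH', when: (el) => el.tag === 'input' && el.type === 'password' },
  { level: 'HIGH', when: (el) => /^(user(name)?|login|email)$/i.test(el.name || '') },
  { level: 'MEDIUM', when: (el) => /(phone|address|zip|birth)/i.test(el.name || el.id || '') },
];

// Label one element: an explicit developer mark wins, then the dictionary,
// then the LOW default of slide 21.
function labelElement(el, dictionary) {
  if (el.sensitivity && LEVELS.includes(el.sensitivity)) return el.sensitivity;
  const rule = (dictionary || CONSTRUCTED_DICTIONARY).find((r) => r.when(el));
  return rule ? rule.level : 'LOW';
}

// Rewrite element properties with the label (what the helper extension does
// to the live DOM) and return the labelled copies.
function labelElements(elements, dictionary) {
  return elements.map((el) => Object.assign({}, el, { sensitivity: labelElement(el, dictionary) }));
}

// Flow rules of slide 21 for data of a given level.
function flowAllowed(level, destOrigin, policy) {
  if (level === 'HIGH') return destOrigin === policy.pageOrigin;
  if (level === 'MEDIUM') {
    return destOrigin === policy.pageOrigin || policy.authorizedOrigins.includes(destOrigin);
  }
  return true;
}

// Decide for one element whether the content script may read it at all
// (grantedLevel: highest level the extension's spec requests; an assumption)
// and whether its content may flow to destOrigin.
function decide(el, destOrigin, policy) {
  const level = labelElement(el, policy.dictionary);
  const readable = rank(level) <= rank(policy.grantedLevel);
  const flows = flowAllowed(level, destOrigin, policy);
  return { name: el.name, level, readable, flowAllowed: flows, allowed: readable && flows };
}

// Names of the elements whose content may reach destOrigin.
function permittedElements(elements, destOrigin, policy) {
  return elements
    .map((el) => decide(el, destOrigin, policy))
    .filter((d) => d.allowed)
    .map((d) => d.name);
}

// Constructed login/contact form and extension policy.
const CONSTRUCTED_FORM = [
  { tag: 'input', type: 'text', name: 'username', id: 'u' },
  { tag: 'input', type: 'password', name: 'pw', id: 'p' },
  { tag: 'input', type: 'text', name: 'phone', id: 'ph' },
  { tag: 'textarea', name: 'message', id: 'msg' },
  { tag: 'input', type: 'hidden', name: 'token', id: 't', sensitivity: 'HIGH' }, // explicit mark
];
const CONSTRUCTED_EXT_POLICY = {
  pageOrigin: 'https://webmail.example',
  authorizedOrigins: ['https://translate.example'],
  grantedLevel: 'MEDIUM',
  dictionary: CONSTRUCTED_DICTIONARY,
};
```

With the constructed policy, a translation service authorized by the spec may receive the phone field and the free-text message but never the username, password or the explicitly marked token; an unauthorized origin gets only the LOW-level message. Raising `grantedLevel` to HIGH lets the extension read the credentials, but the flow rule still confines them to the page origin.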
  • 24. Evaluation
    • We selected 30 most popular extensions from Google extension gallery
      – 24 of them have granted network access
      – 19 of them request higher privileges than necessary (http://*/*)
    • Our implementation easily changes their spec to reduce privileges
  • 25. Evaluation
    • Our implementation blocks all experimental attacks on the bot extension.
  • 26. Conclusions
    • Demonstrated spamming, phishing, and DDoS attacks with implemented Chrome extensions
    • Analyzed the permissions model that causes these problems
    • Proposed security enhanced permission model and enforcement for Chrome extension architecture
      – Micro-privileged permission management and spec
      – Differentiate content script's permission with DOM sensitivity levels