Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
the most dangerous code in the browser

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, - PowerPoint PPT Presentation

Jan 06, 2023 •175 likes •592 views

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Modern web experience Modern web experience Modern web experience Web apps Extensions AdBlock NYTimes Chase Evernote Core browser Web

  1. The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

  2. Modern web experience

  3. Modern web experience

  4. Modern web experience Web apps Extensions AdBlock … NYTimes Chase Evernote Core browser

  5. Web app security • Trust model: malicious code ❌ NYTimes Chase Web APIs Core browser • Apps are isolated according to same-origin policy • Apps are constrained to Web APIs (e.g., DOM) ➤ They cannot access arbitrary files, devices, etc.

  6. Extension security? NYTimes AdBlock Privileged APIs Core browser • Extensions need direct access to app DOMs ➤ They modify app style, content, behavior, … • Extensions need privileged APIs ➤ To fetch/store cross-origin content, to read/modify history and bookmarks, to create new tabs, etc.

  7. Chrome extension security model • Trust model: extensions are benign-but-buggy NYTimes AdBlock • Privilege separate extension: core and content ➤ Protects vulnerable extension from malicious apps • Run extensions with least privilege ➤ Limits damage due to exploits

  8. 
 Least privilege via permission system • Extensions declare necessary permissions 
 { "name": “AdBlock Plus", "version": "2.1.10", ... "permissions": [ "http://*/*", "https://*/*", "contextMenus" ], ... • Users must grant permissions at install time

  9. What does mean? • Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com • AdBlock must be a special case, right? ➤ 71.6% of top 500 extensions need this privilege!

  10. What does mean? • Can read and modify data on any site, regardless of what site you are visiting NYTimes AdBlock chase.com • AdBlock must be a special case, right? ➤ 71.6% of top 500 extensions need this privilege!

  11. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 0.8 100000 0.6 10000 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  12. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  13. It gets worse with popularity 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 # of users 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  14. It gets worse with popularity Removed from Chrome Web Store 1.2 10000000 Fraction that can read and change … Number of users (few days later) 1 1000000 # of users 0.8 100000 0.6 10000 % of n that can read and change all your data… 0.4 1000 0.2 100 0 10 1 51 101 151 201 251 301 351 401 451 Top n extensions

  15. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  16. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  17. Problem with Chrome’s model • Permission requests are meaningless ➤ Descriptions are broad and context-independent • Model encourages principle of most privilege ➤ Extensions don’t auto-update if they need more privs • Threat model is not realistic ➤ Chrome Web Store listed many malicious extensions ➤ Roughly 5% of Google users run malicious extensions

  18. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  19. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  20. New extension-system goals • Meaningful permission system ➤ Safe behavior should not require permission ➤ Permissions requests should be content-specific • Model should encourage least privilege ➤ Permissions should be fine-grained ➤ Incentivize safe extensions • Threat model: extensions may be malicious ➤ Need to also protect user app data from extensions

  21. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  22. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  23. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  24. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  25. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker gmail.com ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  26. 
 
 
 How can we do this? Insight: it is safe for extension to read user data if it can’t arbitrarily disseminate it ✗ ➤ E.g., Google Mail Checker 
 Checker ❌ gmail.com evil.gov ➤ Taint extensions according to what it reads ➤ Confine code to protect user’s privacy

  27. Safely read and modify pages?

  28. Safely read and modify pages? ✗

  29. 
 
 Safely read and modify pages? • Idea: tie extension script with app page ➤ Impose at least same-origin policy on extension 
 NYTimes AdBlock ❌ chase.com • Challenge: read data from page and leak it by injecting content into page’s DOM • Solution: taint extension, write to isolated DOM ➤ Loads due to extension restricted: confined!

  30. 
 
 Safely read and modify pages? • Idea: tie extension script with app page ➤ Impose at least same-origin policy on extension 
 NYTimes AdBlock ❌ chase.com • Challenge: read data from page and leak it by injecting content into page’s DOM • Solution: taint extension, write to isolated DOM ➤ Loads due to extension restricted: confined!

  31. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  32. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  33. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  34. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes

  35. Confinement: safe, too restricting • Challenge: extensions need to “leak” data ➤ E.g., Evernote is used to save URL, page, etc. ➤ Reading DOM taints extension: NYTimes Evernote ❌ evernote.com • Solution: declassification via sharing menu API NYTimes Evernote

Recommend

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

418 views • 37 slides
The Carriage of Dangerous Goods g g by Road Regulations What is ADR? ADR is the acronym

The Carriage of Dangerous Goods g g by Road Regulations What is ADR? ADR is the acronym

The Carriage of Dangerous Goods g g by Road Regulations What is ADR? ADR is the acronym given to The European Agreement Concerning the International Carriage of Dangerous Concerning the International Carriage of Dangerous Goods by Road ,

734 views • 27 slides
Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road

Real-time risk definition in the transport of dangerous goods by road dangerous goods by road Chi Chiara Bersani, Claudio Roncoli B i Cl di R li University of Genova, Department of Communication, Computer and System Science DIST 16145

687 views • 39 slides
Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in

1 EASA European Association of dangerous goods Safety Advisers Dangerous goods make the world go round! truck with UN 1831 SULPHURIC ACID, FUMING 8+6.1 I, in Bolivia: The Dangerous Goods Safety Adviser (DGSA): Key Figure for Safety &

661 views • 34 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

520 views • 7 slides
Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does Standard Tor is easy to block GetTor helps you get Tor Browser GetTor helps you get Tor Browser Tor Browser ships with default

569 views • 24 slides
CGI-Browser-CGI qux.com foo.org geht.net bar.com . p.1/ ?? CGI-Browser-CGI qux.com

CGI-Browser-CGI qux.com foo.org geht.net bar.com . p.1/ ?? CGI-Browser-CGI qux.com

CGI-Browser-CGI qux.com foo.org geht.net bar.com . p.1/ ?? CGI-Browser-CGI qux.com foo.org /cgibin/img.pl /cgibin/img.pl geht.net bar.com /cgibin/img.pl /cgibin/img.pl . p.1/ ?? CGI-Browser-CGI qux.com foo.org

461 views • 28 slides
Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate Code optimizer Code generator Code generator Input: intermediate code + symbol tables In our case, three-address code All variables

719 views • 38 slides
{Sequential Code} {Sequential Code} {Sequential Code} {Sequential Code} {Sequential Code}

{Sequential Code} {Sequential Code} {Sequential Code} {Sequential Code} {Sequential Code}

{Sequential Code} {Sequential Code} {Sequential Code} {Sequential Code} {Sequential Code} {MapReduce Code} for (int i=0; i < $in.size(); ++i) { if ($in.get(i) > $c) $out.add($in.get(i)); } for (int i=0; i <

375 views • 33 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many <script> tags with hidden ordering dependencies Very

368 views • 15 slides
There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous to most dangerous: Teddy Bear Black Bear (U. americanus) Brown or Grizzly Bear (U. Arctos) Chicago Bear (D. Butkus) Two types exist in New Mexico

420 views • 25 slides
Discovery Insure & Gautrain PARTNERSHIPS THAT WORK 1 South African roads are dangerous Our

Discovery Insure & Gautrain PARTNERSHIPS THAT WORK 1 South African roads are dangerous Our

Discovery Insure & Gautrain PARTNERSHIPS THAT WORK 1 South African roads are dangerous Our roads are amongst the most dangerous The costs are too high Road deaths per 100 000 population (2014) South Africa A road accident fatality occurs

442 views • 17 slides
FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

634 views • 33 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

453 views • 34 slides
Selection Sort Section 10.2 Code for Selection Sort (cont.) Code for an Array Sort Code for an

Selection Sort Section 10.2 Code for Selection Sort (cont.) Code for an Array Sort Code for an

Selection Sort Section 10.2 Code for Selection Sort (cont.) Code for an Array Sort Code for an Array Sort Code for Selection Sort (cont.) Code for Selection Sort (cont.) Code for Selection Sort (cont.) Bubble Sort Section 10.3 Code for

929 views • 37 slides
in practice source code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code

in practice source code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code

Java byte code in practice source code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code class loader interpreter JIT compiler JVM source code javac

1.6k views • 149 slides
Light-Duty Slides Specifications at a Glance Products in this Model Max. Load Travel Cross

Light-Duty Slides Specifications at a Glance Products in this Model Max. Load Travel Cross

Light-Duty Slides Specifications at a Glance Products in this Model Max. Load Travel Cross Detent Disconnect Page Capacity Section Width category carry loads 2601 75 lbs. Full .50" Hold-in None 13 from 75 to 108 [34 kg]

369 views • 4 slides
Cinematic Drone O S C A R F R A S S E R Cinematic Shots COMPOSITION COVERAGE CONTINUITY

Cinematic Drone O S C A R F R A S S E R Cinematic Shots COMPOSITION COVERAGE CONTINUITY

Cinematic Drone O S C A R F R A S S E R Cinematic Shots COMPOSITION COVERAGE CONTINUITY LIGHT OPTICS STABILIZATION SLOW MOTION EXPOSURE COLOR GRADING Feeling Emotion Wonder Wheel Feeling Emotion GRAMMAR OF THE SHOT A shot is the

1.02k views • 60 slides
Balancing a career in science with raising a family Prof. Ramit Mehr, Bar-Ilan University, Israel

Balancing a career in science with raising a family Prof. Ramit Mehr, Bar-Ilan University, Israel

Balancing a career in science with raising a family Prof. Ramit Mehr, Bar-Ilan University, Israel My personal story Career issues for women scientists and anyone trying to balance career and family life (... and suggestions for solutions)

134 views • 11 slides
Supersaturation for Intersecting Families Shagnik Das University of California, Los Angeles / ETH

Supersaturation for Intersecting Families Shagnik Das University of California, Los Angeles / ETH

Supersaturation for Intersecting Families Shagnik Das University of California, Los Angeles / ETH Z urich April 1, 2014 Joint work with Wenying Gan and Benny Sudakov Supersaturation for Intersecting Families Shagnik Das University of

1.1k views • 92 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No longer expiremental since 1.1.0 Can run anywhere where JS runs Websites NodeJS Browser Extensions Can call JS the

255 views • 24 slides
5.1 CABINETMAKERS SUPPLY www.cabinetmakerssupply.net fax) 703-421-6333 (ph) 703-421-6331 3554 -

5.1 CABINETMAKERS SUPPLY www.cabinetmakerssupply.net fax) 703-421-6333 (ph) 703-421-6331 3554 -

CABINETMAKERS SUPPLY www.cabinetmakerssupply.net fax) 703-421-6333 (ph) 703-421-6331 DRAWER SLIDES 10032 Precision Slides Use for box drawer or pedestal file drawers up to 20 wide. Manufactured by an ISO 9001 registered plant of heat hardened

314 views • 13 slides
C-SPARQL: A Continuous Extension of SPARQL Marco Balduini marco.balduini@polimi.it Share,

C-SPARQL: A Continuous Extension of SPARQL Marco Balduini marco.balduini@polimi.it Share,

Stream Reasoning for Linked Data M. Balduini, J-P Calbimonte, O. Corcho, D. Dell'Aglio, E. Della Valle http://streamreasoning.org/events/sr4ld2014 C-SPARQL: A Continuous Extension of SPARQL Marco Balduini marco.balduini@polimi.it Share,

710 views • 37 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.