Browser Extensions
Computer Security CSC 405
Source: kapravelos.com/teaching/csc405-s18/lectures/10-hulk.pdf
Compromising the browser
• Drive-by downloads
• Browser Extensions
Compromising the browser
• Extensions
• Malware
Browser extensions
• HTML + JavaScript
• Modify and enhance the functionality of the browser
• Have access to a privileged API
Adblock Plus
• Over 50 million users!
Goal
What can a malicious extension do?
• Inject advertisements
• Keylogger (only in the visited page)
• Affiliate fraud
• Steal credentials
Anything malicious that JavaScript can do with access to the visited page, the web requests, and the browser’s cookies.
Approach
• Install extension in Chrome inside a VM
• Visit a few pages
• Monitor what the extension is doing
• Classify the extension
Challenges
• How to trigger malicious code?
  – What content should the pages contain?
  – Which pages should we visit?
• How to detect maliciousness?
Triggering malicious behavior
• Find the right content
  – HoneyPage
HoneyPage
The extension queries the page:
    document.getElementById("fb_newsfeed")
The HoneyPage then contains the element that was asked for:
    <html>
      <div id="fb_newsfeed"></div>
    </html>
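The HoneyPage idea on this slide, as an added example that is not from the lecture or from Hulk itself: a stand-in document object (so it runs under Node without a browser) creates any element an extension asks for and logs the query. makeHoneyDocument, sampleContentScript and the element shape are hypothetical names, and the content script is a constructed sample.

```javascript
// Minimal stand-in for a DOM; all names here are hypothetical.
function makeHoneyDocument() {
  const elements = new Map(); // id -> fabricated element
  const queries = [];         // what the extension looked for

  function fabricate(tag, id) {
    return {
      tagName: tag.toUpperCase(), id, innerHTML: "", children: [],
      appendChild(child) { this.children.push(child); return child; },
    };
  }

  return {
    queries,
    elements,
    // An ordinary page returns null for an unknown id, and the extension's
    // code path ends there. The HoneyPage creates the element on demand
    // and records the query, so the analysis sees what happens next.
    getElementById(id) {
      queries.push({ api: "getElementById", arg: id });
      if (!elements.has(id)) elements.set(id, fabricate("div", id));
      return elements.get(id);
    },
    createElement(tag) { return fabricate(tag, ""); },
  };
}

// Constructed sample: an extension that only acts when a site-specific
// element is present, as in the slide's fb_newsfeed query.
function sampleContentScript(document) {
  const feed = document.getElementById("fb_newsfeed");
  if (!feed) return false; // on an ordinary page nothing would happen
  const node = document.createElement("div");
  node.innerHTML = "content added by the extension";
  feed.appendChild(node);
  return true;
}

// Run the sample against the HoneyPage and report what was observed.
function analyze() {
  const doc = makeHoneyDocument();
  const triggered = sampleContentScript(doc);
  const feed = doc.elements.get("fb_newsfeed");
  return { triggered, queries: doc.queries, addedNodes: feed.children.length };
}
```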
Triggering malicious behavior
• Find the right content
  – HoneyPage
• Visit the right page
  – URL extraction
  – Event handler fuzzing
Event handler fuzzing
• Extensions can intercept network events
• Triggering the event handlers is possible!
• Pretend to visit Alexa top 1 million domains
• Point to a HoneyPage
• Takes <10 sec on average
Detecting malicious behavior
• In JavaScript
  – Extension API
  – Interaction with visited pages
• In the network
• In injected code
Malicious behavior heuristics
• Prevents extension uninstall
• Steals email/password from form
• Contains keylogging functionality
• Manipulates security-related HTTP headers
• Uninstalls extensions
Suspicious behavior heuristics
• Injects dynamic JavaScript
• Evals with input >128 chars long
• Produces HTTP 4xx errors
• Performs requests to non-existent domains
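The two heuristic lists above applied to recorded extension behaviour, as an added example that is not Hulk's code. The event format, the rule predicates, the header set and the sample logs are assumptions made for illustration, as is the policy that any malicious match outranks suspicious ones.

```javascript
// Hypothetical event format: { type, ...fields } recorded while the extension runs.
const SECURITY_HEADERS = new Set(["content-security-policy", "x-frame-options"]);

const MALICIOUS_RULES = [
  ["prevents extension uninstall",
    e => e.type === "tab-closed" && e.url.startsWith("chrome://extensions")],
  ["steals email/password from form",
    e => e.type === "form-read" && e.sentOffPage],
  ["contains keylogging functionality",
    e => e.type === "listener" && /^key(down|up|press)$/.test(e.event)],
  ["manipulates security-related HTTP headers",
    e => e.type === "header-removed" && SECURITY_HEADERS.has(e.name.toLowerCase())],
  ["uninstalls extensions",
    e => e.type === "api" && e.name === "management.uninstall"],
];

const SUSPICIOUS_RULES = [
  ["injects dynamic JavaScript", e => e.type === "script-inject" && e.dynamic],
  ["evals with input >128 chars", e => e.type === "eval" && e.inputLength > 128],
  ["produces HTTP 4xx errors", e => e.type === "http" && e.status >= 400 && e.status < 500],
  ["requests non-existent domains", e => e.type === "dns" && !e.resolved],
];

// Names of the rules that at least one event satisfies.
function matches(rules, events) {
  return rules.filter(([, test]) => events.some(test)).map(([name]) => name);
}

function classify(events) {
  const malicious = matches(MALICIOUS_RULES, events);
  const suspicious = matches(SUSPICIOUS_RULES, events);
  const verdict = malicious.length ? "malicious"
    : suspicious.length ? "suspicious" : "benign";
  return { verdict, malicious, suspicious };
}

// Constructed behaviour logs for three imaginary extensions.
const LOGS = {
  quiet: [{ type: "http", status: 200 }, { type: "eval", inputLength: 40 }],
  loader: [{ type: "eval", inputLength: 4096 },
    { type: "dns", host: "cdn.example.invalid", resolved: false }],
  toolbar: [{ type: "script-inject", dynamic: true },
    { type: "header-removed", name: "Content-Security-Policy" },
    { type: "api", name: "management.uninstall" }],
};
```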
Results
• 47,940 extensions from Chrome Web Store
• 392 extensions from Anubis

Analysis result    Count
Benign             43,490
Suspicious         4,712
Malicious          130
Uninstall all other extensions
Form credentials stealing
Prevent uninstallation
Prevent uninstallation
Manipulate HTTP headers
Recommendations
• Manipulating configuration pages, e.g., chrome://extensions
• Uninstalling extensions
• Removing security-related HTTP headers
• Hooking keyboard events
• Local inclusion of static files instead of dynamic JavaScript inclusions
HoneyPages are now part of Google’s extension analysis system
Limitations
• Dynamic analysis system
• Targeted attacks (location, time)
• Multistep queries of DOM elements in HoneyPages
• Evasions against HoneyPages
What’s out there?
Experiments
Dataset                    Source                                     Sample Size
Client DOM reports         Client-side scan via Google properties     102,562,842
Unique extensions          Dynamic evaluation via WebEval, Hulk       > 1,000,000
Ad injection extensions    Dynamic evaluation via WebEval, Hulk       50,870
Prevalence of ad injection
5.5% of daily visitors
Conclusion
• Analysis system for browser extensions
• Observed the impact of client-side modifications from a big website
• Understanding what is really happening on the users' side is hard!
Your Security Zen
CSS Keylogger
Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.
source: https://github.com/maxchehab/CSS-Keylogging