JavaScript is a flexible, dynamic scripting language that has become the
"lingua franca" of the web. Modern web browsers support JavaScript
together with the richness of the Document Object Model (DOM) to enhance
the user experience. But the complex nature of the browser, the evolving
nature of the web itself, the reflective features of JavaScript and the
abundance of dynamic content offer ways to subvert the built-in
security mechanisms.

The increasing popularity of JavaScript and the advent of Web 2.0 result in
a setting where data and code from mutually distrusting sites can
interact programmatically in a single page in the browser. Even though
browsers enforce the "same-origin" policy for JavaScript code execution,
the presence of improperly constrained untrusted code (in the form of
third-party libraries, ads or widgets) can lead to loss of
confidentiality, integrity, or both for the unsuspecting client.
Further, the use of JavaScript's reflective constructs and unsanitized
inputs to web pages can lead to cross-site scripting attacks. Modern web
browsers also support an architecture that lets third-party extensions
(potentially untrusted) enhance the core functionality of the browser,
change its look and feel, and help render rich web content. Extensions are
widely available for commodity browsers as plug-ins, browser helper
objects (BHOs) and JavaScript-based browser extensions (JSEs).

In this talk, we focus on the potential security
threats arising from the use of JSEs. To enable a rich set of
functionality, browsers typically execute JSEs with elevated
privileges. Unlike JavaScript code in a web application, code in a JSE
is not constrained by the "same-origin" policy. Malicious JSEs can
misuse these privileges to compromise confidentiality and integrity,
e.g., by stealing sensitive information, such as cookies and saved
passwords, or by executing arbitrary code on the host system. Even if a JSE
is not overtly malicious, vulnerabilities in the JSE and the browser may
allow a remote attacker to compromise browser security.

We present Sabre, a system that uses in-browser information-flow
tracking to analyze JSEs and further discuss the techniques used to
implement information flow tracking and some heuristics used to achieve
precision. We implemented Sabre by modifying the Firefox browser and
evaluated it using both malicious JSEs as well as benign ones that
contained exploitable vulnerabilities. Our experiments show that Sabre
can precisely identify potential information flow violations by JSEs.
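The two preceding paragraphs describe the problem (a privileged JSE can read cookies and saved passwords and is not bound by the same-origin policy) and the approach (in-browser information-flow tracking that flags flows from sensitive sources to inappropriate sinks). The following toy monitor is an added illustration of that idea in plain JavaScript; it is not Sabre's code and does not model Firefox internals. Every name in it (`Labelled`, `combine`, `SOURCES`, `SINKS`, `flowTo`, `runExtension`) and every data value is an assumption constructed for the example. Values read from privileged sources carry a label set, labels are propagated through string operations, and each sink declares which labels it may receive; a flow carrying any other label is recorded as a violation.

```javascript
// Toy dynamic information-flow (taint) monitor in the spirit of in-browser
// tracking for JavaScript extensions. Added illustration, not Sabre's code;
// all names and sample data below are constructed for this example.

// A value together with the set of sensitive sources it derives from.
class Labelled {
  constructor(value, labels = []) {
    this.value = value;
    this.labels = new Set(labels);
  }
}

// Propagation rule: combining values yields the union of their label sets.
// Applies equally to binary operations (concatenation) and unary ones
// (URL-encoding, slicing): an encoded cookie is still cookie-derived data.
function combine(fn, ...args) {
  const labels = new Set();
  for (const a of args) for (const l of a.labels) labels.add(l);
  return new Labelled(fn(...args.map(a => a.value)), labels);
}

// Privileged sources an extension can read. Payloads are constructed sample data.
const SOURCES = {
  cookie: () => new Labelled("session=abc123", ["cookie"]),
  savedPassword: () => new Labelled("hunter2", ["password"]),
  pageTitle: () => new Labelled("Example Page"),      // public: no label
};

// Sinks declare which labels they may legitimately receive.
const SINKS = {
  networkSend: { allowed: new Set() },                // remote request: nothing sensitive
  localStore: { allowed: new Set(["cookie"]) },       // extension-private storage: cookies only
};

// Check a flow into a sink; log a violation if any carried label is not allowed.
function flowTo(sinkName, labelled, log) {
  const leaked = [...labelled.labels]
    .filter(l => !SINKS[sinkName].allowed.has(l))
    .sort();
  if (leaked.length > 0) {
    log.push({ sink: sinkName, labels: leaked });
    return false;
  }
  return true;
}

// A script standing in for an extension under analysis (constructed behaviour).
// It mixes public and sensitive data and pushes results to several sinks;
// the returned log lists the flows the monitor rejected.
function runExtension() {
  const log = [];
  const title = SOURCES.pageTitle();
  const cookie = SOURCES.cookie();
  const pw = SOURCES.savedPassword();

  // Benign: public page data sent to the network.
  flowTo("networkSend", title, log);

  // Benign: cookie kept in the extension's own storage, which permits that label.
  flowTo("localStore", cookie, log);

  // Violation: cookie concatenated with the title, URL-encoded, then sent out.
  // The label survives both operations, so the monitor catches the flow.
  const joined = combine((a, b) => `${a}|${b}`, title, cookie);
  const report = combine(encodeURIComponent, joined);
  flowTo("networkSend", report, log);

  // Violation: a saved password written to storage that may only hold cookies.
  flowTo("localStore", pw, log);

  return log;
}

// Stand-alone run: prints the two violations as JSON.
console.log(JSON.stringify(runExtension(), null, 2));
```

The design point worth noting is that the check sits at the sink, not the source: the extension is free to read cookies (it needs them for legitimate features), and only the combination of a sensitive label with a sink that was never declared to accept it is reported. Real implementations must also handle implicit flows through control dependencies and reflective calls such as `eval`, which this toy monitor does not attempt.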