Aurore Fass
July 29, 2022 at 11:00 AM on Zoom / Soda Hall
DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale
Abstract: Browser extensions are popular to enhance user browsing experience. By design, they have access to security- and privacy-critical APIs to perform tasks that web pages cannot traditionally do. Even though web pages and extensions are isolated, they can communicate through messages. In practice, a web page under the control of an attacker can send malicious payloads to a vulnerable extension, tailored to exploit its elevated privileges, leading to, e.g., arbitrary code execution or sensitive user data exfiltration. In this talk, I will present our system DoubleX (ACM CCS 2021) to detect security and privacy threats in vulnerable extensions. DoubleX defines an Extension Dependence Graph (EDG), which abstracts extension code with control & data flows and pointer analysis, and models message interaction within and outside of an extension. This graph representation enables us to track and detect suspicious data flows between an attacker and sensitive APIs in extensions. On the 155k Chrome extensions analyzed, DoubleX has both high precision (89%) and recall (93%). Overall, we could exploit 184 extensions under our threat model (2021), 87% of which we found to be already vulnerable in 2020. We hope that our work will increase the awareness of well-intentioned developers toward unsafe programming practices leading to security and privacy issues. Paper: https://swag.cispa.saarland/papers/fass2021doublex.pdf
Bio: Aurore Fass is a Visiting Assistant Professor of Computer Science at Stanford University (U.S.) and a Research Group Leader at CISPA (Germany). Aurore got her PhD from CISPA & Saarland University in 2021, jointly supervised by Michael Backes and Ben Stock. Her PhD thesis revolves around studying JavaScript security through static analysis. Aurore's research focuses on Web Security & Privacy, Web Measurements, and Machine Learning. Specifically, she is interested in detecting malware & vulnerabilities on the Web and collecting data to better understand and improve user security and privacy.