Post on 27-Sep-2019
Intercepting Suspicious Chrome Extension Actions
Michael Cypher
Department of Computing, Imperial College London
June 26 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 1 31
Chrome Browser: User Usage
Most popular desktop browser (62%) and browser in general (52%), and is used to execute sensitive web applications
Chrome Browser: Multi-process Architecture
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code on web-pages, right?
Not if they're extensions.
Extensions:
- can execute content scripts on pages (if granted permission by users)
- have access to powerful Chrome extension APIs
- are assumed to be benign-but-buggy and not malicious
Extension System Architecture: Security Model
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Malicious Extensions: Threats
Several threats are widespread on Chrome Web Store:
1. Facebook hijacking, present in 4809 extensions (2012 - 2015)
2. Ad Injection, present in 3496 extensions
3. User Tracking
Google automatically analyzes extensions for malice in sandboxes before publishing them, but provides no guarantees
Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break minimal benign web applications and extensions
3. Not incur a significant performance overhead
Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions
Intercepting Suspicious Chrome Extension Actions: Project Challenges
Project challenges:
- What extension actions do we consider suspicious?
- Differentiating between extension actions and other script actions
- Improving user experience and suspicious action classification
Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users:
- EventTarget.click()
- Node.appendChild() (45% of malware)
- XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM
Suspicious Actions: Configuring Suspicious Actions
Detecting Extension Actions: Alternatives
Neither approach provides security guarantees:
- Measuring the ordering and frequency of events
- Transforming content script JavaScript to taint methods
Detecting Extension Actions: Using the Isolated World
Script Injection: Executing Scripts in the Main World
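Added example (not from the original slides and not the project's browser changes): a JavaScript model of the gate described on the Suspicious Actions slide, combined with the isolated-world and main-world attribution named in the two slide titles above. ActionGate, FakeNode, the context helpers and the rule that an injected script stays attributed to the extension that created its element are all assumptions of this model.

```javascript
// Constructed model for illustration; not Chrome/Blink code. All names are hypothetical.

// Action kinds that require a prompt (the three Web APIs named on the slide).
const DEFAULT_SUSPICIOUS = new Set([
  'EventTarget.click',
  'Node.appendChild',
  'XMLHttpRequest.send',
]);

// Minimal stand-in for a DOM node: a parent pointer plus the id of the
// extension whose script created it (null for nodes the page created).
class FakeNode {
  constructor(tag, creator = null) {
    this.tag = tag;
    this.parent = null;
    this.creator = creator;
    this.isDocument = false;
  }
  // True when the node is reachable from the document root.
  get isConnected() {
    for (let n = this; n !== null; n = n.parent) {
      if (n.isDocument) return true;
    }
    return false;
  }
}

function makeDocument() {
  const doc = new FakeNode('#document');
  doc.isDocument = true;
  return doc;
}

// Page scripts run in the main world with no extension id; content scripts
// run in an isolated world owned by one extension.
const pageContext = () => ({ world: 'main', extensionId: null });
const contentScriptContext = (extensionId) => ({ world: 'isolated', extensionId });
// Assumption of this model: a <script> element created by an extension runs in
// the main world but stays attributed to the extension that created it.
const injectedScriptContext = (scriptNode) => ({ world: 'main', extensionId: scriptNode.creator });

class ActionGate {
  // askUser(request) returns true to allow; anything else blocks the action.
  constructor(askUser, suspicious = DEFAULT_SUSPICIOUS) {
    this.askUser = askUser;
    this.suspicious = suspicious;
    this.log = []; // one entry per prompt shown
  }

  permits(ctx, action, target = null, detail = null) {
    if (ctx.extensionId === null) return true;               // the page's own script
    if (!this.suspicious.has(action)) return true;           // not configured as suspicious
    if (target !== null && !target.isConnected) return true; // detached: filtered out
    const request = {
      extension: ctx.extensionId, world: ctx.world, action,
      tag: target ? target.tag : null, detail,
    };
    const allowed = this.askUser(request) === true;
    this.log.push({ ...request, allowed });
    return allowed;
  }

  createElement(ctx, tag) {
    return new FakeNode(tag, ctx.extensionId);
  }

  // The check is keyed on the parent: inserting under an attached parent is
  // the step that makes the new subtree part of the page.
  appendChild(ctx, parent, child) {
    if (!this.permits(ctx, 'Node.appendChild', parent)) return false;
    child.parent = parent;
    return true;
  }

  click(ctx, element) {
    return this.permits(ctx, 'EventTarget.click', element);
  }

  send(ctx, url) {
    return this.permits(ctx, 'XMLHttpRequest.send', null, url);
  }
}

// Constructed scenario: the simulated user allows insertions and blocks the rest.
function runScenario() {
  const gate = new ActionGate((req) => req.action === 'Node.appendChild');
  const doc = makeDocument();
  const page = pageContext();
  const ext = contentScriptContext('ext-constructed-id');

  const body = gate.createElement(page, 'body');
  gate.appendChild(page, doc, body);
  const button = gate.createElement(page, 'button');
  gate.appendChild(page, body, button);

  const wrapper = gate.createElement(ext, 'div');
  const script = gate.createElement(ext, 'script');
  const builtOffDom = gate.appendChild(ext, wrapper, script); // detached parent, no prompt
  const attached = gate.appendChild(ext, body, wrapper);      // prompt, user allows
  const injectedClick = gate.click(injectedScriptContext(script), button); // prompt, blocked
  const sent = gate.send(ext, 'https://third-party.example/collect');      // prompt, blocked
  const pageClick = gate.click(page, button);                 // page script, no prompt

  return { builtOffDom, attached, injectedClick, sent, pageClick,
           scriptConnected: script.isConnected, log: gate.log };
}

console.log(runScenario().log);
```

Building a subtree off-DOM raises no prompt, so the single prompt that matters is the insertion under an attached parent; that is the point at which a user decision covers the whole subtree.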
Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Remembering User Decisions: Improving User Experience
Security Guarantees: Results
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to third-party
User Experience Survey: Results
Action Group   Size   Prevented (%)
Total          839    64.1
Change Attr    120    72.5
Event          80     70.0
DOM            280    63.6
Request        80     62.5
Response       80     62.5
Create         100    61.0
Read Attr      99     56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: one plot each for Grammarly, LastPass, Google Dictionary and StayFocusd. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative). Series: all possible suspicious actions, default suspicious actions.]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups? Percentage (%) of responses, from the bar chart:
Action        Understand   Kind of Understand   Don't Understand
Change Attr   48           29                   23
Event         50           25                   25
DOM           60           25                   16
Request       49           34                   17
Response      50           26                   24
Create        48           32                   20
Read Attr     52           27                   21
Performance Impact: Results
Modified browser sometimes has significant performance overhead
- DOM: 50% - 380% increase when creating elements, setting attributes
- Events: 70% increase when dispatching click events
Demonstration and Questions
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5
Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Chrome BrowserUser Usage
Most popular desktop browser (62) and browser in general (52) and isused to execute sensitive web applications
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 2 31
Chrome BrowserMulti-process Architecture
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 3 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right
Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Extension System ArchitectureSecurity Model
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 5 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
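User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Bar chart: percentage (%) of responses per action group (Change Attr, Event, DOM, Request, Response, Create, Read Attr). Legend: Understand, Kind of Understand, Don't Understand. Bar value labels as extracted, three series of seven values in the action-group order above: 48, 50, 60, 49, 50, 48, 52; 29, 25, 25, 34, 26, 32, 27; 23, 25, 16, 17, 24, 20, 21.]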
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50-380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   Δ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                       Original Browser Avg (ms)   Modified Browser Avg (ms)   Δ Avg (%)
ShadowTrees                601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees    235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching          25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch        56.2 ± 0.7                  95.3 ± 0.9                  +69.5
Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   Δ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
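The decision flow the slides describe (attribute an action to an extension through its isolated world, filter out operations on elements not attached to the DOM, ask the user to allow or prevent, remember the answer) is modelled below as an added JavaScript example; it is not code from the modified browser. The action-record fields, the `injectedBy` bookkeeping for scripts an extension placed in the main world, the keying of remembered decisions and the sample trace are all assumptions constructed for illustration.

```javascript
// Added example: a model of the decision flow, not the modified browser's code.

// APIs the slides list as suspicious when a content script calls them.
const DEFAULT_SUSPICIOUS = new Set([
  'EventTarget.click',
  'Node.appendChild',
  'XMLHttpRequest.send',
]);

// Which extension, if any, is responsible for an action record.
// Content scripts run in an isolated world. A script element that an
// extension appended to the page runs in the main world, so it is attributed
// through `injectedBy` (hypothetical field, assumed bookkeeping).
function attribute(action) {
  if (action.world === 'isolated') return action.extensionId;
  return action.injectedBy || null;
}

class ActionGate {
  // askUser(action) returns 'allow' or 'prevent'; anything else is treated
  // as 'prevent' so a broken prompt fails closed.
  constructor(askUser, suspicious = DEFAULT_SUSPICIOUS) {
    this.askUser = askUser;
    this.suspicious = suspicious;
    this.remembered = new Map();
    this.prompts = 0;
  }

  decide(action) {
    const extensionId = attribute(action);
    if (extensionId === null) {
      return { verdict: 'allow', reason: 'page-script' };
    }
    if (!this.suspicious.has(action.api)) {
      return { verdict: 'allow', reason: 'not-suspicious' };
    }
    // Operations on elements not attached to the DOM are filtered out.
    const target = action.target || null;
    if (target && target.attached === false) {
      return { verdict: 'allow', reason: 'detached-element' };
    }
    // Remembered decisions are keyed per extension, API, page origin and
    // sensitivity, so an "allow" given for an ordinary element never covers
    // an element the page marked as sensitive (assumed keying).
    const sensitive = Boolean(target && target.sensitive);
    const key = [extensionId, action.api, action.origin, sensitive].join('|');
    if (this.remembered.has(key)) {
      return { verdict: this.remembered.get(key), reason: 'remembered' };
    }
    this.prompts += 1;
    const answer = this.askUser({ ...action, extensionId, sensitive });
    const verdict = answer === 'allow' ? 'allow' : 'prevent';
    this.remembered.set(key, verdict);
    return { verdict, reason: 'user' };
  }
}

// Constructed trace: one page script, then actions by a made-up extension.
const ORIGIN = 'https://bank.example';
const EXT = 'ext-a';
const SAMPLE_TRACE = [
  { world: 'main', api: 'EventTarget.click', origin: ORIGIN,
    target: { attached: true } },
  { world: 'isolated', extensionId: EXT, api: 'Node.appendChild', origin: ORIGIN,
    target: { attached: false } },
  { world: 'isolated', extensionId: EXT, api: 'Node.appendChild', origin: ORIGIN,
    target: { attached: true } },
  { world: 'isolated', extensionId: EXT, api: 'Node.appendChild', origin: ORIGIN,
    target: { attached: true } },
  { world: 'isolated', extensionId: EXT, api: 'XMLHttpRequest.send', origin: ORIGIN },
  { world: 'isolated', extensionId: EXT, api: 'EventTarget.click', origin: ORIGIN,
    target: { attached: true, sensitive: true } },
  { world: 'main', injectedBy: EXT, api: 'EventTarget.click', origin: ORIGIN,
    target: { attached: true, sensitive: true } },
  { world: 'isolated', extensionId: EXT, api: 'Element.getAttribute', origin: ORIGIN,
    target: { attached: true } },
];

// Constructed stand-in for the pop-up: the user prevents anything that
// touches a sensitive element and allows the rest.
function cautiousUser(action) {
  return action.sensitive ? 'prevent' : 'allow';
}

// Run a trace through a fresh gate and report each decision.
function replay(trace, askUser, suspicious) {
  const gate = new ActionGate(askUser, suspicious);
  const results = trace.map((action) => gate.decide(action));
  return { results, prompts: gate.prompts };
}

console.log(JSON.stringify(replay(SAMPLE_TRACE, cautiousUser), null, 2));
```

Passing a larger set as the third argument to `replay` models the slides' distinction between default and all possible suspicious actions: the last trace entry then produces a prompt instead of passing unexamined.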
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right
Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Extension System ArchitectureSecurity Model
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 5 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to a third party

User Experience Survey: Results
Action Group   Size   Prevented (%)
Total          839    64.1
Change Attr    120    72.5
Event           80    70.0
DOM            280    63.6
Request         80    62.5
Response        80    62.5
Create         100    61.0
Read Attr       99    56.6

Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four line charts, one each for Grammarly, LastPass, Google Dictionary and StayFocusd. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); series: all possible suspicious actions, default suspicious actions.]

User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart. x-axis: Change Attr, Event, DOM, Request, Response, Create, Read Attr; y-axis: Percentage (%); series: Understand, Kind of Understand, Don't Understand.]

Performance Impact: Results
Modified browser sometimes has significant performance overhead
- DOM: 50% - 380% increase when creating elements, setting attributes
- Events: 70% increase when dispatching click events

Demonstration and Questions

For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.

Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      448.94 ± 4.20               479.75 ± 10.04              +6.9
addRange                      382.19 ± 1.38               385.26 ± 2.11               +0.8
modify-element-id             172.03 ± 1.16               176.41 ± 1.01               +2.5
modify-element-title          149.98 ± 1.11               151.21 ± 0.73               +0.8
select-multiple-add           14.13 ± 0.09                7.09 ± 0.05                 -49.9
remove child with selection   5.76 ± 0.07                 14.08 ± 0.12                +144.6
select-single-add             2.60 ± 0.01                 2.15 ± 0.01                 -17.2
inner html with selection     2.45 ± 0.06                 2.49 ± 0.06                 +1.2
select-long-word              1.44 ± 0.03                 1.44 ± 0.02                 -0.1
long-sibling-list             1.39                        1.20 ± 0.01                 -13.7
select-single-remove          0.85 ± 0.01                 0.61                        -28.0
textarea-dom                  0.34                        0.30                        -14.0
div-editable                  0.03                        0.02                        -4.7
textarea-edit                 0.02                        0.02                        -3.5

create-element                441.80 ± 18.45              651.84 ± 7.79               +47.5
append-child                  5.51 ± 0.12                 1.43 ± 0.02                 -74.0
set-element-attribute         1.45 ± 0.03                 7.00 ± 0.06                 +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser

Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               60.19 ± 0.29                57.95 ± 1.30                -3.7
DeeplyNestedShadowTrees   23.53 ± 0.09                23.33 ± 0.09                -0.8
EventsDispatching         2.52 ± 0.01                 2.03 ± 0.01                 -19.3
SimpleClickDispatch       5.62 ± 0.07                 9.53 ± 0.09                 +69.5

Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            117.38 ± 5.71               120.85 ± 5.92               +3.0
read-response   120.81 ± 5.60               124.55 ± 5.61               +3.1

Extension System Architecture: Security Model

Malicious Extensions
- Permission model does not protect users from malicious extensions
- Malicious extensions may provide useful functionality
- Content scripts can carry out attacks using standard Web APIs

Malicious Extensions: Threats
Several threats are widespread on Chrome Web Store:
1. Facebook hijacking present in 4809 extensions (2012 - 2015)
2. Ad Injection present in 3496 extensions
3. User Tracking
Google automatically analyzes extensions for malice in sandboxes before publishing them, but provides no guarantees

Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break as few benign web applications and extensions as possible
3. Not incur a significant performance overhead

Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions

Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users:
- EventTarget.click()
- Node.appendChild() (45% of malware)
- XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM

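The policy on the Suspicious Actions slide, combined with the sensitive-element and remembered-decision ideas from the user-experience slides, modelled in plain JavaScript as an added example; it is not the project's browser patch. It assumes the browser already attributes each call to an extension or to page script, and every identifier, the wider action set and the trace are constructed.

```javascript
// Added illustration: a plain-JavaScript model of the run-time policy, not the
// modified browser's code. Every identifier and sample value is hypothetical.

// The three Web APIs the slide lists as suspicious by default.
const DEFAULT_SUSPICIOUS = new Set([
  "EventTarget.click",
  "Node.appendChild",
  "XMLHttpRequest.send",
]);

// Constructed wider set standing in for "all possible suspicious actions".
const ALL_SUSPICIOUS = new Set([
  ...DEFAULT_SUSPICIOUS,
  "Element.setAttribute",
  "Element.getAttribute",
  "Document.createElement",
]);

// APIs that act on an existing DOM node, so the "attached to DOM" filter applies.
const DOM_TARGETED = new Set([
  "EventTarget.click",
  "Node.appendChild",
  "Element.setAttribute",
  "Element.getAttribute",
]);

// Remembers the user's answer per (extension, API, page origin).
class DecisionStore {
  constructor() { this.decisions = new Map(); }
  key(a) { return `${a.extensionId}|${a.api}|${a.pageOrigin}`; }
  get(a) { return this.decisions.get(this.key(a)); }
  remember(a, verdict) { this.decisions.set(this.key(a), verdict); }
}

// Decide what happens to one intercepted call.
// Assumption: the browser has already attributed the call to an extension
// (extensionId) or to the page's own script (extensionId === null).
function evaluate(action, suspicious, store) {
  if (action.extensionId === null) return { verdict: "allow", reason: "page-script" };
  if (!suspicious.has(action.api)) return { verdict: "allow", reason: "not-configured" };
  const target = action.target || {};
  // Only an explicit "not attached" is filtered; missing information still prompts.
  if (DOM_TARGETED.has(action.api) && target.attached === false) {
    return { verdict: "allow", reason: "detached-element" };
  }
  const remembered = store.get(action);
  if (remembered) return { verdict: remembered, reason: "remembered" };
  return {
    verdict: "prompt",
    reason: "suspicious",
    // Page-supplied description and sensitivity taint shape the pop-up text.
    description: target.description ||
      (target.tag ? `${action.api} on <${target.tag}>` : action.api),
    sensitive: Boolean(target.sensitive),
  };
}

// Run a trace through the policy; askUser stands in for the allow/prevent pop-up.
function replay(trace, suspicious, askUser) {
  const store = new DecisionStore();
  const stats = { allowed: 0, prevented: 0, prompts: 0 };
  for (const action of trace) {
    const result = evaluate(action, suspicious, store);
    let verdict = result.verdict;
    if (verdict === "prompt") {
      stats.prompts += 1;
      verdict = askUser(action, result); // "allow" or "prevent"
      store.remember(action, verdict);
    }
    if (verdict === "allow") stats.allowed += 1;
    else stats.prevented += 1;
  }
  return stats;
}

// Constructed trace of intercepted calls on one page.
const EXT = "ext-constructed-id";
const ORIGIN = "https://bank.example";
const TRACE = [
  { extensionId: null, api: "Node.appendChild", pageOrigin: ORIGIN, target: { tag: "div", attached: true } },
  { extensionId: EXT, api: "Document.createElement", pageOrigin: ORIGIN },
  { extensionId: EXT, api: "Node.appendChild", pageOrigin: ORIGIN, target: { tag: "span", attached: false } },
  { extensionId: EXT, api: "Node.appendChild", pageOrigin: ORIGIN, target: { tag: "body", attached: true } },
  { extensionId: EXT, api: "Node.appendChild", pageOrigin: ORIGIN, target: { tag: "body", attached: true } },
  { extensionId: EXT, api: "Element.getAttribute", pageOrigin: ORIGIN,
    target: { tag: "input", attached: true, sensitive: true, description: "Account password field" } },
  { extensionId: EXT, api: "XMLHttpRequest.send", pageOrigin: ORIGIN },
];

// Simulated user: prevents sensitive-element and network actions, allows the rest.
function cautiousUser(action, prompt) {
  return prompt.sensitive || action.api === "XMLHttpRequest.send" ? "prevent" : "allow";
}
```

Replaying `TRACE` under `DEFAULT_SUSPICIOUS` and then `ALL_SUSPICIOUS` shows the trade-off between coverage and how often the user is interrupted.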
Suspicious Actions: Configuring Suspicious Actions

Detecting Extension Actions: Alternatives
Neither approach provides security guarantees:
- Measuring the ordering and frequency of events
- Transforming content script JavaScript to taint methods

Detecting Extension Actions: Using the Isolated World
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Extension System ArchitectureSecurity Model
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 5 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification

Detecting Extension Actions: Alternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods

Detecting Extension Actions: Using the Isolated World

Script Injection: Executing Scripts in the Main World

Intercepting Suspicious Chrome Extension Actions: Project Challenges
Project challenges
What extension actions do we consider suspicious?
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification

Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question

Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking

Remembering User Decisions: Improving User Experience

Security Guarantees: Results
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break

Discovered Malicious Extension
Leaked sensitive data to third-party

User Experience Survey: Results
Action Group   Size   Prevented (%)
Total          839    64.1
Change Attr    120    72.5
Event           80    70.0
DOM            280    63.6
Request         80    62.5
Response        80    62.5
Create         100    61.0
Read Attr       99    56.6

Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four line plots, one each for Grammarly, LastPass, Google Dictionary and StayFocusd; x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); series: All possible suspicious actions, Default suspicious actions]

User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart; x-axis: Change Attr, Event, DOM, Request, Response, Create, Read Attr; y-axis: Percentage (%); series: Understand, Kind of Understand, Don't Understand]

Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50% to 380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events

Demonstration and Questions

Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser

Telemetry Benchmarking: Events
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees                   601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees       235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching             25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch           56.2 ± 0.7                  95.3 ± 0.9                  +69.5

Telemetry Benchmarking: Network Requests
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send                          1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response                 1208.1 ± 56.0               1245.5 ± 56.1               +3.1

Extension System Architecture: Security Model

Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs

Malicious Extensions: Threats
Several threats are widespread on Chrome Web Store
1. Facebook hijacking present in 4809 extensions (2012 - 2015)
2. Ad Injection present in 3496 extensions
3. User Tracking
Google automatically analyzes extensions for malice in sandboxes before publishing them but provides no guarantees

Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break minimal benign web applications and extensions
3. Not incur a significant performance overhead

Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions

Intercepting Suspicious Chrome Extension Actions: Project Challenges
Project challenges
What extension actions do we consider suspicious?
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification

Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM

Suspicious Actions: Configuring Suspicious Actions
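
The filtering rule from the Suspicious Actions slide and the attribution problem named on the Isolated World and Script Injection slides, modelled as an added JavaScript example (not code from the talk or from the modified Chrome browser). The world ids, the `injectedBy` tag carried by nodes an extension inserts, and the per-extension decision cache are assumptions made for this illustration.

```javascript
// Added illustration: a model of the interception decision, not Blink code.
const MAIN_WORLD = 0; // assumed id for the page's own scripts; content scripts use other ids

// Default suspicious actions listed on the slide.
const SUSPICIOUS_ACTIONS = new Set([
  'EventTarget.click',
  'Node.appendChild',
  'XMLHttpRequest.send',
]);

// Minimal stand-in for a DOM node: only parent links and attachment matter here.
class ModelNode {
  constructor(tag, isDocument = false) {
    this.tag = tag;
    this.isDocument = isDocument;
    this.parent = null;
    this.injectedBy = null; // assumption: id of the extension that inserted this node
  }
  // True when the node is the document or has it as an ancestor.
  get isConnected() {
    for (let n = this; n !== null; n = n.parent) {
      if (n.isDocument) return true;
    }
    return false;
  }
}

class ActionMonitor {
  constructor(askUser) {
    this.askUser = askUser;      // (extensionId, api) => 'allow' | 'prevent'
    this.remembered = new Map(); // 'extensionId|api' -> remembered user decision
    this.prompts = 0;
  }

  // Which extension, if any, is responsible for the running script?
  attribute(ctx) {
    // Isolated world: the script is a content script of ctx.extensionId.
    if (ctx.worldId !== MAIN_WORLD) return ctx.extensionId;
    // Main world: a page script, unless the running <script> was inserted by an extension.
    return ctx.scriptNode ? ctx.scriptNode.injectedBy : null;
  }

  check(ctx, api, target) {
    const ext = this.attribute(ctx);
    if (ext === null) return 'allow:page-script';
    if (!SUSPICIOUS_ACTIONS.has(api)) return 'allow:not-suspicious';
    // Operations on elements not attached to the DOM are filtered out as benign.
    if (target && !target.isConnected) return 'allow:detached';
    const key = `${ext}|${api}`;
    if (!this.remembered.has(key)) {
      this.prompts += 1;
      this.remembered.set(key, this.askUser(ext, api));
    }
    return `${this.remembered.get(key)}:user`;
  }

  appendChild(ctx, parent, child) {
    const verdict = this.check(ctx, 'Node.appendChild', parent);
    if (verdict.startsWith('prevent')) return verdict;
    child.parent = parent;
    const ext = this.attribute(ctx);
    if (ext !== null) child.injectedBy = ext; // provenance follows the inserted node
    return verdict;
  }
}

// Constructed scenario: the user allows DOM insertion but prevents network sends.
function runDemo() {
  const monitor = new ActionMonitor((ext, api) =>
    (api === 'XMLHttpRequest.send' ? 'prevent' : 'allow'));
  const doc = new ModelNode('#document', true);
  const body = new ModelNode('body');
  body.parent = doc;

  const page = { worldId: MAIN_WORLD };
  const contentScript = { worldId: 1, extensionId: 'ext-a' };
  const wrapper = new ModelNode('div');
  const script = new ModelNode('script');
  const injected = { worldId: MAIN_WORLD, scriptNode: script };

  const verdicts = [
    monitor.appendChild(page, body, new ModelNode('p')),         // page's own script
    monitor.appendChild(contentScript, wrapper, script),         // detached subtree
    monitor.appendChild(contentScript, body, wrapper),           // attached: user is asked
    monitor.check(contentScript, 'Document.querySelector', body),
    monitor.check(injected, 'XMLHttpRequest.send', null),        // injected script, main world
    monitor.check(injected, 'XMLHttpRequest.send', null),        // remembered decision reused
  ];
  return { verdicts, prompts: monitor.prompts };
}
```

Without the `injectedBy` tag, the last two calls would be attributed to the page because they run in the main world, which is the gap the Script Injection slide names.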
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Chrome Extensions
The same-origin policy prevents attackers from executing arbitrary code onweb-pages right Not if theyrsquore extensions
Extensions
can execute content scripts on pages (if granted permission by users)
have access powerful Chrome extension APIs
are assumed to be benign-but-buggy and not malicious
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 4 31
Extension System ArchitectureSecurity Model
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 5 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security Guarantees: Results
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to a third party
User Experience Survey: Results
Action        Group Size   Prevented (%)
Total         839          64.1
Change Attr   120          72.5
Event         80           70.0
DOM           280          63.6
Request       80           62.5
Response      80           62.5
Create        100          61.0
Read Attr     99           56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: line plots of cumulative suspicious actions against time (min), one panel each for Grammarly, LastPass, Google Dictionary and StayFocusd. Series: all possible suspicious actions; default suspicious actions.]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart of the percentage (%) of responses in each category (Understand, Kind of Understand, Don't Understand) for the action groups Change Attr, Event, DOM, Request, Response, Create and Read Attr.]
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50% to 380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5
Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
Extension System Architecture: Security Model
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Malicious Extensions: Threats
Several threats are widespread on Chrome Web Store
1. Facebook hijacking: present in 4809 extensions (2012 - 2015)
2. Ad Injection: present in 3496 extensions
3. User Tracking
Google automatically analyzes extensions for malice in sandboxes before publishing them but provides no guarantees
Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break as few benign web applications and extensions as possible
3. Not incur a significant performance overhead
Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions
Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM
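The filtering rule on this slide, sketched as an added example (not code from the project): a Node.js model of the decision taken when a script calls one of the listed APIs, which also folds in the remembered decisions and sensitive elements from the user-experience slides. The world ids, the `sensitive` flag, the `FakeNode` stand-in for DOM nodes, the policy for sensitive elements and every function name are assumptions made for the illustration; the scenario input is constructed.

```javascript
// Constructed stand-in for DOM nodes so the check runs under Node.js.
class FakeNode {
  constructor(tag, { sensitive = false } = {}) {
    this.tag = tag;
    this.sensitive = sensitive; // page-declared taint (assumed flag)
    this.parent = null;
  }
  append(child) {
    child.parent = this;
    return child;
  }
  // Same meaning as Node.isConnected: the root ancestor is the document.
  get isConnected() {
    let node = this;
    while (node.parent) node = node.parent;
    return node.tag === '#document';
  }
}

// Assumption: page scripts run in world 0, content scripts in worlds > 0.
const MAIN_WORLD = 0;

// The three Web APIs named on the slide.
const DEFAULT_SUSPICIOUS = ['EventTarget.click', 'Node.appendChild', 'XMLHttpRequest.send'];

class ActionGate {
  constructor(suspiciousApis = DEFAULT_SUSPICIOUS) {
    this.suspicious = new Set(suspiciousApis);
    this.remembered = new Map(); // "extensionId|api" -> 'allow' | 'prevent'
  }

  remember(extensionId, api, decision) {
    if (decision !== 'allow' && decision !== 'prevent') {
      throw new RangeError(`unknown decision: ${decision}`);
    }
    this.remembered.set(`${extensionId}|${api}`, decision);
  }

  // Decide what happens to one API call. `target` is the element operated on
  // (the parent for appendChild); it is absent for network calls.
  check({ worldId, extensionId, api, target }) {
    if (worldId === MAIN_WORLD) return { verdict: 'allow', reason: 'page script' };
    if (!this.suspicious.has(api)) return { verdict: 'allow', reason: 'api not configured' };
    // Work on a detached subtree cannot affect the page yet. Attaching it later
    // is itself an appendChild on a connected parent and is caught then.
    if (target && !target.isConnected) return { verdict: 'allow', reason: 'target detached' };
    // Assumed policy: a remembered answer never covers a sensitive element.
    if (target && target.sensitive) return { verdict: 'prompt', reason: 'sensitive element' };
    const saved = this.remembered.get(`${extensionId}|${api}`);
    if (saved) return { verdict: saved, reason: 'remembered decision' };
    return { verdict: 'prompt', reason: 'suspicious api' };
  }
}

// Constructed scenario: one page script and one content script acting on a small tree.
function runScenario() {
  const doc = new FakeNode('#document');
  const body = doc.append(new FakeNode('body'));
  const button = body.append(new FakeNode('button'));
  const password = body.append(new FakeNode('input', { sensitive: true }));
  const detached = new FakeNode('div');

  const gate = new ActionGate();
  const ext = { worldId: 1, extensionId: 'constructed-extension-id' };
  const verdicts = [];
  const run = (action) => verdicts.push(gate.check(action).verdict);

  run({ worldId: MAIN_WORLD, api: 'EventTarget.click', target: button }); // page's own click
  run({ ...ext, api: 'Node.appendChild', target: detached });             // off-DOM build
  run({ ...ext, api: 'Node.appendChild', target: body });                 // attaches to page
  gate.remember(ext.extensionId, 'Node.appendChild', 'allow');
  run({ ...ext, api: 'Node.appendChild', target: body });                 // user already allowed
  gate.remember(ext.extensionId, 'EventTarget.click', 'allow');
  run({ ...ext, api: 'EventTarget.click', target: password });            // sensitive element
  run({ ...ext, api: 'XMLHttpRequest.send' });                            // no element target
  run({ ...ext, api: 'Element.getAttribute', target: password });         // not configured
  return verdicts;
}

console.log(runScenario());
```

The second and third calls show why filtering detached targets does not open a gap: the subtree is built without prompts, but the call that makes it visible on the page still reaches the user.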
Suspicious Actions: Configuring Suspicious Actions
Detecting Extension Actions: Alternatives
Neither approach provides security guarantees:
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 6 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: cumulative suspicious actions against time (min), one panel each for Grammarly, LastPass, Google Dictionary and StayFocusd; series: all possible suspicious actions, default suspicious actions]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
Action        Understand (%)   Kind of Understand (%)   Don't Understand (%)
Change Attr   48               29                       23
Event         50               25                       25
DOM           60               25                       16
Request       49               34                       17
Response      50               26                       24
Create        48               32                       20
Read Attr     52               27                       21
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50-380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5
Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
Malicious Extensions
Permission model does not protect users from malicious extensions
Malicious extensions may provide useful functionality
Content scripts can carry out attacks using standard Web APIs
Malicious Extensions: Threats
Several threats are widespread on the Chrome Web Store:
1. Facebook hijacking: present in 4809 extensions (2012 - 2015)
2. Ad injection: present in 3496 extensions
3. User tracking
Google automatically analyzes extensions for malice in sandboxes before publishing them, but provides no guarantees
Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break minimal benign web applications and extensions
3. Not incur a significant performance overhead
Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions
Intercepting Suspicious Chrome Extension Actions: Project Challenges
Project challenges:
What extension actions do we consider suspicious?
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to the DOM
Suspicious Actions: Configuring Suspicious Actions
Detecting Extension Actions: Alternatives
Neither approach provides security guarantees:
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Detecting Extension Actions: Using the Isolated World
Script Injection: Executing Scripts in the Main World
Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Remembering User Decisions: Improving User Experience
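The gate built up across the preceding slides (suspicious Web API calls attributed to a content script's isolated world, the detached-element filter, page-declared sensitive elements and descriptions, remembered decisions), modelled in plain JavaScript as an added example. It is not the project's code, which lives inside a modified Chrome; the world ids, class, function and field names and the sample calls are assumptions.

```javascript
// Added model of the run-time gate; the original work modifies Chrome itself.
// All identifiers below are hypothetical and the sample calls are constructed.

const MAIN_WORLD = 0; // assumption: 0 = page scripts, any other id = a content script's isolated world

// Default suspicious actions, taken from the "Suspicious Actions" slide.
const DEFAULT_SUSPICIOUS = new Set([
  'EventTarget.click',
  'Node.appendChild',
  'XMLHttpRequest.send',
]);

class SuspiciousActionGate {
  // askUser(prompt) must return { allow: boolean, remember: boolean }.
  constructor(askUser, suspicious = DEFAULT_SUSPICIOUS) {
    this.askUser = askUser;
    this.suspicious = suspicious;
    this.remembered = new Map(); // "extension|origin|action|sensitive" -> decision
  }

  check({ worldId, extensionId, origin, action, target = null }) {
    // 1. Only calls made from an isolated world are attributed to an extension.
    if (worldId === MAIN_WORLD) return { decision: 'allow', reason: 'page-script' };
    // 2. Actions outside the configured set pass through.
    if (!this.suspicious.has(action)) return { decision: 'allow', reason: 'not-suspicious' };
    // 3. Operations on elements not attached to the DOM are filtered out as benign.
    if (target && !target.attached) return { decision: 'allow', reason: 'detached-element' };

    // 4. Reuse an earlier answer. Sensitive elements get their own entry so a
    //    blanket "allow" never silently covers them (a design choice of this sketch).
    const sensitive = Boolean(target && target.sensitive);
    const key = [extensionId, origin, action, sensitive].join('|');
    if (this.remembered.has(key)) {
      return { decision: this.remembered.get(key), reason: 'remembered' };
    }

    // 5. Otherwise ask the user, passing along the page-supplied element description.
    const answer = this.askUser({
      extensionId, origin, action, sensitive,
      description: target ? target.description : null,
    });
    const decision = answer.allow ? 'allow' : 'prevent';
    if (answer.remember) this.remembered.set(key, decision);
    return { decision, reason: 'user' };
  }
}

// Wrap an operation so that it only runs when the gate allows it.
function guarded(gate, call, operation) {
  const verdict = gate.check(call);
  return verdict.decision === 'allow'
    ? { ...verdict, executed: true, value: operation() }
    : { ...verdict, executed: false, value: undefined };
}

function runDemo() {
  let prompts = 0;
  // Scripted stand-in for the pop-up: refuse anything touching a sensitive element.
  const gate = new SuspiciousActionGate((prompt) => {
    prompts += 1;
    return { allow: !prompt.sensitive, remember: true };
  });

  const ext = { worldId: 7, extensionId: 'ext-constructed', origin: 'https://bank.example' };
  const page = { ...ext, worldId: MAIN_WORLD, extensionId: null };
  const body = { attached: true, sensitive: false, description: 'page body' };
  const scratch = { attached: false, sensitive: false, description: 'detached div' };
  const transfer = { attached: true, sensitive: true, description: 'Transfer money button' };

  const calls = [
    { ...page, action: 'EventTarget.click', target: transfer },  // page's own script
    { ...ext, action: 'Node.appendChild', target: scratch },     // element not in the DOM
    { ...ext, action: 'Node.appendChild', target: body },        // first prompt
    { ...ext, action: 'Node.appendChild', target: body },        // answered from memory
    { ...ext, action: 'EventTarget.click', target: transfer },   // sensitive element
    { ...ext, action: 'XMLHttpRequest.send' },                   // no element involved
    { ...ext, action: 'Element.setAttribute', target: body },    // not in the default set
  ];
  const results = calls.map((call) => guarded(gate, call, () => 'done'));
  return {
    reasons: results.map((r) => r.reason),
    executed: results.map((r) => r.executed),
    prompts,
  };
}
```

Seven calls produce three pop-ups here; the cumulative counts reported for popular benign extensions are why filtering and remembered decisions matter for usability.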
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry Benchmarking: DOM Operations
Name | Original Browser Avg (ms) | Modified Browser Avg (ms) | Δ Avg (%)
modify-element-classname | 4489.4 ± 42.0 | 4797.5 ± 100.4 | +6.9
addRange | 3821.9 ± 13.8 | 3852.6 ± 21.1 | +0.8
modify-element-id | 1720.3 ± 11.6 | 1764.1 ± 10.1 | +2.5
modify-element-title | 1499.8 ± 11.1 | 1512.1 ± 7.3 | +0.8
select-multiple-add | 141.3 ± 0.9 | 70.9 ± 0.5 | -49.9
remove child with selection | 57.6 ± 0.7 | 140.8 ± 1.2 | +144.6
select-single-add | 26.0 ± 0.1 | 21.5 ± 0.1 | -17.2
inner html with selection | 24.5 ± 0.6 | 24.9 ± 0.6 | +1.2
select-long-word | 14.4 ± 0.3 | 14.4 ± 0.2 | -0.1
long-sibling-list | 13.9 | 12.0 ± 0.1 | -13.7
select-single-remove | 8.5 ± 0.1 | 6.1 | -28.0
textarea-dom | 3.4 | 3.0 | -14.0
div-editable | 0.3 | 0.2 | -4.7
textarea-edit | 0.2 | 0.2 | -3.5
create-element | 4418.0 ± 184.5 | 6518.4 ± 77.9 | +47.5
append-child | 55.1 ± 1.2 | 14.3 ± 0.2 | -74.0
set-element-attribute | 14.5 ± 0.3 | 70.0 ± 0.6 | +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name | Original Browser Avg (ms) | Modified Browser Avg (ms) | Δ Avg (%)
ShadowTrees | 601.9 ± 2.9 | 579.5 ± 13.0 | -3.7
DeeplyNestedShadowTrees | 235.3 ± 0.9 | 233.3 ± 0.9 | -0.8
EventsDispatching | 25.2 ± 0.1 | 20.3 ± 0.1 | -19.3
SimpleClickDispatch | 56.2 ± 0.7 | 95.3 ± 0.9 | +69.5
Telemetry Benchmarking: Network Requests
Name | Original Browser Avg (ms) | Modified Browser Avg (ms) | Δ Avg (%)
send | 1173.8 ± 57.1 | 1208.5 ± 59.2 | +3.0
read-response | 1208.1 ± 56.0 | 1245.5 ± 56.1 | +3.1
Malicious Extensions: Threats
Several threats are widespread on Chrome Web Store:
1. Facebook hijacking: present in 4809 extensions (2012 - 2015)
2. Ad Injection: present in 3496 extensions
3. User Tracking
Google automatically analyzes extensions for malice in sandboxes before publishing them, but provides no guarantees
Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break minimal benign web applications and extensions
3. Not incur a significant performance overhead
Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions
Intercepting Suspicious Chrome Extension Actions: Project Challenges
Project challenges:
What extension actions do we consider suspicious?
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users:
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM
Suspicious Actions: Configuring Suspicious Actions
Detecting Extension Actions: Alternatives
Neither approach provides security guarantees:
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Detecting Extension Actions: Using the Isolated World
Script Injection: Executing Scripts in the Main World
Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Remembering User Decisions: Improving User Experience
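Added example, not code from the talk or the modified browser: a small JavaScript model of the gate the preceding slides describe (suspicious Web API calls from content scripts, the filter for elements not attached to the DOM, page-marked sensitive elements, remembered user decisions). FakeNode, the data-sensitive attribute, the world tag on each action and the rule that sensitive elements always prompt are assumptions made for illustration.

```javascript
// Added illustration: a model of the run-time gate, not the modified browser's code.
// FakeNode is a constructed stand-in for a DOM node so the example runs in Node.js.
class FakeNode {
  constructor(tag, attrs = {}) {
    this.tag = tag;
    this.attrs = attrs;
    this.parent = null;
    this.isDocument = false;
  }
  append(child) { child.parent = this; return child; }
  // Attached means reachable from the document root through parent links.
  get isConnected() {
    for (let n = this; n; n = n.parent) if (n.isDocument) return true;
    return false;
  }
}

// Hypothetical attribute a page could use to taint an element as sensitive.
const SENSITIVE_ATTR = 'data-sensitive';
function isSensitive(node) {
  for (let n = node; n; n = n.parent) if (SENSITIVE_ATTR in n.attrs) return true;
  return false;
}

// The three operations named on the Suspicious Actions slide.
const SUSPICIOUS = new Set(['EventTarget.click', 'Node.appendChild', 'XMLHttpRequest.send']);

class ActionGate {
  // askUser({extensionId, kind, origin, sensitive}) returns 'allow' or 'prevent'.
  constructor(askUser) {
    this.askUser = askUser;
    this.remembered = new Map(); // "extensionId|kind|origin" -> decision
    this.trace = [];
  }
  note(reason, allowed) { this.trace.push(reason); return allowed; }

  // Returns true when the operation may run.
  check({ world, extensionId, kind, target = null, origin }) {
    // Only content scripts (isolated world) are gated; page scripts pass through.
    if (world !== 'isolated') return this.note('pass:main-world', true);
    if (!SUSPICIOUS.has(kind)) return this.note('pass:not-suspicious', true);
    // Filter: operations on elements not attached to the DOM are treated as benign.
    if (target && !target.isConnected) return this.note('pass:detached', true);

    const sensitive = target !== null && isSensitive(target);
    const key = [extensionId, kind, origin].join('|');
    // Assumption: a remembered answer is never reused for a sensitive element.
    if (!sensitive && this.remembered.has(key)) {
      const decision = this.remembered.get(key);
      return this.note('remembered:' + decision, decision === 'allow');
    }
    const decision = this.askUser({ extensionId, kind, origin, sensitive });
    if (!sensitive) this.remembered.set(key, decision);
    return this.note((sensitive ? 'asked-sensitive:' : 'asked:') + decision, decision === 'allow');
  }
}

function runDemo() {
  // Constructed page: document > body > (form[data-sensitive] > button, div)
  const doc = new FakeNode('#document');
  doc.isDocument = true;
  const body = doc.append(new FakeNode('body'));
  const form = body.append(new FakeNode('form', { [SENSITIVE_ATTR]: '' }));
  const button = form.append(new FakeNode('button'));
  const div = body.append(new FakeNode('div'));
  const detached = new FakeNode('span'); // built off-document, never attached

  let prompts = 0;
  // Constructed user: allows DOM insertion, prevents everything else.
  const gate = new ActionGate(({ kind }) => {
    prompts += 1;
    return kind === 'Node.appendChild' ? 'allow' : 'prevent';
  });
  const ext = { world: 'isolated', extensionId: 'ext-a', origin: 'https://shop.example' };

  const results = [
    gate.check({ ...ext, world: 'main', kind: 'EventTarget.click', target: button }),
    gate.check({ ...ext, kind: 'Node.appendChild', target: detached }),
    gate.check({ ...ext, kind: 'Node.appendChild', target: div }),
    gate.check({ ...ext, kind: 'Node.appendChild', target: div }),
    gate.check({ ...ext, kind: 'EventTarget.click', target: button }),
    gate.check({ ...ext, kind: 'EventTarget.click', target: button }),
    gate.check({ ...ext, kind: 'XMLHttpRequest.send' }),
  ];
  return { results, trace: gate.trace, prompts };
}

console.log(runDemo());
```

The trace shows why prompt volume matters for the benign-extension measurements: only three of the seven operations would have been silent without the main-world, detached-element and remembered-decision paths.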
Security Guarantees: Results
Guarantee: we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to a third party
User Experience Survey: Results
Action | Group Size | Prevented (%)
Total | 839 | 64.1
Change Attr | 120 | 72.5
Event | 80 | 70.0
DOM | 280 | 63.6
Request | 80 | 62.5
Response | 80 | 62.5
Create | 100 | 61.0
Read Attr | 99 | 56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: Grammarly. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); series: All possible suspicious actions, Default suspicious actions]
[Figure: LastPass. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative)]
[Figure: Google Dictionary. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative)]
Malicious ExtensionsThreats
Several threats are widespread on Chrome Web Store
1 Facebook hijacking present in 4809 extensions (2012 - 2015)
2 Ad Injection present in 3496 extensions
3 User Tracking
Google automatically analyzes extensions for malice in sandboxes beforepublishing them but provides no guarantees
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 7 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions: Configuring Suspicious Actions

Detecting Extension Actions: Alternatives
Neither approach provides security guarantees:
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods

Detecting Extension Actions: Using the Isolated World

Script Injection: Executing Scripts in the Main World

Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to the element in question

Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking

Remembering User Decisions: Improving User Experience

Security Guarantees: Results
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break

Discovered Malicious Extension
Leaked sensitive data to a third party

User Experience Survey: Results
Action Group   Size   Prevented (%)
Total          839    64.1
Change Attr    120    72.5
Event          80     70.0
DOM            280    63.6
Request        80     62.5
Response       80     62.5
Create         100    61.0
Read Attr      99     56.6

Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Four plots, one per extension: Grammarly, LastPass, Google Dictionary, StayFocusd. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); series: all possible suspicious actions, default suspicious actions.]

User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Bar chart. x-axis: Change Attr, Event, DOM, Request, Response, Create, Read Attr; y-axis: Percentage (%); series: Understand, Kind of Understand, Don't Understand.]

Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50% to 380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events

Demonstration and Questions
For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.

Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser

Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5

Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Project Goals
1 Protect users from malicious extensions and provide securityguarantees
2 Break minimal benign web applications and extensions
3 Not incur a significant performance overhead
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 8 31
Intercepting Suspicious Chrome Extension Actions
Our approach Analyze extension behaviour at run-time and askusers to allow or prevent suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 9 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?

Percentage (%) of responses per action:

Action        Understand   Kind of Understand   Don't Understand
Change Attr   48           29                   23
Event         50           25                   25
DOM           60           25                   16
Request       49           34                   17
Response      50           26                   24
Create        48           32                   20
Read Attr     52           27                   21

Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50-380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events

Demonstration and Questions

For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.

Telemetry Benchmarking: DOM Operations

Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5

create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7

Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser

Telemetry Benchmarking: Events

Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5

Telemetry Benchmarking: Network Requests

Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1

Project Goals
1. Protect users from malicious extensions and provide security guarantees
2. Break minimal benign web applications and extensions
3. Not incur a significant performance overhead

Intercepting Suspicious Chrome Extension Actions
Our approach: Analyze extension behaviour at run-time and ask users to allow or prevent suspicious actions

Intercepting Suspicious Chrome Extension Actions: Project Challenges
What extension actions do we consider suspicious?
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification

Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM

Suspicious Actions: Configuring Suspicious Actions

Detecting Extension Actions: Alternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods

Detecting Extension Actions: Using the Isolated World

Script Injection: Executing Scripts in the Main World

Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question

Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking

Remembering User Decisions: Improving User Experience

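The decision flow described on the preceding slides (attributing actions to extensions through the isolated world, filtering operations on detached elements, page-supplied descriptions and sensitive taints, remembered decisions), modelled in JavaScript. This is an added example, not the project's code, which is implemented inside a modified Chrome; the class, the record fields, the reason strings and the rule that remembered decisions never cover sensitive elements are assumptions.

```javascript
// Added illustration, not the project's code (that lives in a modified Chrome).
// Class, field and reason names are hypothetical.
const DEFAULT_SUSPICIOUS = ['click', 'appendChild', 'xhr.send'];

function verdict(allow, reason) {
  return { allow, reason };
}

class ActionMonitor {
  // askUser(prompt) returns { allow: boolean, remember: boolean }.
  constructor(askUser, suspicious = DEFAULT_SUSPICIOUS) {
    this.askUser = askUser;
    this.suspicious = new Set(suspicious); // user-configurable action set
    this.remembered = new Map();           // "extension|type|origin" -> allow
  }

  check(action) {
    // Only scripts running in an extension's isolated world are attributed
    // to an extension; main-world page scripts pass through.
    if (action.world !== 'isolated') return verdict(true, 'page-script');
    if (!this.suspicious.has(action.type)) return verdict(true, 'not-configured');

    const target = action.target || {};
    // Filter from the slide: skip operations on elements not attached to the DOM.
    const isDomOp = action.type !== 'xhr.send';
    if (isDomOp && !target.attached) return verdict(true, 'detached-element');

    const key = [action.extensionId, action.type, action.origin].join('|');
    // Assumption: remembered decisions never cover elements the page tainted
    // as sensitive, so those operations always reach the user.
    if (!target.sensitive && this.remembered.has(key)) {
      return verdict(this.remembered.get(key), 'remembered');
    }

    const answer = this.askUser({
      extensionId: action.extensionId,
      type: action.type,
      origin: action.origin,
      // Prefer the page's own description of the element.
      description: target.description || target.url || `<${target.tag || 'unknown'}>`,
      warning: Boolean(target.sensitive),
    });
    if (answer.remember && !target.sensitive) this.remembered.set(key, answer.allow);
    return verdict(answer.allow, 'user');
  }
}

// Constructed sample trace: one extension's content script on one page.
function runDemo() {
  const prompts = [];
  // Scripted stand-in for the user: prevent anything carrying a sensitivity
  // warning, allow and remember everything else.
  const monitor = new ActionMonitor((prompt) => {
    prompts.push(prompt);
    return { allow: !prompt.warning, remember: true };
  });
  const base = { world: 'isolated', extensionId: 'ext-a', origin: 'https://bank.example' };
  const trace = [
    { world: 'main', type: 'appendChild', origin: base.origin, target: { tag: 'div', attached: true } },
    { ...base, type: 'appendChild', target: { tag: 'span', attached: false } },
    { ...base, type: 'appendChild', target: { tag: 'div', attached: true } },
    { ...base, type: 'appendChild', target: { tag: 'div', attached: true } },
    { ...base, type: 'click', target: { tag: 'button', attached: true, sensitive: true,
        description: 'Confirm transfer button' } },
    { ...base, type: 'xhr.send', target: { url: 'https://collector.example/log' } },
  ];
  return { results: trace.map((a) => monitor.check(a)), prompts };
}

console.log(runDemo().results.map((r) => `${r.reason}:${r.allow ? 'allow' : 'prevent'}`));
```

Of the six actions in the trace only three reach the user, which is the effect the filtering and remembering slides aim for when benign extensions trigger thousands of actions.
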
Security Guarantees: Results
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break

Discovered Malicious Extension
Leaked sensitive data to third-party

Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 10 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious Actions
Focus on content script operations and add permissions aroundstandard Web APIs that harm users
EventTargetclick()
NodeappendChild() (45 of malware)
XMLHttpRequestsend() (52 of malware)
Filter out benign events or operations on elements not attached to DOM
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 11 31
Suspicious ActionsConfiguring Suspicious Actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 12 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to third-party
User Experience Survey: Results
Action Group   Size   Prevented (%)
Total          839    64.1
Change Attr    120    72.5
Event           80    70.0
DOM            280    63.6
Request         80    62.5
Response        80    62.5
Create         100    61.0
Read Attr       99    56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four line charts of cumulative suspicious actions against time (min), one panel each for Grammarly, LastPass, Google Dictionary and StayFocusd; series: all possible suspicious actions, default suspicious actions]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Bar chart: percentage (%) of responses per action group]
Action Group   Understand   Kind of Understand   Don't Understand
Change Attr    48           29                   23
Event          50           25                   25
DOM            60           25                   16
Request        49           34                   17
Response       50           26                   24
Create         48           32                   20
Read Attr      52           27                   21
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50% to 380% increase when creating elements and setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM operation benchmarks for both the original and modified Chrome browser
Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5
Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM
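The filter on this slide, combined with the sensitive-element warning from the "Sensitive Attributes" slide, modelled as an added JavaScript example; it is not code from the talk or from the modified browser. ToyNode, classifyAction, the world tag and the sensitive flag are assumptions made for illustration, and the sample trace is constructed.

```javascript
// Added illustration, not Chrome or Blink code. ToyNode, classifyAction, the
// `world` tag ("isolated" = content script, "main" = page script) and the
// `sensitive` flag are hypothetical names for this sketch.

class ToyNode {
  constructor(tag, { sensitive = false } = {}) {
    this.tag = tag;
    this.sensitive = sensitive; // stands in for a taint supplied by the page
    this.parent = null;
  }
  appendChild(child) {
    child.parent = this;
    return child;
  }
}

// The three guarded Web API calls named on the slide.
const GUARDED_APIS = new Set([
  'EventTarget.click',
  'Node.appendChild',
  'XMLHttpRequest.send',
]);

// A node is attached when its parent chain reaches the document root.
function isAttached(node, root) {
  for (let n = node; n !== null; n = n.parent) {
    if (n === root) return true;
  }
  return false;
}

// Assumption: a taint on an ancestor also covers its descendants.
function isSensitive(node) {
  for (let n = node; n !== null; n = n.parent) {
    if (n.sensitive) return true;
  }
  return false;
}

// Returns { verdict, reason }; verdict is 'allow', 'prompt' or 'warn-sensitive'.
function classifyAction(action, root) {
  if (action.world !== 'isolated') {
    return { verdict: 'allow', reason: 'page script, not a content script' };
  }
  if (!GUARDED_APIS.has(action.api)) {
    return { verdict: 'allow', reason: 'API is not guarded' };
  }
  const target = action.target || null; // network sends have no target element
  if (target !== null && !isAttached(target, root)) {
    // Work on a detached subtree cannot affect the page until it is attached.
    return { verdict: 'allow', reason: 'target not attached to DOM' };
  }
  if (target !== null && isSensitive(target)) {
    return { verdict: 'warn-sensitive', reason: 'guarded call on a sensitive element' };
  }
  return { verdict: 'prompt', reason: 'guarded call from a content script' };
}

// Counts verdicts over a trace of actions.
function summarize(actions, root) {
  const counts = { allow: 0, prompt: 0, 'warn-sensitive': 0 };
  for (const action of actions) counts[classifyAction(action, root).verdict] += 1;
  return counts;
}

// Constructed sample: a small page and a trace of seven actions.
function buildSample() {
  const root = new ToyNode('#document');
  const form = root.appendChild(new ToyNode('form'));
  const password = form.appendChild(new ToyNode('input', { sensitive: true }));
  const button = form.appendChild(new ToyNode('button'));
  const detachedDiv = new ToyNode('div'); // built off-DOM, never attached here
  const span = new ToyNode('span');
  const actions = [
    { world: 'main', api: 'EventTarget.click', target: button },
    { world: 'isolated', api: 'Node.appendChild', target: detachedDiv, child: span },
    { world: 'isolated', api: 'Node.appendChild', target: form, child: detachedDiv },
    { world: 'isolated', api: 'EventTarget.click', target: button },
    { world: 'isolated', api: 'EventTarget.click', target: password },
    { world: 'isolated', api: 'XMLHttpRequest.send', target: null },
    { world: 'isolated', api: 'Element.getBoundingClientRect', target: button },
  ];
  return { root, actions };
}

const sample = buildSample();
console.log(sample.actions.map((a) => classifyAction(a, sample.root).verdict));
console.log(summarize(sample.actions, sample.root));
```

Building a subtree off-DOM is allowed without a prompt, while the later call that attaches it to the live form is the one that prompts.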
Suspicious Actions: Configuring Suspicious Actions
Detecting Extension Actions: Alternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Detecting Extension Actions: Using the Isolated World
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security Guarantees: Results
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to a third party
User Experience Survey: Results
Action        Group Size   Prevented (%)
Total         839          64.1
Change Attr   120          72.5
Event         80           70.0
DOM           280          63.6
Request       80           62.5
Response      80           62.5
Create        100          61.0
Read Attr     99           56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four line plots, one each for Grammarly, LastPass, Google Dictionary and StayFocusd. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); legend: All possible suspicious actions, Default suspicious actions.]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart of Percentage (%) of responses (Understand, Kind of Understand, Don't Understand) for each action: Change Attr, Event, DOM, Request, Response, Create, Read Attr.]
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50-380% increase when creating elements and setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                      Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees               601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees   235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching         25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch       56.2 ± 0.7                  95.3 ± 0.9                  +69.5
Telemetry Benchmarking: Network Requests
Name            Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send            1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response   1208.1 ± 56.0               1245.5 ± 56.1               +3.1
Suspicious Actions
Focus on content script operations and add permissions around standard Web APIs that harm users
EventTarget.click()
Node.appendChild() (45% of malware)
XMLHttpRequest.send() (52% of malware)
Filter out benign events or operations on elements not attached to DOM
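The filtering described on this slide, together with the sensitive-element and remembered-decision ideas from the user-experience slides, modelled as a small policy function. This is an added example, not code from the modified browser the slides describe: `ActionPolicy`, the action-record fields and the reason strings are hypothetical, the rule that a sensitive target prompts even after a remembered allow is an assumption, and the trace is constructed.

```javascript
// Added example: a user-space model of the decision the slides describe.
// ActionPolicy, the action-record fields and the reason strings are hypothetical names.

// Default suspicious APIs, as listed on the slide.
const DEFAULT_SUSPICIOUS_APIS = [
  'EventTarget.click',
  'Node.appendChild',
  'XMLHttpRequest.send',
];

function verdict(kind, reason) {
  return { verdict: kind, reason };
}

class ActionPolicy {
  constructor(suspiciousApis = DEFAULT_SUSPICIOUS_APIS) {
    this.suspiciousApis = new Set(suspiciousApis); // configurable list
    this.remembered = new Map(); // "extension|api|origin" -> 'allow' | 'block'
  }

  static key(action) {
    return [action.extensionId, action.api, action.origin].join('|');
  }

  // Store the user's answer to a pop-up so the same action is not asked again.
  remember(action, decision) {
    if (decision !== 'allow' && decision !== 'block') {
      throw new Error('decision must be "allow" or "block"');
    }
    this.remembered.set(ActionPolicy.key(action), decision);
  }

  evaluate(action) {
    // Calls made by the page's own scripts (main world) are not extension actions.
    // How a script that an extension injects into the main world is attributed
    // is not modelled here.
    if (action.world !== 'isolated') return verdict('allow', 'not-extension');
    if (!this.suspiciousApis.has(action.api)) return verdict('allow', 'api-not-configured');

    // Operations on elements not attached to the DOM are filtered out.
    const target = action.target || null;
    if (target && !target.attached) return verdict('allow', 'detached-target');

    const prior = this.remembered.get(ActionPolicy.key(action));
    if (prior === 'block') return verdict('block', 'remembered');
    // Assumption: an element the page marked sensitive prompts even after an earlier allow.
    if (target && target.sensitive) return verdict('prompt', 'sensitive-element');
    if (prior === 'allow') return verdict('allow', 'remembered');
    return verdict('prompt', 'suspicious-api');
  }
}

// Feed a trace of intercepted actions through the policy. A step may carry the
// answer the user gives if a pop-up is shown for it.
function replay(policy, trace) {
  return trace.map((step) => {
    const result = policy.evaluate(step.action);
    if (result.verdict === 'prompt' && step.userDecision) {
      policy.remember(step.action, step.userDecision);
    }
    return `${result.verdict}:${result.reason}`;
  });
}

// Constructed sample data (not taken from the slides).
const ORIGIN = 'https://bank.example';
const button = { attached: true, sensitive: false };
const detached = { attached: false, sensitive: false };
const transferButton = { attached: true, sensitive: true };
const ext = (extensionId, api, target, userDecision) => ({
  action: { world: 'isolated', extensionId, api, origin: ORIGIN, target },
  userDecision,
});

const SAMPLE_TRACE = [
  { action: { world: 'main', extensionId: null, api: 'EventTarget.click', origin: ORIGIN, target: button } },
  ext('ext-a', 'Node.appendChild', detached),
  ext('ext-a', 'EventTarget.click', button, 'allow'),
  ext('ext-a', 'EventTarget.click', button),
  ext('ext-a', 'EventTarget.click', transferButton),
  ext('ext-b', 'XMLHttpRequest.send', null, 'block'),
  ext('ext-b', 'XMLHttpRequest.send', null),
  ext('ext-a', 'Element.getAttribute', transferButton),
];

function runDemo() {
  return replay(new ActionPolicy(), SAMPLE_TRACE);
}

console.log(runDemo().join('\n'));
```

The order of the checks is the point: cheap filters run before any pop-up is raised, which bears on the false-positive cost the results slides measure for benign extensions.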
Suspicious Actions: Configuring Suspicious Actions
Detecting Extension Actions: Alternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 13 31
Detecting Extension ActionsAlternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 14 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31

Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four plots, one each for Grammarly, LastPass, Google Dictionary and StayFocusd. x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); legend: All possible suspicious actions, Default suspicious actions.]

User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
Percentage (%)  Understand   Kind of Understand   Don't Understand
Change Attr     48           29                   23
Event           50           25                   25
DOM             60           25                   16
Request         49           34                   17
Response        50           26                   24
Create          48           32                   20
Read Attr       52           27                   21

Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50-380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events

Demonstration and Questions

For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.

Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0               4797.5 ± 100.4              +6.9
addRange                      3821.9 ± 13.8               3852.6 ± 21.1               +0.8
modify-element-id             1720.3 ± 11.6               1764.1 ± 10.1               +2.5
modify-element-title          1499.8 ± 11.1               1512.1 ± 7.3                +0.8
select-multiple-add           141.3 ± 0.9                 70.9 ± 0.5                  -49.9
remove child with selection   57.6 ± 0.7                  140.8 ± 1.2                 +144.6
select-single-add             26.0 ± 0.1                  21.5 ± 0.1                  -17.2
inner html with selection     24.5 ± 0.6                  24.9 ± 0.6                  +1.2
select-long-word              14.4 ± 0.3                  14.4 ± 0.2                  -0.1
long-sibling-list             13.9                        12.0 ± 0.1                  -13.7
select-single-remove          8.5 ± 0.1                   6.1                         -28.0
textarea-dom                  3.4                         3.0                         -14.0
div-editable                  0.3                         0.2                         -4.7
textarea-edit                 0.2                         0.2                         -3.5
create-element                4418.0 ± 184.5              6518.4 ± 77.9               +47.5
append-child                  55.1 ± 1.2                  14.3 ± 0.2                  -74.0
set-element-attribute         14.5 ± 0.3                  70.0 ± 0.6                  +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser

Telemetry Benchmarking: Events
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
ShadowTrees                   601.9 ± 2.9                 579.5 ± 13.0                -3.7
DeeplyNestedShadowTrees       235.3 ± 0.9                 233.3 ± 0.9                 -0.8
EventsDispatching             25.2 ± 0.1                  20.3 ± 0.1                  -19.3
SimpleClickDispatch           56.2 ± 0.7                  95.3 ± 0.9                  +69.5

Telemetry Benchmarking: Network Requests
Name                          Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
send                          1173.8 ± 57.1               1208.5 ± 59.2               +3.0
read-response                 1208.1 ± 56.0               1245.5 ± 56.1               +3.1

Detecting Extension Actions: Alternatives
Neither approach provides security guarantees
Measuring the ordering and frequency of events
Transforming content script JavaScript to taint methods

Detecting Extension Actions: Using the Isolated World

Script Injection: Executing Scripts in the Main World

Intercepting Suspicious Chrome Extension Actions: Project Challenges
Project challenges
What extension actions do we consider suspicious?
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification

Describing Suspicious Actions: Improving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question

Sensitive Attributes: Improving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking

Remembering User Decisions: Improving User Experience
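
A small model of the prompt flow outlined on the Describing Suspicious Actions, Sensitive Attributes and Remembering User Decisions slides, added here as an illustration and not code from the modified browser. The class, field names, decision key, default suspicious set and the workload are constructed assumptions; only the action names come from the survey table.

```javascript
// Added illustration: a user-space model, not the project's Chromium changes.
// Action names are taken from the survey table on this page.
const ACTIONS = ["Change Attr", "Event", "DOM", "Request", "Response", "Create", "Read Attr"];

// Text shown to the user. The page supplies `description` for its own
// elements (hypothetical field name), so the user can tell what is touched.
function promptText(a) {
  const what = a.element.description || "an undescribed element";
  const flag = a.element.sensitive ? " (marked sensitive by the page)" : "";
  return `${a.extensionId}: ${a.action} on "${what}"${flag}`;
}

class ActionGate {
  // defaultSuspicious: actions that always need a decision (assumed subset).
  // askUser: callback(action, text) -> { allow: boolean, remember: boolean }
  constructor(defaultSuspicious, askUser) {
    for (const name of defaultSuspicious) {
      if (!ACTIONS.includes(name)) throw new Error(`unknown action: ${name}`);
    }
    this.defaultSuspicious = new Set(defaultSuspicious);
    this.askUser = askUser;
    this.remembered = new Map(); // decision key -> allow (boolean)
    this.prompts = 0;
  }

  // Decisions are remembered per extension, page origin, action and
  // sensitivity, so allowing a routine write on a plain element never
  // silently covers a later operation on a sensitive one.
  static key(a) {
    return [a.extensionId, a.origin, a.action, a.element.sensitive ? "S" : "-"].join("|");
  }

  // Any operation on a page-tainted element is suspicious, whatever the action.
  isSuspicious(a) {
    return a.element.sensitive === true || this.defaultSuspicious.has(a.action);
  }

  // Returns true if the extension action may proceed.
  check(a) {
    if (!ACTIONS.includes(a.action)) throw new Error(`unknown action: ${a.action}`);
    if (!this.isSuspicious(a)) return true;
    const k = ActionGate.key(a);
    if (this.remembered.has(k)) return this.remembered.get(k);
    this.prompts += 1;
    const decision = this.askUser(a, promptText(a));
    if (decision.remember) this.remembered.set(k, decision.allow);
    return decision.allow;
  }
}

// Constructed workload: one extension editing a text box many times and
// reading a password field a few times on the same (example) origin.
function simulate(remember) {
  const gate = new ActionGate(["Change Attr", "Request"], (a) => ({
    allow: !a.element.sensitive, // this simulated user refuses sensitive elements
    remember,
  }));
  const editor = { sensitive: false, description: "Message body" };
  const password = { sensitive: true, description: "Account password" };
  const mk = (action, element) => ({
    extensionId: "ext-editor",
    origin: "https://mail.example",
    action,
    element,
  });
  const workload = [];
  for (let i = 0; i < 500; i++) workload.push(mk("Change Attr", editor));
  for (let i = 0; i < 200; i++) workload.push(mk("Read Attr", editor));
  for (let i = 0; i < 3; i++) workload.push(mk("Read Attr", password));

  let allowed = 0;
  let blocked = 0;
  for (const a of workload) {
    if (gate.check(a)) allowed += 1;
    else blocked += 1;
  }
  return { prompts: gate.prompts, allowed, blocked };
}

console.log("remembering decisions:", simulate(true));
console.log("prompting every time: ", simulate(false));
```

The outcome is the same in both runs; only the number of prompts changes, which is the user-experience cost the benign-extension counts on this page point at.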
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Detecting Extension ActionsUsing the Isolated World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 15 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry BenchmarkingDOM Operations
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
modify-element-classname
44894 plusmn 420 47975 plusmn 1004 +69
addRange 38219 plusmn 138 38526 plusmn 211 +08modify-element-id 17203 plusmn 116 17641 plusmn 101 +25modify-element-title 14998 plusmn 111 15121 plusmn 73 +08select-multiple-add 1413 plusmn 09 709 plusmn 05 -499remove child with selection576 plusmn 07 1408 plusmn 12 +1446select-single-add 260 plusmn 01 215 plusmn 01 -172inner html with selection 245 plusmn 06 249 plusmn 06 +12select-long-word 144 plusmn 03 144 plusmn 02 -01long-sibling-list 139 120 plusmn 01 -137select-single-remove 85 plusmn 01 61 -280textarea-dom 34 30 -140div-editable 03 02 -47textarea-edit 02 02 -35
create-element 44180 plusmn 1845 65184 plusmn 779 +475append-child 551 plusmn 12 143 plusmn 02 -740set-element-attribute 145 plusmn 03 700 plusmn 06 +3837
Table A comparison of Blink DOM Operation benchmarks for both the originaland modified Chrome Browser
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 29 31
Telemetry BenchmarkingEvents
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
ShadowTrees 6019 plusmn 29 5795 plusmn 130 -37
DeeplyNestedShadowTrees 2353 plusmn 09 2333 plusmn 09 -08EventsDispatching 252 plusmn 01 203 plusmn 01 -193
SimpleClickDispatch 562 plusmn 07 953 plusmn 09 +695
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 30 31
Telemetry BenchmarkingNetwork Requests
Name Original Browser Modified BrowserAvg (ms) Avg (ms) ∆ Avg ()
send 11738 plusmn 571 12085 plusmn 592 +30
read-response 12081 plusmn 560 12455 plusmn 561 +31
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 31 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Script InjectionExecuting Scripts in the Main World
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 16 31
Intercepting Suspicious Chrome Extension ActionsProject Challenges
Project challenges
What extension actions do we consider suspicious
Differentiating between extension actions and other script actions
Improving user experience and suspicious action classification
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 17 31
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to third-party
User Experience Survey: Results
Action Group    Size    Prevented (%)
Total           839     64.1
Change Attr     120     72.5
Event           80      70.0
DOM             280     63.6
Request         80      62.5
Response        80      62.5
Create          100     61.0
Read Attr       99      56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four plots, one per extension (Grammarly, LastPass, Google Dictionary, StayFocusd). x-axis: Time (min); y-axis: Suspicious Actions (Cumulative). Legend: All possible suspicious actions, Default suspicious actions.]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart of Percentage (%) of responses (Understand, Kind of Understand, Don't Understand) for each action group: Change Attr, Event, DOM, Request, Response, Create, Read Attr.]
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50%, 380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting Malicious Behavior in Browser Extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                          Original Browser Avg (ms)    Modified Browser Avg (ms)    ∆ Avg (%)
modify-element-classname      4489.4 ± 42.0                4797.5 ± 100.4               +6.9
addRange                      3821.9 ± 13.8                3852.6 ± 21.1                +0.8
modify-element-id             1720.3 ± 11.6                1764.1 ± 10.1                +2.5
modify-element-title          1499.8 ± 11.1                1512.1 ± 7.3                 +0.8
select-multiple-add           141.3 ± 0.9                  70.9 ± 0.5                   -49.9
remove child with selection   57.6 ± 0.7                   140.8 ± 1.2                  +144.6
select-single-add             26.0 ± 0.1                   21.5 ± 0.1                   -17.2
inner html with selection     24.5 ± 0.6                   24.9 ± 0.6                   +1.2
select-long-word              14.4 ± 0.3                   14.4 ± 0.2                   -0.1
long-sibling-list             13.9                         12.0 ± 0.1                   -13.7
select-single-remove          8.5 ± 0.1                    6.1                          -28.0
textarea-dom                  3.4                          3.0                          -14.0
div-editable                  0.3                          0.2                          -4.7
textarea-edit                 0.2                          0.2                          -3.5
create-element                4418.0 ± 184.5               6518.4 ± 77.9                +47.5
append-child                  55.1 ± 1.2                   14.3 ± 0.2                   -74.0
set-element-attribute         14.5 ± 0.3                   70.0 ± 0.6                   +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                          Original Browser Avg (ms)    Modified Browser Avg (ms)    ∆ Avg (%)
ShadowTrees                   601.9 ± 2.9                  579.5 ± 13.0                 -3.7
DeeplyNestedShadowTrees       235.3 ± 0.9                  233.3 ± 0.9                  -0.8
EventsDispatching             25.2 ± 0.1                   20.3 ± 0.1                   -19.3
SimpleClickDispatch           56.2 ± 0.7                   95.3 ± 0.9                   +69.5
Telemetry Benchmarking: Network Requests
Name                          Original Browser Avg (ms)    Modified Browser Avg (ms)    ∆ Avg (%)
send                          1173.8 ± 57.1                1208.5 ± 59.2                +3.0
read-response                 1208.1 ± 56.0                1245.5 ± 56.1                +3.1
Describing Suspicious ActionsImproving User Experience
Users need to be able to correctly classify suspicious actions
Let web-pages describe elements themselves
Highlight or scroll to element under question
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 18 31
Sensitive AttributesImproving User Experience
Let web-pages taint elements as sensitive
Warn users of operations on sensitive elements
Precise sensitive data flow tracking
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 19 31
Remembering User DecisionsImproving User Experience
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 20 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Discovered Malicious Extension
Leaked sensitive data to a third party
User Experience Survey: Results
Action         Group Size   Prevented (%)
Total          839          64.1
Change Attr    120          72.5
Event          80           70.0
DOM            280          63.6
Request        80           62.5
Response       80           62.5
Create         100          61.0
Read Attr      99           56.6
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: four line charts, one per extension (Grammarly, LastPass, Google Dictionary, StayFocusd). x-axis: Time (min); y-axis: Suspicious Actions (Cumulative); series: All possible suspicious actions, Default suspicious actions.]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart. x-axis: action type (Change Attr, Event, DOM, Request, Response, Create, Read Attr); y-axis: Percentage (%); series: Understand, Kind of Understand, Don't Understand.]
Performance Impact: Results
Modified browser sometimes has significant performance overhead
DOM: 50% to 380% increase when creating elements, setting attributes
Events: 70% increase when dispatching click events
Demonstration and Questions
For Further Reading I
N. Jagpal, E. Dingle, J. P. Gravel, P. Mavrommatis, N. Provos, M. A. Rajab, and K. Thomas. Trends and Lessons from Three Years Fighting Malicious Extensions. Proceedings of the USENIX Security Symposium, 2015.
A. Kapravelos, C. Grier, N. Chachra, C. Kruegel, G. Vigna, and V. Paxson. Hulk: Eliciting malicious behavior in browser extensions. Proceedings of the USENIX Security Symposium, 2014.
Top 9 Browsers. StatCounter, 2017.
Telemetry Benchmarking: DOM Operations
Name                           Original Browser Avg (ms)   Modified Browser Avg (ms)   ∆ Avg (%)
modify-element-classname       44894 ± 420                 47975 ± 1004                +6.9
addRange                       38219 ± 138                 38526 ± 211                 +0.8
modify-element-id              17203 ± 116                 17641 ± 101                 +2.5
modify-element-title           14998 ± 111                 15121 ± 73                  +0.8
select-multiple-add            1413 ± 09                   709 ± 05                    -49.9
remove child with selection    576 ± 07                    1408 ± 12                   +144.6
select-single-add              260 ± 01                    215 ± 01                    -17.2
inner html with selection      245 ± 06                    249 ± 06                    +1.2
select-long-word               144 ± 03                    144 ± 02                    -0.1
long-sibling-list              139                         120 ± 01                    -13.7
select-single-remove           85 ± 01                     61                          -28.0
textarea-dom                   34                          30                          -14.0
div-editable                   03                          02                          -4.7
textarea-edit                  02                          02                          -3.5
create-element                 44180 ± 1845                65184 ± 779                 +47.5
append-child                   551 ± 12                    143 ± 02                    -74.0
set-element-attribute          145 ± 03                    700 ± 06                    +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Security GuaranteesResults
Guarantee we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 21 31
Discovered Malicious Extension
Leaked sensitive data to third-party
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 22 31
User Experience SurveyResults
Action Group Size Prevented () Bar Chart Prevented ()
Total 839 641
Change Attr 120 725
Event 80 700
DOM 280 636
Request 80 625
Response 80 625
Create 100 610
Read Attr 99 566
400 600 800
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 23 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Grammarly
All possible suspicious actionsDefault suspicious actions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry Benchmarking: DOM Operations
Name | Original Browser Avg (ms) | Modified Browser Avg (ms) | ∆ Avg (%)
modify-element-classname | 4489.4 ± 42.0 | 4797.5 ± 100.4 | +6.9
addRange | 3821.9 ± 13.8 | 3852.6 ± 21.1 | +0.8
modify-element-id | 1720.3 ± 11.6 | 1764.1 ± 10.1 | +2.5
modify-element-title | 1499.8 ± 11.1 | 1512.1 ± 7.3 | +0.8
select-multiple-add | 141.3 ± 0.9 | 70.9 ± 0.5 | -49.9
remove child with selection | 57.6 ± 0.7 | 140.8 ± 1.2 | +144.6
select-single-add | 26.0 ± 0.1 | 21.5 ± 0.1 | -17.2
inner html with selection | 24.5 ± 0.6 | 24.9 ± 0.6 | +1.2
select-long-word | 14.4 ± 0.3 | 14.4 ± 0.2 | -0.1
long-sibling-list | 13.9 | 12.0 ± 0.1 | -13.7
select-single-remove | 8.5 ± 0.1 | 6.1 | -28.0
textarea-dom | 3.4 | 3.0 | -14.0
div-editable | 0.3 | 0.2 | -4.7
textarea-edit | 0.2 | 0.2 | -3.5
create-element | 4418.0 ± 184.5 | 6518.4 ± 77.9 | +47.5
append-child | 55.1 ± 1.2 | 14.3 ± 0.2 | -74.0
set-element-attribute | 14.5 ± 0.3 | 70.0 ± 0.6 | +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser

Telemetry Benchmarking: Events
Name | Original Browser Avg (ms) | Modified Browser Avg (ms) | ∆ Avg (%)
ShadowTrees | 601.9 ± 2.9 | 579.5 ± 13.0 | -3.7
DeeplyNestedShadowTrees | 235.3 ± 0.9 | 233.3 ± 0.9 | -0.8
EventsDispatching | 25.2 ± 0.1 | 20.3 ± 0.1 | -19.3
SimpleClickDispatch | 56.2 ± 0.7 | 95.3 ± 0.9 | +69.5

Telemetry Benchmarking: Network Requests
Name | Original Browser Avg (ms) | Modified Browser Avg (ms) | ∆ Avg (%)
send | 1173.8 ± 57.1 | 1208.5 ± 59.2 | +3.0
read-response | 1208.1 ± 56.0 | 1245.5 ± 56.1 | +3.1

Security Guarantees: Results
Guarantee: we alert users if an extension executes a suspicious action
But security relies on users correctly classifying malicious actions
False negatives = attacks made possible
False positives = benign extensions may break

Discovered Malicious Extension
Leaked sensitive data to a third party

User Experience Survey: Results
Action Group | Size | Prevented (%)
Total | 839 | 64.1
Change Attr | 120 | 72.5
Event | 80 | 70.0
DOM | 280 | 63.6
Request | 80 | 62.5
Response | 80 | 62.5
Create | 100 | 61.0
Read Attr | 99 | 56.6
[Bar chart column: Prevented (%), axis from 40.0 to 80.0.]

Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: Grammarly. Cumulative suspicious actions (y-axis, 0 to 15000) against time in minutes (x-axis, 0 to 15); series: All possible suspicious actions, Default suspicious actions.]
[Figure: LastPass. Cumulative suspicious actions (y-axis, 0 to 15000) against time in minutes (x-axis, 0 to 15).]
[Figure: Google Dictionary. Cumulative suspicious actions (y-axis, 0 to 1000) against time in minutes (x-axis, 0 to 15).]

Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)LastPass
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
500
1000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)
Google Dictionary
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executedduring 15 minutes of extension use
0 5 10 150
5000
10000
15000
20000
Time (min)
Su
spic
iou
sA
ctio
ns
(Cu
mu
lati
ve)StayFocusd
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 24 31
User Experience SurveyResults
Change Attr Event DOM Request Response Create Read Attr0
20
40
60
48 50
60
49 50 4852
2925 25
3426
3227
23 25
16 1724
20 21
Per
cen
tage
()
Do users understand suspicious extension action pop-ups
Understand Kind of Understand Donrsquot Understand
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 25 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Performance ImpactResults
Modified browser sometimes has significant performance overhead
DOM 50 380 increase when creating elements setting attributes
Events 70 increase when dispatching click events
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 26 31
Demonstration and Questions
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 27 31
For Further Reading I
N Jagpal E Dingle J P Gravel P Mavrommatis N Provos M ARajab and K ThomasTrends and Lessons from Three Years Fighting Malicious ExtensionsProceedings of the USENIX Security Symposium 2015
A Kapravelos C Grier N Chachra C Kruegel G Vigna and VPaxsonHulk Eliciting malicious behavior in browser extensionsProceedings of the USENIX Security Symposium 2014
Top 9 BrowsersStatCounter 2017
Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26 2017 28 31
Telemetry Benchmarking: DOM Operations
Name                          Original Browser    Modified Browser    ∆ Avg (%)
                              Avg (ms)            Avg (ms)
modify-element-classname      4489.4 ± 42.0       4797.5 ± 100.4      +6.9
addRange                      3821.9 ± 13.8       3852.6 ± 21.1       +0.8
modify-element-id             1720.3 ± 11.6       1764.1 ± 10.1       +2.5
modify-element-title          1499.8 ± 11.1       1512.1 ± 7.3        +0.8
select-multiple-add           141.3 ± 0.9         70.9 ± 0.5          -49.9
remove child with selection   57.6 ± 0.7          140.8 ± 1.2         +144.6
select-single-add             26.0 ± 0.1          21.5 ± 0.1          -17.2
inner html with selection     24.5 ± 0.6          24.9 ± 0.6          +1.2
select-long-word              14.4 ± 0.3          14.4 ± 0.2          -0.1
long-sibling-list             13.9                12.0 ± 0.1          -13.7
select-single-remove          8.5 ± 0.1           6.1                 -28.0
textarea-dom                  3.4                 3.0                 -14.0
div-editable                  0.3                 0.2                 -4.7
textarea-edit                 0.2                 0.2                 -3.5
create-element                4418.0 ± 184.5      6518.4 ± 77.9       +47.5
append-child                  55.1 ± 1.2          14.3 ± 0.2          -74.0
set-element-attribute         14.5 ± 0.3          70.0 ± 0.6          +383.7
Table: A comparison of Blink DOM Operation benchmarks for both the original and modified Chrome Browser
Telemetry Benchmarking: Events
Name                          Original Browser    Modified Browser    ∆ Avg (%)
                              Avg (ms)            Avg (ms)
ShadowTrees                   601.9 ± 2.9         579.5 ± 13.0        -3.7
DeeplyNestedShadowTrees       235.3 ± 0.9         233.3 ± 0.9         -0.8
EventsDispatching             25.2 ± 0.1          20.3 ± 0.1          -19.3
SimpleClickDispatch           56.2 ± 0.7          95.3 ± 0.9          +69.5
Telemetry Benchmarking: Network Requests
Name                          Original Browser    Modified Browser    ∆ Avg (%)
                              Avg (ms)            Avg (ms)
send                          1173.8 ± 57.1       1208.5 ± 59.2       +3.0
read-response                 1208.1 ± 56.0       1245.5 ± 56.1       +3.1
Suspicious Actions Triggered By Popular Benign Extensions
The quantity of suspicious actions executed during 15 minutes of extension use
[Figure: Suspicious Actions (Cumulative) against Time (min), 0 to 15 minutes, for Google Dictionary; vertical axis 0 to 1000]
[Figure: Suspicious Actions (Cumulative) against Time (min), 0 to 15 minutes, for StayFocusd; vertical axis 0 to 20000]
User Experience Survey: Results
Do users understand suspicious extension action pop-ups?
[Figure: bar chart of Percentage (%) answering Understand, Kind of Understand or Don't Understand, for each action type: Change Attr, Event, DOM, Request, Response, Create, Read Attr]