
Sentinel: Securing Legacy Firefox Extensions
Kaan Onarlioglu, Ahmet Salih Buyukkayhan, William Robertson, Engin Kirda
Northeastern University, College of Computer and Information Science, Boston, MA USA

Abstract
A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at "benign-but-buggy" extensions, as well as extensions that have been written with malicious intent, pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged, making them attractive attack targets. Unfortunately, users currently do not have many options when it comes to protecting themselves from extensions that may potentially be malicious. Once installed and executed, the extension is considered trusted.

This paper introduces Sentinel, a policy enforcer for the Firefox browser that gives fine-grained control to the user over the actions of existing JavaScript Firefox extensions. The user is able to define policies (or use predefined ones) and block common attacks such as data exfiltration, remote code execution, saved password theft, preference modification, phishing, browser window clickjacking, and namespace collision exploits. Our evaluation of Sentinel shows that our prototype implementation can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on the user’s browsing experience.

Keywords: Web browser security, extension security, browser extensions, malicious extensions, JavaScript extensions, Firefox

Corresponding author.
Email addresses: onarliog@ccs.neu.edu (Kaan Onarlioglu), bkayhan@ccs.neu.edu (Ahmet Salih Buyukkayhan), wkr@ccs.neu.edu (William Robertson), ek@ccs.neu.edu (Engin Kirda)
URL: http://www.onarlioglu.com (Kaan Onarlioglu), http://www.buyukkayhan.com (Ahmet Salih Buyukkayhan), http://www.wilrobertson.com (William Robertson), http://www.ccs.neu.edu/home/ek/ (Engin Kirda)
Preprint submitted to Computers & Security, December 26, 2014

1. Introduction
A browser extension (sometimes also called an add-on) is a useful software component that extends the functionality of a web browser in some way. Popular browsers such as Internet Explorer, Firefox, and Chrome have thousands of extensions that are available to their users. Such extensions typically enhance the browsing experience, and often provide extra functionality that is not available in the browser (e.g., video extractors, thumbnail generators, advanced automated form fillers, etc.). Clearly, the availability of convenient browser extensions may even influence how popular a browser is. Unfortunately, extensions can also be misused by attackers to launch attacks against users.

A poorly designed extension with a security vulnerability can expose the whole system to an attacker. Therefore, attacks directed at "benign-but-buggy" extensions, as well as extensions that have been written with malicious intent, pose a significant security threat to a system running such a component. In fact, recent studies have shown that many Firefox extensions are over-privileged [1], and that they demonstrate insecure programming practices that can make them vulnerable to exploitation [2]. While many solutions have been proposed for common web security problems (e.g., SQL injection, cross-site scripting, cross-site request forgery, logic flaws, client-side vulnerabilities, etc.), solutions that specifically aim to mitigate browser extension-related attacks have received less attention.

Specifically, in the case of Firefox, the Mozilla Platform provides browser extensions with a rich API through XPCOM (Cross Platform Component Object Model) [3]. XPCOM is a framework that allows for platform-independent development of components, each defining a set of interfaces that offer various services to applications. Firefox extensions, mostly written in JavaScript, can interoperate with XPCOM via a technology called XPConnect. This grants them powerful capabilities such as access to the filesystem, network, and stored passwords. Extensions access the XPCOM interfaces with the full privileges of the browser; in addition, the browser does not impose any restrictions on the set of XPCOM interfaces that an extension can use. As a result, extensions can potentially access and misuse sensitive system resources.

In addition, Firefox extensions have full control over the visual appearance and functionality of the browser window, including all its GUI elements such as menus, toolbars, and buttons. Firefox and its extensions specify their user interfaces using XUL (XML User Interface Language), the Mozilla Platform’s XML based language for building GUIs [4]. Extensions can use the facilities provided by XUL to create, modify, and remove GUI elements in the browser window. While this is originally intended for benign extensions to enhance the browser GUI, for example by adding shortcuts to extension features for increased usability, it also enables a malicious extension to freely change the established functionality of existing XUL elements in unexpected ways (e.g., to implement clickjacking attacks in the browser window), or deceptively alter security critical visual cues such as the browser’s SSL connection indicators (e.g., to facilitate phishing attempts).

Last but not least, the Firefox extension framework is designed to allow all extensions to share the same JavaScript namespace. So far, this has primarily been recognized as a non-security critical namespace collision problem that could cause issues when multiple extensions that define global variables with identical names are installed together [5]. However, a malicious extension could also exploit this vulnerability and access variables defined by other extensions to steal sensitive information (e.g., credentials stored by a password manager extension), or to overwrite the functions and objects utilized by other extensions to maliciously alter their behavior.

In order to address some of these problems, Mozilla has been developing an alternate Firefox extension development framework, called the Add-on SDK under the Jetpack Project [6]. Extensions developed using this new SDK benefit from improved security mechanisms such as fine-grained access control for XPCOM components, and isolation between different framework modules. Although this approach effectively corrects some of the core problems associated with the security model of legacy Firefox extensions, existing extensions are not easily ported to the Add-on SDK, and the Add-on SDK has not been widely adopted yet. In fact, we analyzed the top 1,000 Firefox extensions and discovered that only 10.7% of them utilize the Jetpack approach, while the remaining 89.3% remain affected by the aforementioned security threats.

Hence, a user currently does not have many options when it comes to protecting herself from legacy extensions that may contain malicious functionality, or that have vulnerabilities that can be exploited by an attacker.

In this paper, we present Sentinel, a policy enforcer for the Firefox browser that gives fine-grained control to the user over the actions of legacy JavaScript extensions. In other words, the user is able to define detailed policies (or use predefined ones) to block malicious actions, and can prevent concrete and practical extension attacks such as data exfiltration, remote code execution, saved password theft, preference modification, phishing, browser window clickjacking, and namespace collision exploits. Note that the work we describe in this paper is tailored to secure legacy JavaScript extensions, which constitute the vast majority of popular extensions. A detailed discussion of Sentinel’s applicability to popular extensions is presented in Section 5.3.

In summary, this paper makes the following contributions:
• We present a novel runtime policy enforcement approach based on user-defined policies to ensure that legacy JavaScript Firefox extensions do not engage in undesired malicious activity.
• Our proposed approach provides protection against all three classes of extension attacks described, namely, XPCOM attacks, malicious modifications to XUL elements, and JavaScript namespace collisions.
• We provide a detailed description of our design and the implementation of the prototype system, which we call Sentinel.
• We provide a comprehensive evaluation of Sentinel that shows that our system can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on the user’s browsing experience, and is applicable to the vast majority of existing extensions in a completely automated fashion.

This paper is an extended version of the authors’ previous work titled Securing Legacy Firefox Extensions with Sentinel [7]. While the scope of our previous work is limited to proposing a defense against XPCOM-based extension attacks, this paper describes and addresses two additional attack classes (i.e., malicious XUL element manipulations and JavaScript namespace collision exploits) for achieving more comprehensive Firefox extension security. We describe the design and implementation of the new features of Sentinel, and expand the XPCOM-related sections. We then provide an updated security evaluation by testing the system with three additional malicious extensions that demonstrate the newly introduced attacks. We also update the performance, applicability and usability evaluation of the system, and provide additional insights into the adoption rate of the Jetpack framework by analyzing three datasets of top 1,000 popular extensions downloaded during a 21-month period.

The paper is structured as follows. Section 2 presents the threat model we assume for this study. Section 3 explains our approach, and how we secure extensions with Sentinel. Section 4 presents implementation details of the core system components. Section 5 describes example attacks and the policies we implemented against them, and presents the evaluation of Sentinel. Section 6 presents the related work, and finally, Section 7 concludes the paper.

2. Threat Model
The threat model we assume for this work includes both malicious extensions, and "benign-but-buggy" (or "benign-but-not-security-aware") extensions.

For the first scenario, we assume that a Firefox user can be tricked into installing a browser extension specifically developed with malicious intent, such as exfiltrating sensitive information from her computer to an attacker. In the second scenario, the extension does not have any malicious functionality by itself, but contains bugs that can serve as attack vectors, or poorly designed features, which can jeopardize the security of the rest of the system.

In both scenarios, we assume that the extensions have full access to XPCOM and XUL elements as all Firefox extensions normally do. The browser, and therefore all extensions, can run with the user’s privileges and access all system resources that the user can.

Our threat model primarily covers JavaScript extensions, which according to our analysis constitute the vast majority of top Firefox extensions (see discussion in Section 5.3), and attacks caused by their misuse of XPCOM and other extension-specific capabilities such as manipulating XUL elements and exploiting global JavaScript namespace collisions. Vulnerabilities in binary extensions, external binary components in JavaScript extensions, browser plug-ins (e.g., Flash Player), or the core browser code itself are outside the scope of our threat model. Other well-known JavaScript attacks that do not utilize the Firefox extension framework and that are not specific to browser extensions (e.g., malicious DOM manipulation on the HTML content of web pages) are also outside the scope of this work.

[Figure 1: Overview of Sentinel from the user’s perspective. Diagram labels: User, Browser, Sentinel, Original Extension, Sanitized Extension.]

3. Securing Untrusted Extensions
Figure 1 illustrates an overview of Sentinel from the user’s perspective. First, the user downloads an extension from the Internet, for instance from the official Mozilla Firefox add-ons website. Before installation, the user runs the extension through the Sentinel preprocessor, which automatically analyzes and modifies the extension without the user’s intervention, to enable runtime monitoring. The sanitized extension is then installed to the Sentinel-enabled Firefox as usual. At any time, the user can create and edit policies at a per-extension granularity.

Internally, at a high level, Sentinel monitors and intercepts all XPCOM and XUL element accesses requested by JavaScript Firefox extensions at runtime, analyzes the source, target(s), type and parameters of the operation performed, and allows or denies access by consulting a local policy database.

In the rest of this section, we present our approach to designing each of the core components of Sentinel, and describe how they operate in detail.

3.1. Intercepting XPCOM Operations
While it is possible to design Sentinel as a monitor layer inside XPConnect, such an approach would require heavy modifications to the browser and the Mozilla Platform, which would in turn complicate the implementation and deployment of the system. Furthermore, continued maintenance of the system against the rapidly evolving Firefox source code would raise additional challenges. In order to avoid these problems, we took an alternative design approach which instead involves augmenting the critical JavaScript objects that provide extensions with interfaces to XPCOM with secure policy enforcement capabilities.

JavaScript extensions communicate with XPCOM using XPConnect, through a JavaScript object called Components. This object is automatically added to privileged JavaScript scopes of Firefox and extensions. To illustrate, the example below shows how to obtain an XPCOM object instance (in this case, nsIFile for local filesystem access) from the Components object.

var file = Components.classes["@mozilla.org/file/local;1"].
createInstance(Components.interfaces.nsILocalFile);

Once instantiated in this way, extensions can invoke the object’s methods to perform various operations via XPCOM. For example, the below code snippet demonstrates how to delete a file.

file.initWithPath("/home/user/some_file.txt");
file.remove();

Sentinel replaces the Components object with a different object that we call Components Proxy, and all other XPCOM objects obtained from it with an object that we call Object Proxy. These two new object types wrap around the originals, isolating extensions from direct access to XPCOM. Each operation performed on these objects, such as instantiating new objects from them, invoking their methods, or accessing their properties, is first analyzed by Sentinel and reported to a Policy Manager component, which decides whether the operation should be permitted. Based on the decision, the Components Proxy (or Object Proxy) either blocks the operation, or forwards the request to the original XPCOM object it wraps. Of course, if the performed operation returns another XPCOM object to the caller, it is also wrapped by an Object Proxy before being passed to the extension.

This process is illustrated with an example in Figure 2. In Step 1, a browser extension requests the Components Proxy to instantiate a new File object. In Step 2, the Components Proxy, before fulfilling the request, consults the Policy Manager to check whether the extension is allowed to access the filesystem. Assuming that access is granted, in Step 3, the Components Proxy forwards the request to the original Components, which in turn communicates with XPCOM to create the File object. In Step 4, the Components Proxy wraps the File object with an Object Proxy and passes it to the extension. Steps 5, 6, 7, and 8 follow a similar pattern. The extension requests deletion of the file, the Object Proxy wrapping the File object checks for write permissions to the given file, receives a positive response, and forwards the request to the encapsulated File object, which performs the deletion via XPCOM.
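
The interposition described in this section can be modelled outside Firefox with the standard ES2015 Proxy object. The following is an added example, not code from the paper or from Sentinel: the fake XPCOM objects, the extension name notes-extension, the rule format and the default-deny choice are assumptions made for illustration.

```javascript
// fakeComponents and makeFakeFile are constructed stand-ins for XPCOM.
const fakeDisk = new Set(["/home/user/some_file.txt"]);
function makeFakeFile(path = null) {
  return {
    initWithPath(p) { path = p; },
    exists() { return fakeDisk.has(path); },
    remove() { fakeDisk.delete(path); },
    clone() { return makeFakeFile(path); }, // hands back another "XPCOM" object
  };
}

const fakeComponents = {
  classes: { "@mozilla.org/file/local;1": { createInstance: () => makeFakeFile() } },
  interfaces: { nsILocalFile: "nsILocalFile" },
};

// Constructed Policy Database: per-extension rules, default deny.
const POLICY_DB = {
  "notes-extension": [
    { type: "@mozilla.org/file/local;1", operation: "*", allow: true },
    { type: "@mozilla.org/file/local;1", operation: "remove", allow: false },
  ],
};
class PolicyViolation extends Error {}
const decisions = []; // audit trail of every request the Policy Manager saw

// Policy Manager: an exact operation rule beats the "*" rule; no rule means deny.
function check(request) {
  const rules = POLICY_DB[request.origin] || [];
  const rule =
    rules.find(r => r.type === request.type && r.operation === request.operation) ||
    rules.find(r => r.type === request.type && r.operation === "*");
  const allowed = Boolean(rule && rule.allow);
  decisions.push({ ...request, allowed });
  if (!allowed) throw new PolicyViolation(`${request.origin} denied on ${request.type}`);
}

// Object Proxy: checks each method call or property access, then forwards it.
function objectProxy(target, type, origin) {
  const wrap = v => (v !== null && typeof v === "object" ? objectProxy(v, type, origin) : v);
  return new Proxy(target, {
    get(obj, prop) {
      const request = { origin, type, operation: String(prop) };
      if (typeof obj[prop] === "function") {
        return (...args) => {
          check({ ...request, args });
          return wrap(obj[prop](...args)); // returned objects stay wrapped
        };
      }
      check(request);
      return wrap(obj[prop]);
    },
  });
}

// Components Proxy: the extension's only route to the class table.
function componentsProxy(components, origin) {
  const classes = new Proxy(components.classes, {
    get: (table, contractID) => ({
      createInstance(iface) {
        check({ origin, type: contractID, operation: null }); // instantiation
        return objectProxy(table[contractID].createInstance(iface), contractID, origin);
      },
    }),
  });
  return { classes, interfaces: components.interfaces };
}

function demo() {
  const start = decisions.length;
  const Components = componentsProxy(fakeComponents, "notes-extension");
  const file = Components.classes["@mozilla.org/file/local;1"]
    .createInstance(Components.interfaces.nsILocalFile);
  file.initWithPath("/home/user/some_file.txt");
  const blocked = fn => { try { fn(); return false; } catch (e) { return e instanceof PolicyViolation; } };
  return {
    removeBlocked: blocked(() => file.remove()),
    cloneRemoveBlocked: blocked(() => file.clone().remove()),
    fileSurvives: file.exists(),
    trail: decisions.slice(start).map(d => `${d.operation || "instantiate"}:${d.allowed}`),
  };
}
console.log(demo());
```

The second blocked call is the one to look at: the object returned by clone() is wrapped again, so an extension cannot escape the policy by asking a permitted object for a fresh handle.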

3.2. Intercepting XUL Document Manipulations
Similar to the approach taken with XPCOM wrappers, Sentinel also monitors the interfaces that are used by extensions to manipulate the browser windows (also called XUL documents in Mozilla parlance).

[Figure 2: An overview of Sentinel, demonstrating how a file deletion operation can be intercepted and checked with a policy. Diagram components: Browser Extension, Components Proxy, Components, Object Proxy, File Object, Policy Manager, XPCOM, System. Labelled steps: 1 create File, 4 return File in Object Proxy, 5 delete, 8 return success.]

The Firefox GUI is built by a set of base XUL files that come with the browser’s source code. One way extensions can manipulate the structures of these XUL documents is by supplying their own XUL overlays. XUL overlays are partial XUL files that come with an extension’s package; they can describe new XUL elements to be added on a base XUL document, or modify the elements defined in the base document itself. The below example shows how an extension can request in its manifest file to load a XUL overlay.

overlay chrome://browser/content/browser.xul chrome://example-extension/browserOverlay.xul

When Firefox loads the given example extension, it parses the extension’s manifest file, locates the two files in the corresponding Mozilla application’s package (referenced by chrome URLs), and then merges the two files to build the final XUL document. In this example, "browser.xul" is the file that describes the main Firefox window, and "browserOverlay.xul" is provided by the extension as an overlay. If the two merged files define XUL elements that share the same id attribute, those elements are merged together. In this way, an extension overlay can modify or even remove XUL elements that are defined in the base XUL file, as well as add new ones.

Extensions can also dynamically modify a XUL document during runtime using the DOM (Document Object Model) API. DOM is a convention for representing HTML or XML content as a tree of node objects so that scripting languages can easily manipulate them. Similarly, Firefox uses the DOM to represent XUL documents as a tree of XUL nodes, and provides extensions with an API to modify this structure. Firefox internally represents each XUL document as an object called XULDocument and all XUL nodes as XULElement objects. Extensions can then access these objects in JavaScript and utilize the DOM API as follows.

// "window.document" contains the XULDocument
// simply "document" also works, "window" is implicit
// get File menu element
var menu = document.getElementById("file-menu");
// create a new menuitem element & set its label
var newItem = document.createElement("menuitem");
newItem.setAttribute("label", "This is a new item!");
// add new element at the end of File menu
menu.appendChild(newItem);

As a first step to interposing on XUL document manipulation operations, we introduce two additional wrapper objects, analogous to the XPCOM proxies discussed previously. Sentinel wraps XULDocument with an object called Document Proxy, and all XULElement nodes in the DOM tree with Element Proxy objects. The Element Proxy allows Sentinel to monitor all operations performed on existing XUL elements (e.g., attribute and property modifications), to report them to the Policy Manager, and to allow or deny the operation according to the policies defined in the system. The Document Proxy, on the other hand, makes it possible to intercept the dynamic creation of new XUL elements on a document by extensions so that Sentinel can correctly monitor those as well.

However, unlike the previously described XPCOM monitor component, Sentinel needs an additional piece of information to be able to make meaningful policy decisions for XUL-related operations. Namely, the system needs to be able to associate every XUL element with an owner (i.e., the extension that created it, or the browser itself). In this way we can apply policies depending on the identity of the extension requesting a XUL operation, and that of the owner of the targeted XUL element. To this end, Sentinel includes a XUL Database. Before system deployment, this database is initialized with XUL element id attributes extracted from the XUL documents in the Firefox source code by a simple static analysis of the corresponding XML files, and these IDs are mapped to an owner, in this case the browser. Afterwards, every time a new extension is installed, Sentinel also analyzes the newly supplied XUL files and updates the XUL Database with additional ID-to-owner associations for that extension. Note that due to the overlay mechanism, an extension could also specify existing id values in its XUL files to modify existing XUL elements. In such cases where an ID-to-owner association already exists in the database, Sentinel does not update the ownership of the corresponding element, lest a malicious extension attempts to hijack an element owned by a different entity. In this way, an extension that, for instance, redefines the browser’s File Menu ID to add a new menu item does not become the owner of the entire menu, but only owns the newly added item. Once this database is built, Sentinel can query it for XUL element owners and effectively enforce policies such as allowing element manipulation only on an extension’s own elements.

Finally, a special case applies to XUL elements dynamically created by an extension at runtime. Elements are normally initialized without an ID value; therefore, Document Proxy intercepts element creation and assigns a random ID to the new element to capture the ID-to-owner relationship, and updates the XUL database with this temporary mapping. Later, if the owner extension assigns another ID to this element, the database records are updated accordingly.
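
The ownership bookkeeping described above comes down to a map in which the first registration of an ID wins. The following is an added example, not the paper's implementation: the XUL snippets, the extension name, the regex-based ID extraction and the rule that a re-assigned ID may not collide with an existing one are assumptions.

```javascript
// Constructed sample markup: a base XUL file and an extension overlay that
// reuses the File menu's id in order to add one item to it.
const BASE_XUL = `<window id="main-window">
  <menu id="file-menu"><menupopup id="file-popup"/></menu>
</window>`;
const OVERLAY_XUL = `<overlay id="example-overlay">
  <menu id="file-menu"><menuitem id="example-item" label="This is a new item!"/></menu>
</overlay>`;

// Simplified stand-in for the static analysis: collect id="..." attributes.
function extractIds(xul) {
  return [...xul.matchAll(/\sid\s*=\s*(["'])(.*?)\1/g)].map(m => m[2]);
}

class XulDatabase {
  constructor() { this.owners = new Map(); }

  // Static registration of a XUL file. An existing ID-to-owner association is
  // never replaced, so overlaying a browser element does not transfer it.
  registerFile(xul, owner) {
    for (const id of extractIds(xul)) {
      if (!this.owners.has(id)) this.owners.set(id, owner);
    }
  }

  // Runtime creation: the new element gets a temporary random ID so that the
  // creating extension can be recorded as its owner.
  registerDynamic(owner) {
    let id;
    do {
      id = "sentinel-tmp-" + Math.random().toString(36).slice(2, 10);
    } while (this.owners.has(id));
    this.owners.set(id, owner);
    return id;
  }

  // The owner later gives the element its own ID. Assumption of this example:
  // only the owner may do so, and never onto an ID that is already recorded.
  reassign(oldId, newId, requester) {
    if (this.owners.get(oldId) !== requester || this.owners.has(newId)) return false;
    this.owners.delete(oldId);
    this.owners.set(newId, requester);
    return true;
  }

  ownerOf(id) { return this.owners.get(id) ?? null; }
}

// Example policy from the text: manipulate only elements you own.
function mayModify(db, requester, elementId) {
  return db.ownerOf(elementId) === requester;
}

function demo() {
  const db = new XulDatabase();
  db.registerFile(BASE_XUL, "browser");            // before deployment
  db.registerFile(OVERLAY_XUL, "example-extension"); // at install time
  const tempId = db.registerDynamic("example-extension");
  return {
    menuOwner: db.ownerOf("file-menu"),
    itemOwner: db.ownerOf("example-item"),
    canEditMenu: mayModify(db, "example-extension", "file-menu"),
    canEditItem: mayModify(db, "example-extension", "example-item"),
    canEditDynamic: mayModify(db, "example-extension", tempId),
    hijackViaRename: db.reassign(tempId, "file-menu", "example-extension"),
    renamed: db.reassign(tempId, "example-dynamic", "example-extension"),
    renamedOwner: db.ownerOf("example-dynamic"),
    tempIdGone: db.ownerOf(tempId) === null,
  };
}
console.log(demo());
```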

3.3. Preventing Namespace Collision Exploits
In Firefox, the root of the DOM tree representing a XUL document can be accessed using the JavaScript property window. This property contains a permanent, global window object that implicitly owns every variable and function defined in the global scope of a given browser window as its properties and methods, respectively. The below code snippet illustrates this implicit relationship, and how the use of the window property is optional in the global scope.

// "text" implicitly becomes a property of "window"
var text = "Hello World!";
// these two statements are equivalent
alert(text);
alert(window.text);

Variables and functions defined by Firefox extensions running in the context of the same XUL document are automatically owned by the same window object, as opposed to each extension getting its own isolated JavaScript namespace. This has the undesired side effect of allowing extensions to read or overwrite sensitive information stored by others, or redefine the functions they use. Moreover, an extension running in the context of a different XUL document can still use the APIs provided by the browser (e.g., XPCOM) to retrieve the window objects of different XUL documents and access their scope as well.

In order to remediate this attack surface, we define one final wrapper object, Window Proxy, that replaces the original object stored in the global window property. The sole responsibility of this wrapper is to interpose on accesses or assignments to properties/methods of the original window, determine the origin of the request and the owner of the target property/method, and decide whether to allow the operation by consulting the Policy Manager.

The owner of a JavaScript name is resolved by querying a Names Database. This database is initialized before Sentinel is deployed by statically analyzing the JavaScript files that come with Firefox source code to extract globally defined names, and setting their owners as the browser. Next, every time a new extension is installed, its JavaScript files are analyzed as well, and the database is updated with the names they own. Note that this analysis and the corresponding policy checks are only performed for the names defined and accessed in the global scope of scripts since this granularity is sufficient to prevent the described exploits. In particular, Sentinel only decides whether extensions can access or overwrite a target top-level variable, function or object; once access to an object is granted, access to specific properties and methods of those objects are not subjected to policy checks. A deeper inspection of the inner scopes would unnecessarily degrade the performance of the browser without any additional security benefit.
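
A Window Proxy that checks only top-level names can be sketched with get and set traps on the shared window object. This is an added example, not the paper's code: the extension names, the sample globals, the concrete policy (owners get full access, browser names are readable by everyone) and the rule that a name created at runtime belongs to whoever defines it first are assumptions.

```javascript
// Names Database: top-level name -> owner, as the static analysis would
// record it. All entries are constructed for this example.
const NAMES_DB = new Map([
  ["alert", "browser"],
  ["savedCredentials", "password-manager"],
  ["fillLoginForm", "password-manager"],
]);

// Assumed policy: a name's owner may read and write it, browser-owned names
// are readable by every extension, anything else is denied.
function allowed(origin, name, access) {
  const owner = NAMES_DB.get(name);
  if (owner === undefined || owner === origin) return true;
  return owner === "browser" && access === "read";
}

// Window Proxy: one wrapper per extension around the same shared window.
function windowProxy(realWindow, origin, log) {
  const guard = (name, access) => {
    if (typeof name === "symbol") return; // engine-internal lookups, not names
    const ok = allowed(origin, name, access);
    log.push(`${origin} ${access} ${name}: ${ok ? "allow" : "deny"}`);
    if (!ok) throw new Error(`${origin} may not ${access} window.${name}`);
  };
  return new Proxy(realWindow, {
    // Only the top-level name is checked. The value is returned unwrapped,
    // so its inner properties are not subject to further policy checks.
    get(win, name) { guard(name, "read"); return win[name]; },
    set(win, name, value) {
      guard(name, "write");
      // Assumption: a name first defined at runtime is owned by its definer.
      if (typeof name === "string" && !NAMES_DB.has(name)) NAMES_DB.set(name, origin);
      win[name] = value;
      return true;
    },
  });
}

function demo() {
  // Constructed shared global scope holding one extension's sensitive state.
  const sharedWindow = {
    alert: msg => msg,
    savedCredentials: { "example.test": "constructed-password" },
    fillLoginForm: site => sharedWindow.savedCredentials[site],
  };
  const log = [];
  const pm = windowProxy(sharedWindow, "password-manager", log);
  const other = windowProxy(sharedWindow, "other-extension", log);
  const attempt = fn => { try { fn(); return "ok"; } catch (e) { return "blocked"; } };
  return {
    ownerReads: attempt(() => pm.savedCredentials["example.test"]),
    otherReads: attempt(() => other.savedCredentials),
    otherRedefines: attempt(() => { other.fillLoginForm = () => "replaced"; }),
    otherCallsBrowserName: attempt(() => other.alert("hi")),
    otherRedefinesBrowserName: attempt(() => { other.alert = () => {}; }),
    otherDefinesOwnName: attempt(() => { other.myCounter = 1; }),
    ownerReadsOthersName: attempt(() => pm.myCounter),
    functionIntact: sharedWindow.fillLoginForm("example.test") === "constructed-password",
    log,
  };
}
console.log(demo());
```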

3.4. Policy Manager
The Policy Manager is the component of Sentinel that makes all policy decisions by comparing the information provided by the Components Proxy, Object Proxy, Document Proxy, Element Proxy and Window Proxy objects, describing security critical XPCOM, XUL document and window operations, with a local Policy Database. Based on the Policy Manager’s response, the corresponding proxy object decides whether the requested operation should proceed or be blocked. Alternatively, Sentinel could be configured to prompt the user to make a decision when no corresponding policy is found, and the Policy Manager can optionally save this decision in the policy database for future use.

In order to allow fine-grained policy decisions, a proxy object creates and sends to the Policy Manager a policy decision ticket for each requested operation. A ticket can contain the following pieces of information describing the intercepted operation:
• Origin: Name of the extension that requested the operation.
• Component/Interface Type (for XPCOM operations only): The type of the object the operation is performed on.
• Element ID (for XUL document operations only): The ID of the XUL element the operation is performed on.
• JavaScript Identifier (for Window operations only): The name of the global JavaScript variable, function or object the operation is performed on.
• Operation Name (Optional): Name of the method invoked or the property accessed, if available. If the operation is to instantiate a new object, the ticket will not contain this information.
• Arguments (Optional): The arguments passed to an invoked method, if available. If the operation is to instantiate a new object, or a property access, the ticket will not contain this information.

Given such a policy decision ticket, the Policy Manager first resolves the owner of the XUL element or the JavaScript identifier specified, if any, by querying the XUL Database or Names Database respectively. Next, it checks the Policy Database to find an entry with the ticket’s specifications. Policy entries