IAIK / ChromeZero

Google Chrome extension implementing JavaScript Zero
MIT License
149 stars 21 forks

Evading ChromeZero #2

Closed karthikbhargavan closed 6 years ago

karthikbhargavan commented 6 years ago

Interesting research! Congratulations. We certainly need protections like JS Zero for browser-based security applications.

It is less clear to me, however, that an extension that injects scripts into a page can protect itself against malicious websites that will seek to circumvent ChromeZero (i.e. how the guarantees of section V.B of the paper are implemented in this prototype extension.)

Maybe I am misunderstanding something about how ChromeZero works, but for example I don't see how it can protect against a malicious page like the one here: http://prosecco.inria.fr/personal/karthik/chromezero.html. The page at this URL gets access to navigator.getBattery before ChromeZero can hide it, and this works even if ChromeZero is set up in Tin Foil Hat mode. Am I doing something wrong when setting up the extension?

More generally, the protections of ChromeZero appear to rely on "first runner" status. That is, ChromeZero must be able to inject a script that runs first on a page and proxies all sensitive APIs before other scripts on the web page are allowed to run. First-runner status is quite hard to obtain without help from the browser or the target website, and we discuss alternatives in the following two papers:

misc0110 commented 6 years ago

Thank you for the feedback.

True, ChromeZero relies on being executed before any other JavaScript is executed. Chrome also provides possibilities to achieve this first-runner status. However, this PoC does not implement the full protection as described in Section V.B, as it is only meant to demonstrate the viability of this approach and should not be used as production-ready software for everyday use. Rather, we provide this extension as a basis for your own extension, and to play around with policies. This is also one of the causes for the issue you see: as the policies are always parsed whenever a new tab is opened, there is a certain time frame in which a (malicious) website could grab a handle to the original function. However, this is only an implementation detail of the current implementation.

Our goal is anyway to have such a protection directly in the browser, as this makes it easier to ensure the protection against malicious websites. ChromeZero should only be a temporary protection against attacks until such measures are widely deployed in browsers.

karthikbhargavan commented 6 years ago

Thanks for the quick response.

ChromeZero should only be a temporary protection against attacks until such measures are widely deployed in browsers.

It would be good to put something like this as a prominent disclaimer for potential users on the GitHub README.md, and to note that ChromeZero cannot currently protect against malicious websites. As it stands, the description of the extension may be misleading: "Chrome Zero is a Google Chrome extension to protect users from microarchitectural and side-channel attacks."

(Sent by e-mail on 11 Dec 2017 at 13:19 in reply to the comment by Michael Schwarz, notifications@github.com, quoted above.)

misc0110 commented 6 years ago

I added a disclaimer to the top of the page (I guess the note in the Limitations section is easy to overlook and no one reads that far anyway). We would be happy if someone with more experience in developing browser extensions picks up our work to produce a usable extension.