Skip to main content
Top

2020 | OriginalPaper | Chapter

HMAC and “Secure Preferences”: Revisiting Chromium-Based Browsers Security

Authors : Pablo Picazo-Sanchez, Gerardo Schneider, Andrei Sabelfeld

Published in: Cryptology and Network Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

Google disabled years ago the possibility to freely modify some internal configuration parameters, so options like silently (un)install browser extensions, changing the home page or the search engine were banned. This capability was as simple as adding/removing some lines from a plain text file called Secure Preferences file automatically created by Chromium the first time it was launched. Concretely, Google introduced a security mechanism based on a cryptographic algorithm named Hash-based Message Authentication Code (HMAC) to avoid users and applications other than the browser modifying the Secure Preferences file. This paper demonstrates that it is possible to perform browser hijacking, browser extension fingerprinting, and remote code execution attacks as well as silent browser extensions (un)installation by coding a platform-independent proof-of-concept changeware that exploits the HMAC, allowing for free modification of the Secure Preferences file. Last but not least, we analyze the security of the four most important Chromium-based browsers: Brave, Chrome, Microsoft Edge, and Opera, concluding that all of them suffer from the same security pitfall.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Appendix
Available only for authorised users
Literature
2.
go back to reference Aggarwal, A., Viswanath, B., Zhang, L., Kumar, S., Shah, A., Kumaraguru, P.: I spy with my little eye: analysis and detection of spying browser extensions. In: EuroS&P, pp. 47–61, April 2018 Aggarwal, A., Viswanath, B., Zhang, L., Kumar, S., Shah, A., Kumaraguru, P.: I spy with my little eye: analysis and detection of spying browser extensions. In: EuroS&P, pp. 47–61, April 2018
5.
go back to reference Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with VEX. Commun. ACM 54(9), 91–99 (2011)CrossRef Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with VEX. Commun. ACM 54(9), 91–99 (2011)CrossRef
6.
go back to reference Banescu, S., Pretschner, A., Battré, D., Cazzulani, S., Shield, R., Thompson, G.: Software-based protection against changeware. In: CODASPY, pp. 231–242 (2015) Banescu, S., Pretschner, A., Battré, D., Cazzulani, S., Shield, R., Thompson, G.: Software-based protection against changeware. In: CODASPY, pp. 231–242 (2015)
7.
go back to reference Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: CHES, pp. 215–236 (2016) Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: CHES, pp. 215–236 (2016)
8.
go back to reference Carlini, N., Felt, A.P., Wagner, D.: An evaluation of the google chrome extension security architecture. In: USENIX, pp. 97–111 (2012) Carlini, N., Felt, A.P., Wagner, D.: An evaluation of the google chrome extension security architecture. In: USENIX, pp. 97–111 (2012)
9.
go back to reference Chen, Q., Kapravelos, A.: Mystique: uncovering information leakage from browser extensions. In: CCS, p. 1687–1700 (2018) Chen, Q., Kapravelos, A.: Mystique: uncovering information leakage from browser extensions. In: CCS, p. 1687–1700 (2018)
10.
go back to reference Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Selected Areas in Cryptography, pp. 250–270 (2003) Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Selected Areas in Cryptography, pp. 250–270 (2003)
13.
go back to reference Dhawan, M., Ganapathy, V.: Analyzing information flow in Javascript-based browser extensions. In: ACSAC, pp. 382–391 (2009) Dhawan, M., Ganapathy, V.: Analyzing information flow in Javascript-based browser extensions. In: ACSAC, pp. 382–391 (2009)
14.
go back to reference Forrest, S., Somayaji, A., Ackley, D.H.: Building diverse computer systems. In: Workshop on Hot Topics in Operating Systems, pp. 67–72, May 1997 Forrest, S., Somayaji, A., Ackley, D.H.: Building diverse computer systems. In: Workshop on Hot Topics in Operating Systems, pp. 67–72, May 1997
16.
go back to reference Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: S&P, pp. 115–130 (2011) Guha, A., Fredrikson, M., Livshits, B., Swamy, N.: Verified security for browser extensions. In: S&P, pp. 115–130 (2011)
18.
go back to reference Jagpal, N., et al.: Trends and lessons from three years fighting malicious extensions. In: USENIX, pp. 579–593 (2015) Jagpal, N., et al.: Trends and lessons from three years fighting malicious extensions. In: USENIX, pp. 579–593 (2015)
19.
go back to reference Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: USENIX, pp. 641–654 (2014) Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: USENIX, pp. 641–654 (2014)
20.
go back to reference Karami, S., Ilia, P., Solomos, K., Polakis, J.: Carnus: exploring the privacy threats of browser extension fingerprinting. In: NDSS (2020) Karami, S., Ilia, P., Solomos, K., Polakis, J.: Carnus: exploring the privacy threats of browser extension fingerprinting. In: NDSS (2020)
21.
go back to reference Kotzias, P., Matic, S., Rivera, R., Caballero, J.: Certified pup: abuse in authenticode code signing. In: CCS, pp. 465–478 (2015) Kotzias, P., Matic, S., Rivera, R., Caballero, J.: Certified pup: abuse in authenticode code signing. In: CCS, pp. 465–478 (2015)
22.
go back to reference Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. Internet Engineering Task Force (IETF) (1997) Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. Internet Engineering Task Force (IETF) (1997)
28.
go back to reference Microsoft: How windows 10 uses the trusted platform module (2020) Microsoft: How windows 10 uses the trusted platform module (2020)
30.
go back to reference Picazo-Sanchez, P., Tapiador, J., Schneider, G.: After you, please: browser extensions order attacks and countermeasures. Int. J. Inf. Securi. 1–16 (2019) Picazo-Sanchez, P., Tapiador, J., Schneider, G.: After you, please: browser extensions order attacks and countermeasures. Int. J. Inf. Securi. 1–16 (2019)
31.
go back to reference Rogowski, R., Morton, M., Li, F., Monrose, F., Snow, K.Z., Polychronakis, M.: Revisiting browser security in the modern era: new data-only attacks and defenses. In: EuroS&P, pp. 366–381, April 2017 Rogowski, R., Morton, M., Li, F., Monrose, F., Snow, K.Z., Polychronakis, M.: Revisiting browser security in the modern era: new data-only attacks and defenses. In: EuroS&P, pp. 366–381, April 2017
32.
go back to reference Sánchez-Rola, I., Santos, I., Balzarotti, D.: Extension breakdown: security analysis of browsers extension resources control policies. In: USENIX, pp. 679–694 (2017) Sánchez-Rola, I., Santos, I., Balzarotti, D.: Extension breakdown: security analysis of browsers extension resources control policies. In: USENIX, pp. 679–694 (2017)
33.
go back to reference Sanfelix, E., Mune, C., de Haas, J.: Unboxing the white-box. In: Black Hat EU 2015 (2015) Sanfelix, E., Mune, C., de Haas, J.: Unboxing the white-box. In: Black Hat EU 2015 (2015)
34.
go back to reference Sjösten, A., Van Acker, S., Picazo-Sanchez, P., Sabelfeld, A.: LATEX GLOVES: protecting browser extensions from probing and revelation attacks. In: NDSS (2018) Sjösten, A., Van Acker, S., Picazo-Sanchez, P., Sabelfeld, A.: LATEX GLOVES: protecting browser extensions from probing and revelation attacks. In: NDSS (2018)
35.
go back to reference Somé, D.F.: Empoweb: empowering web applications with browser extensions. In: S&P, pp. 227–245, May 2019 Somé, D.F.: Empoweb: empowering web applications with browser extensions. In: S&P, pp. 227–245, May 2019
36.
go back to reference Starov, O., Nikiforakis, N.: Xhound: quantifying the fingerprintability of browser extensions. In: S&P, pp. 941–956 (2017) Starov, O., Nikiforakis, N.: Xhound: quantifying the fingerprintability of browser extensions. In: S&P, pp. 941–956 (2017)
37.
go back to reference Starov, O., Laperdrix, P., Kapravelos, A., Nikiforakis, N.: Unnecessarily identifiable: quantifying the fingerprintability of browser extensions due to bloat. In: WWW, p. 3244–3250 (2019) Starov, O., Laperdrix, P., Kapravelos, A., Nikiforakis, N.: Unnecessarily identifiable: quantifying the fingerprintability of browser extensions due to bloat. In: WWW, p. 3244–3250 (2019)
40.
go back to reference Urban, T., Tatang, D., Holz, T., Pohlmann, N.: Towards understanding privacy implications of adware and potentially unwanted programs. In: ESORICS, pp. 449–469 (2018) Urban, T., Tatang, D., Holz, T., Pohlmann, N.: Towards understanding privacy implications of adware and potentially unwanted programs. In: ESORICS, pp. 449–469 (2018)
41.
go back to reference Varshney, G., Misra, M., Atrey, P.K.: Detecting spying and fraud browser extensions: short paper. In: MPS, pp. 45–52 (2017) Varshney, G., Misra, M., Atrey, P.K.: Detecting spying and fraud browser extensions: short paper. In: MPS, pp. 45–52 (2017)
43.
go back to reference Xing, X., et al.: Understanding malvertising through ad-injecting browser extensions. In: WWW, pp. 1286–1295 (2015) Xing, X., et al.: Understanding malvertising through ad-injecting browser extensions. In: WWW, pp. 1286–1295 (2015)
44.
go back to reference Zhao, R., Yue, C., Yi, Q.: Automatic detection of information leakage vulnerabilities in browser extensions. In: WWW, pp. 1384–1394 (2015) Zhao, R., Yue, C., Yi, Q.: Automatic detection of information leakage vulnerabilities in browser extensions. In: WWW, pp. 1384–1394 (2015)
Metadata
Title
HMAC and “Secure Preferences”: Revisiting Chromium-Based Browsers Security
Authors
Pablo Picazo-Sanchez
Gerardo Schneider
Andrei Sabelfeld
Copyright Year
2020
DOI
https://doi.org/10.1007/978-3-030-65411-5_6

Premium Partner