New tool: Neto, our Firefox, Chrome and Opera extensions analysis suite

Monday, May 7, 2018

In the innovation and laboratory area at ElevenPaths, we have created a new tool which is used to analyze browser extensions. It is a complete suite (also extensible with its own plugins) for the extensions analysis; it is easy to use and provides useful information about extension features of both Firefox and Chrome or Opera.

Neto herramienta imagen



Why should we analyze extensions?
The extensions contain relevant information, such as the version, default language, permissions required for their correct operation or the URL addresses’ structures on which the extension will operate. At the same time, it contains pointers to other archives such as the relevant file path from the HTML file (which will load by clicking on their icon) or JavaScript file references which should run both in the background (background scripts) as with each page that the browser loads (content scripts).

However, the file analysis which make up an extension can also reveal the existence of files which should not be present in production applications. Amongst them, files could appear linked to the management of versions such as GIT or other temporary and backup files.

Of course, there are also extensions which are created as malware, adware, or to spy on the user. There are many and various examples, especially recently in Chrome (where it has already reached a certain level of maturity) and Firefox. Right now it is common for mining code to be hidden within the extensions.

The tool
It is a tool written in Python 3 and distributed as a PIP packet, which facilitates the automatic installation of the dependencies.
$ pip3 install neto

In systems in which they are not provided by the administration privileges, you can install the packet to the current user:

$ pip3 install neto --user

Once installed, it will create for us an entry point in the system, in which we can call the application command lines from any path.

Funcionalidades principales de Neto imagen
The main functionalities of the tool 

There are two functionalities which we have included in this first version:
  • The analyzer itself (extensible through the plugins in order to widen their potential)
  • A daemon with a JSON RPC interface which will allow us to interact with the analyzer from other programming languages.

The different analyzer options can be explored with neto analyser --help. In any case, Neto will allow us to process extension in three different ways:
  • Indicating the local extension path which we have downloaded (with the option -e), 
  • Indicating the system directory in which we have various extensions (with the option -d)
  • Downloading it directly from a URI online (with the option -u). 

In all of these cases, the analyzer will store the result as a JSON in a new file called ‘output’, although this path is also configurable with the command -o.

In order to interact with each other in different programming languages, we have created a daemon which runs a JSON-RPC interface. In this way, if we start it with neto daemon we can get the Python analyzer to perform certain tasks, such as the analysis of extensions stored locally (indicating the "local" method;) or which are available online at (indicating the "remote" method). In both cases, the parameters expected by the daemon correspond to the local or remote extension paths to be scanned. The available calls can be consulted with the "commands" method and can be carried out directly with curl as follows.

$ curl --data-binary '{"id":0, "method":"commands", "params":[], "jsonrpc": "2.0"}'  -H 
'content-type:text/json;' http://localhost:14041

Instead, if we are programming in Python, Neto has also been designed to function as a library. 

$ Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 16:07:46) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> from neto.lib.extensions import Extension
>>> my_extension = Extension ("./sample.xpi")

In this way, we can Access the different analysis characteristics carried out against the extension, or by accessing the properties directly.…
$ >>> my_extension.filename
'adblock_for_firefox-3.8.0-an+fx.xpi'
>>> my_extension.digest
'849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'
>>> import json
>>> print(json.dumps(my_extension.manifest, indent=2))
{
  "name": "AdBlock",
  "author": "BetaFish",
  "version": "3.8.0",
  "manifest_version": 2,
  "permissions": [
 "http://*/*",
 "https://*/*",
 "contextMenus",
 "tabs",
 "idle",
…


Here is a short clip which shows its basic use.



Plugins and how you can contribute
As it is free software there is the possibility for those who want to contribute something to it through the Github repository. The plugin structure which we can find in the neto.lib.plugins allows for the addition of new static analysis criteria whilst taking into account the analyst's needs. This becomes a Neto in an analysis suite which we expect to be powerful. Furthermore, the advantage of being distributed through PyPI as a packet is that whenever a new functionality is added, it can be installed with pip by indicating the 'upgrade' option.

$ pip install neto --upgrade
 

Soon we will have more ways to distribute it and information.

Innovation and laboratory

No comments:

Post a Comment