Securing Chrome Native Message host

Asked 7/4, 2015 at 19:50 Answered 9/12, 2016 at 17:47

google-chrome-extension chrome-native-messaging

I'm developing an application using Chrome Native Messaging that starts through a Chrome Extension.

My question is: How can I ensure that host application is really the same supplied by me?

I need to ensure the authenticity the application called by extension. How do I get it if I don´t have permission to read registry or check if something was changed?

Circumlocution answered 7/4, 2015 at 19:50 Comment(0)

That is an excellent question, and my guess is the answer is "unfortunately, you can't".

It would be interesting to implement some sort of cryptographic hash like the ones Chrome uses to verify extension files, but that's not a very strong guarantee.

Consider (all of this hypothetical):

You can secure the registry entry / manifest pretty easily this way, but what about the file itself?
Suppose you pin a hash of the executable, then it becomes painful to update it (you'll have to update the extension too in sync). Can be resolved with some kind of public key signature though instead of a hash.
Suppose you pin the executable in the manifest. What about its data files? More importantly, what about the libraries a native app uses?

Securing a Chrome extension/app is easy, since the only "library"/runtime you rely on is Chrome itself (and you put trust into that). A native app can depend on many, many things on the system (like the already mentioned libraries), how do you keep track?

Anyway, this seems like an interesting thing to brainstorm. Take a look the Chrome bug tracker if there is already anything similar, if not - try to raise a feature request. Maybe try some Chromium-related mailing list to ask the devs.

Purdy answered 7/4, 2015 at 20:7 Comment(6)

You can relatively easily sign the executable at build time: calculate the hash for the executable, encrypt it using a private key, and store it in the executable itself. The extension calculates the hash again, then compares it to the one stored in the executable (decrypting it with the public key). So that's a straightforward signing process but as you said, you'd have to do it with every file the native app depends on. – Donelson 7/4, 2015 at 22:18

You could also argue that if the shared libraries have been compromised, you've already lost the game. And I'm not sure how much static linking would improve the situation. – Donelson 7/4, 2015 at 22:20

And about the registry? When I install the host application, I set to extension to call it in some path defined by me. But if somebody change the registry and target to another path with the changed application (not the signed app) , the extension willn´t identify that changed and going to execute normally. There are any way to read the registry to make sure that defined path on registry correspond to true loaded application? – Circumlocution 8/4, 2015 at 11:20

No, not currently as far as I am aware. Like I said, you can try and request that as a feature. – Purdy 8/4, 2015 at 11:22

According to biziclop answer, I could sign each file with a private key and store the hash together with file. After, into extension, I need to open file and validate signature. To each file that need to be open by extension, the user will need give grants or confirm some popup? Are there any way to do this process transparent to user? – Circumlocution 8/4, 2015 at 12:12

@Rodrigo I reiterate: this mechanism does not currently exist. We're being hypothetical here. – Purdy 8/4, 2015 at 12:30

I realize this is an older post, but I thought it would be worth sharing the Chromium team's official response from the bug I filed: https://bugs.chromium.org/p/chromium/issues/detail?id=514936

An attacker who can modify registry or the FS on the user's machine can also modify the chrome binary, and so any type of validation implemented in chrome can be disabled by such attacker by mangling with the chrome's code. For that reason chrome has to trust FS (and anything that comes from local machine).

Costanza answered 9/12, 2016 at 17:47 Comment(0)

If i understood the question correctly,The solution could be

Register your executable with your server while installing along with signing the executable and store your register number inside the executable and server
In Each Request (postMessage) from extension ,send a token in addition which was given by your server
Ask the server for the Next token to send response to the extension by passing the token from extension along with you registry number
Server will respond with the token if you are a registered user
Encrypt it with your registry number and send it to extension along with the token from extension
extension holder browser will ask the server its a good response
With the help of extension token the server will identify the executable registry number and decrypt the executable token and verify which was generated by us(server) for the extension token
Once server confirmed ,Browser will consider it as a response

To be important your registry number should be secure and the client machine cannot able to get it out from the executable(Using proper signing it can be achievable)

As chrome stopped support for Applet ,I implemented the same for smart card reader in chrome

The only loop hole is,The client machine can able to trace each and every request its sending with the help of some tools

If you are able to make your executable communication with your server be secure using some httpOnly Cookie(Client machine cannot able to read) or else the password mechanism ,Most probably a secure solution you can achieve

Leija answered 27/12, 2015 at 21:5 Comment(0)

Recommended topics

Hot tags