Concerns about communication security between native host and browser extension


Moaz Eldefrawy

May 28, 2023, 7:01:49 AM
to Chromium Extensions
Hi,

I am building an app that exchanges sensitive data between the extension and the native host. I realized that communication between the two is done via Named Pipes (see here). This means, as far as I understand, that other processes can read from or write to this pipe. This can be dangerous if we have a malicious process on the end user machine, which led me to a couple of questions:
- Why is chromium using named pipes instead of anonymous pipes?
- What are the best practices to secure the communication between the extension and the NH?
- Would it be possible for chromium to change it to unnamed pipes?

Thank you,
Moaz.

wOxxOm

May 28, 2023, 10:13:56 AM
to Chromium Extensions, Moaz Eldefrawy
The MS documentation says named pipes can be secured, but as we can see in your link Chromium doesn't specify the necessary parameters.
You can suggest enabling the access control at https://crbug.com.

Moaz Eldefrawy

May 28, 2023, 11:15:25 AM
to wOxxOm, Chromium Extensions
Named pipes can be secured against other users, but not other processes. That means any other process can write/read the pipe data, since the security descriptor for pipes guards against other users and groups, not processes.

Gaurang Tandon

May 30, 2023, 4:50:00 AM
to Chromium Extensions, Moaz Eldefrawy, wOxxOm
> This can be dangerous if we have a malicious process on the end user machine

If the machine is already compromised, then it's outside the Chrome team's threat model, and they likely won't address it. See the docs link here and the Microsoft link inside it. Maybe you can narrow down your definition of "malicious processes" to clarify the scope of your question.

Moaz Eldefrawy

May 30, 2023, 10:43:19 AM
to Gaurang Tandon, Chromium Extensions, wOxxOm
Hey Gaurang,

Thanks for the link. It was fascinating to read. I guess it makes sense that Chrome doesn't protect itself from other malware, since there are just too many attack vectors to cover. I think I have got my answer. Thank you. :)

Eric Lawrence

May 31, 2023, 1:42:57 PM
to Chromium Extensions, Moaz Eldefrawy, wOxxOm, Gaurang Tandon
These named pipes have unpredictable/random names and only allow one client, meaning you'd need a high level of privilege to see their contents unless your code had attached as the client.

If you want to spy on communication between a Native Host and the browser, there are simpler ways: for example, you can just take over the registration and inject your code as a "proxy" between the browser and the host, an approach I use in my Native Messaging Meddler debugging tool: https://textslashplain.com/2022/01/08/debug-native-messaging/

Trying to institute additional checks into your code to prevent this can be problematic: For example, a popular password management extension tried looking at the process tree to find the Chrome instance that spawned it, and their extension failed when Chrome started spawning the Native Host directly rather than using CMD.exe as a proxy. https://textslashplain.com/2023/03/16/improving-native-message-host-reliability-on-windows/

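To make the "proxy" point concrete, here is an added example (not code from this thread and not the Native Messaging Meddler tool): a minimal native-messaging proxy in Python. It assumes the host manifest's "path" has been repointed at a wrapper that launches this script with the original host's command line as its arguments (on Windows the manifest path must be an executable, so a .bat or .exe wrapper is needed; that wrapper is not shown). The framing it speaks, a 4-byte length prefix in native byte order followed by UTF-8 JSON on stdin/stdout, is Chromium's documented Native Messaging protocol; the 1 MB cap is Chromium's limit on host-to-browser messages and is applied to both directions here as a defensive assumption. The sample traffic used below is constructed. The point it illustrates is the one the thread lands on: whoever can rewrite the registration (a file or registry key the user's own processes can write) sees every message, so hardening the pipe itself buys nothing against a local attacker at the same privilege level.

```python
"""Native Messaging proxy: relays framed JSON between the browser and the
real host while logging every message. Added example; assumes the manifest
now points at a wrapper that runs: python this_script.py <real host cmd...>
"""
import io
import json
import struct
import subprocess
import sys
import threading
from typing import BinaryIO, Callable, List, Optional

# Chromium rejects host->browser messages over 1 MB; we apply the same cap to
# browser->host traffic as a defensive assumption so a hostile peer cannot make
# us allocate an arbitrary amount of memory from a forged length prefix.
MAX_MESSAGE_BYTES = 1024 * 1024


def pack_message(obj) -> bytes:
    """Frame a JSON-serialisable object: native-endian uint32 length + UTF-8 body."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_MESSAGE_BYTES:
        raise ValueError(f"message too large: {len(body)} bytes")
    return struct.pack("=I", len(body)) + body


def read_message(stream: BinaryIO) -> Optional[dict]:
    """Read one framed message. Returns None on a clean EOF (peer closed the pipe),
    raises on a truncated frame or an implausible length prefix."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise EOFError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE_BYTES:
        raise ValueError(f"refusing {length}-byte message (cap {MAX_MESSAGE_BYTES})")
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated message body")
    return json.loads(body.decode("utf-8"))


def relay(src: BinaryIO, dst: BinaryIO,
          log: Callable[[str, dict], None], direction: str) -> int:
    """Copy framed messages from src to dst until EOF, logging each one.
    Returns the number of messages relayed."""
    count = 0
    while True:
        msg = read_message(src)
        if msg is None:
            return count
        log(direction, msg)          # the "spy": plaintext of every message
        dst.write(pack_message(msg))
        dst.flush()
        count += 1


def run_proxy(real_host_cmd: List[str], log_path: str) -> int:
    """Spawn the real host and shuttle traffic in both directions.
    Returns the real host's exit code."""
    with open(log_path, "a", encoding="utf-8") as logf:
        def log(direction: str, msg: dict) -> None:
            logf.write(f"{direction} {json.dumps(msg)}\n")
            logf.flush()

        host = subprocess.Popen(real_host_cmd,
                                stdin=subprocess.PIPE, stdout=subprocess.PIPE)
        # host -> browser runs on a thread; browser -> host on the main thread.
        t = threading.Thread(target=relay,
                             args=(host.stdout, sys.stdout.buffer, log, "host->browser"),
                             daemon=True)
        t.start()
        relay(sys.stdin.buffer, host.stdin, log, "browser->host")
        host.stdin.close()           # browser hung up: propagate EOF to the host
        t.join()
        return host.wait()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: proxy.py <real native host command...>")
    # Log file name is an assumption; pick a path the host user can write.
    sys.exit(run_proxy(sys.argv[1:], "native-messaging-proxy.log"))
```

Because the proxy is launched exactly as the real host would have been, the host's own parent-process or process-tree checks (the kind Eric warns are brittle anyway) do not distinguish it from Chrome; only an integrity check on the registration itself, done from a vantage point the local attacker cannot alter, would.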
