image
tarnish is a static-analysis tool to aid researchers in security reviews of Chrome extensions. It automates much of the regular grunt work and helps you quickly identify potential security vulnerabilities. This tool accompanies the research blog post which can be found here . If you don't want to go through the trouble of setting this up you can just use the tool at https://thehackerblog.com/tarnish/ . Unpolished Notice & Notes It should be noted that this is an un-polished release. This is the same source as the deployment located at https://thehackerblog.com/tarnish/ . In the future I may clean this up and make it much easier to run but I don't have time right now. To set this up you'll need to understand how to: Configure an S3 bucket (if using auto-scaling) Set up ElasticBeanstalk Use docker-compose Set up redis The set up is a little complex due to a few design goals: Effectively perform static against Chrome extensions Automatically scale up to increased workload with more instances and scale down. Work on a shoestring budget (thus the use of ElasticBeanstalk with Spot Instances). Some quick notes to help someone attempting to set this up: tarnish makes use of Python Celery for analysis of extensions. The Python Celery config uses redis as a broker (this will have to be created). The workers which process extension analysis jobs run on AWS ElasticBeanstalk spot instances. For those unfamiliar, spot instances are basically…