Thursday, May 10, 2018

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Posted by Ivan Fratric, Project Zero

With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or modify existing executable memory. The goal of this is to make it more difficult for an attacker who already gained some capabilities in the browser's Content Process to execute arbitrary code.

Since modern web browsers rely on Just-In-Time (JIT) compilation of JavaScript to achieve better performance and the code compilation in JIT is incompatible with ACG, a custom solution was needed to enable ACG in Microsoft Edge: the JIT engine was separated from the Edge Content Process into a separate JIT Process.
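An added example, not from the Project Zero post or its whitepaper, showing how a defender can confirm that the dynamic-code policy behind ACG is actually in effect on running Edge content processes. It uses the Get-ProcessMitigation cmdlet from the ProcessMitigations module that ships with Windows 10 1709 and later; the process name MicrosoftEdgeCP.exe and the DynamicCode property names are assumptions based on the cmdlet's documented output, not values taken from the page.

```powershell
# Added example: list the ACG (dynamic code) mitigation state of each running
# Microsoft Edge content process. Requires Windows 10 1709+ and an elevated
# session so Get-ProcessMitigation can query the process mitigation policy.
# Assumptions (not from the post): the content process image is
# MicrosoftEdgeCP.exe and the returned object exposes $m.DynamicCode.*.
$procs = Get-Process -Name MicrosoftEdgeCP -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No Edge content process (MicrosoftEdgeCP.exe) is running."
    return
}

foreach ($p in $procs) {
    # Query the live per-process policy rather than the registry default,
    # since the policy that matters is the one applied to this process.
    $m = Get-ProcessMitigation -Id $p.Id

    [pscustomobject]@{
        Pid                  = $p.Id
        # ON means VirtualAlloc/VirtualProtect with executable rights is
        # refused for this process, which is what ACG enforces.
        BlockDynamicCode     = $m.DynamicCode.BlockDynamicCode
        # OFF is the stricter setting: no thread may opt out of the policy.
        AllowThreadsToOptOut = $m.DynamicCode.AllowThreadsToOptOut
    }
}
```

Because the JIT engine lives in a separate process, a content process reporting BlockDynamicCode ON can still execute JIT-compiled JavaScript; the executable pages are produced by the JIT Process and mapped into the content process, which is exactly the boundary the post's analysis examines.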

We analyzed ACG and tried to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, we examined the implementation of the JIT server and uncovered multiple issues in it (that have been fixed at the time of publishing this). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus we hope that this work would be useful for other vendors who might consider employing similar mitigations.

We published the result of this work in a whitepaper that can be found here. All related materials (tools, PoC code) can be found here.
