Open Bug 1306406 (injecteject) Opened 4 years ago Updated 1 year ago

[Meta] Mitigations for DLL Injection

Categories

(Toolkit :: Startup and Profile System, defect, P2)

Unspecified
Windows
defect

Tracking

()

People

(Reporter: aklotz, Unassigned)

References

(Depends on 5 open bugs, )

Details

(Keywords: meta)

I'm going to be spending Q4 2016 working on improving stability as it relates to DLL injection and other issues created by antivirus software.

This is a meta bug for tracking issues specifically related to the former.
This is from an email that I wrote to blassey:

I definitely agree that safe mode should be the most aggressive with both kernel-supported (Windows 8 and newer only, sadly) as well as user-mode mitigations. I have lots of ideas about this:

1) We should enable the "extension points" mitigation. That will disable AppInit_DLLs, Windows Hooks, a11y hooks and such (See also bug 1291353). Other injection mechanisms such as CreateRemoteThread() are more difficult to mitigate (though I have some extremist ideas about how to handle that, too)...

2) We could also enable the "require Microsoft-signed DLLs" mitigation with the caveat that it must be temporarily switched off whenever we load our own DLLs. Obviously that opens a window for abuse, but it would be quite effective for process startup injections (the ESET bug comes to mind here).

3) Make safe mode turn the blocklist into a whitelist where we only allow dlls that are either ours or part of the OS. Probably ineffective against a sufficiently motivated attacker, but more than adequate to deal with non-malicious third-parties;

4) I also think that we might want to consider grabbing call stacks of third-party dll injections and feeding them into telemetry. Since we've already hooked into the loader, we could easily do a stackwalk at that time (but only for third-party libs). Having a better understanding of the injected DLL's mechanism of attack would be beneficial for the purposes of developing mitigations.
Depends on: 1314801
Priority: -- → P2
Depends on: 1387146
Keywords: meta
Depends on: 1400169
Depends on: 1403619
Depends on: 1401721
Depends on: 1384327
Depends on: sandbox-parent
Depends on: 1404961
Depends on: 1406068
Depends on: 1406657
Depends on: 1337105
Depends on: 1389889
Depends on: 1408994
Depends on: 1238735
Depends on: 1415337
Depends on: 1346765
Depends on: 1418131
Depends on: 1430857
Depends on: 1430092
Depends on: 1432653
Depends on: 1418594
Depends on: 1434489
Depends on: 1435773
Depends on: 1435776
Depends on: 1435780
Depends on: 1435793
Depends on: 1435794
No longer depends on: 1238735
No longer depends on: 1337105
No longer depends on: 1347867
No longer depends on: 1387146
No longer depends on: 1394550
No longer depends on: 1400169
No longer depends on: 1400637
No longer depends on: 1401721
No longer depends on: 1403619
No longer depends on: 1418594
No longer depends on: 1233556
No longer depends on: 1346765
No longer depends on: 1356637
No longer depends on: 1361410
No longer depends on: 1369361
No longer depends on: 1384327
No longer depends on: 1389889
No longer depends on: sandbox-parent
No longer depends on: 1384106
No longer depends on: 1415337
No longer depends on: 1406657
No longer depends on: 1408994
No longer depends on: 1430092
No longer depends on: 1430857
No longer depends on: 1432653
No longer depends on: 1434489
No longer depends on: 1314801
No longer depends on: 1406068
No longer depends on: 1418131
No longer depends on: 1404961
Depends on: 1443411
Depends on: 1473103
You need to log in before you can comment on or make changes to this bug.