Bug 1306406 (injecteject)

[Meta] Mitigations for DLL Injection

Status: NEW
Assignee: Unassigned
Type: defect
Priority: P2
Severity: normal
Reported: 3 years ago
Updated: 4 months ago

People

(Reporter: aklotz, Unassigned)

Tracking

(Depends on 5 bugs, {meta})

Firefox Tracking Flags

(Not tracked)


I'm going to be spending Q4 2016 working on improving stability as it relates to DLL injection and other issues created by antivirus software.

This is a meta bug for tracking issues specifically related to the former.
This is from an email that I wrote to blassey:

I definitely agree that safe mode should be the most aggressive with both kernel-supported (Windows 8 and newer only, sadly) as well as user-mode mitigations. I have lots of ideas about this:

1) We should enable the "extension points" mitigation. That will disable AppInit_DLLs, Windows Hooks, a11y hooks and such (see also bug 1291353). Other injection mechanisms such as CreateRemoteThread() are more difficult to mitigate (though I have some extremist ideas about how to handle that, too)...

2) We could also enable the "require Microsoft-signed DLLs" mitigation with the caveat that it must be temporarily switched off whenever we load our own DLLs. Obviously that opens a window for abuse, but it would be quite effective for process startup injections (the ESET bug comes to mind here).

3) Make safe mode turn the blocklist into a whitelist where we only allow DLLs that are either ours or part of the OS. Probably ineffective against a sufficiently motivated attacker, but more than adequate to deal with non-malicious third parties.

4) I also think that we might want to consider grabbing call stacks of third-party DLL injections and feeding them into telemetry. Since we've already hooked into the loader, we could easily do a stackwalk at that time (but only for third-party libs). Having a better understanding of the injected DLL's mechanism of attack would be beneficial for the purposes of developing mitigations.
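Added illustration of points 1 to 3 above; this is not Firefox's own DLL blocklist or launcher code. The portable part implements the safe-mode allowlist rule from point 3 as a decision function (`ShouldAllowModule`, `IsUnderDirectory`, `SampleSafeModePolicy` are names chosen here, and the install and OS directory paths plus the sample module paths are constructed). It handles the two edge cases a naive string-prefix allowlist gets wrong: the directory prefix is matched on a separator boundary, so `C:\Windows\System32evil\` is not System32, and any `..` component is refused instead of resolved. Under `_WIN32` only, `EnableKernelInjectionMitigations` shows the two kernel-supported mitigations from points 1 and 2 via `SetProcessMitigationPolicy`, with the extension-point-disable and Microsoft-signed-only binary signature policies; that part needs a Windows version that supports those policies and is not compiled elsewhere.

```cpp
// Added illustration, not Firefox's own blocklist or launcher code.
// Point 3 (safe mode turns the blocklist into an allowlist) as a pure,
// portable decision function, plus, under _WIN32 only, the two kernel
// mitigations from points 1 and 2. Directory names, function names and
// the sample module paths below are constructed for this example.
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00  // process mitigation policy structs need Win8+ headers
#endif
#include <windows.h>
#endif

#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Lower-case the path and fold forward slashes to backslashes, since the
// Windows loader accepts both and compares names case-insensitively.
static std::string NormalizePath(std::string p) {
  std::replace(p.begin(), p.end(), '/', '\\');
  std::transform(p.begin(), p.end(), p.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return p;
}

// True when `rawPath` is an absolute path inside `rawDir` or a subdirectory
// of it. The comparison is done against the directory *with* its trailing
// separator, so "C:\Windows\System32evil\x.dll" does not pass as System32,
// and any ".." component is rejected rather than resolved.
static bool IsUnderDirectory(const std::string& rawPath, const std::string& rawDir) {
  std::string path = NormalizePath(rawPath);
  std::string dir = NormalizePath(rawDir);
  if (dir.empty() || path.size() < 3 || path[1] != ':' || path[2] != '\\') {
    return false;  // relative or malformed paths are never allowed
  }
  if (path.find("\\..\\") != std::string::npos) {
    return false;  // directory traversal is never allowed
  }
  if (dir.back() != '\\') dir += '\\';
  return path.size() > dir.size() && path.compare(0, dir.size(), dir) == 0;
}

struct AllowlistPolicy {
  std::string firefoxDir;           // our own install directory (assumed)
  std::vector<std::string> osDirs;  // OS library directories (assumed)
};

// Safe-mode rule from point 3: a module loads only if it is ours or the OS's.
bool ShouldAllowModule(const AllowlistPolicy& policy, const std::string& modulePath) {
  if (IsUnderDirectory(modulePath, policy.firefoxDir)) return true;
  for (const std::string& dir : policy.osDirs) {
    if (IsUnderDirectory(modulePath, dir)) return true;
  }
  return false;
}

// Constructed policy used by main() below.
AllowlistPolicy SampleSafeModePolicy() {
  return {"C:\\Program Files\\Mozilla Firefox",
          {"C:\\Windows\\System32", "C:\\Windows\\SysWOW64"}};
}

#ifdef _WIN32
// Points 1 and 2: disable the legacy extension points (AppInit_DLLs, global
// hooks, ...) and require Microsoft-signed images, for this process only.
// Returns false if the running Windows does not support either policy.
bool EnableKernelInjectionMitigations() {
  PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ext = {};
  ext.DisableExtensionPoints = 1;
  if (!SetProcessMitigationPolicy(ProcessExtensionPointDisablePolicy, &ext, sizeof(ext))) {
    return false;
  }
  PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sig = {};
  sig.MicrosoftSignedOnly = 1;
  return SetProcessMitigationPolicy(ProcessSignaturePolicy, &sig, sizeof(sig)) != 0;
}
#endif

int main() {
  const AllowlistPolicy policy = SampleSafeModePolicy();
  // Constructed sample load attempts: two legitimate, three that must be refused.
  const char* samples[] = {
      "C:\\Program Files\\Mozilla Firefox\\xul.dll",
      "c:/windows/system32/kernel32.dll",
      "C:\\Windows\\System32evil\\hook.dll",
      "C:\\Windows\\System32\\..\\Temp\\hook.dll",
      "C:\\Users\\me\\AppData\\Local\\SomeAV\\shim.dll",
  };
  for (const char* s : samples) {
    std::cout << (ShouldAllowModule(policy, s) ? "allow  " : "block  ") << s << '\n';
  }
  return 0;
}
```

The allowlist check is deliberately a path-only rule, matching point 3's own caveat: it stops non-malicious third parties that install into their own directories, not an attacker who can write into System32 or the install directory.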
Depends on: 1314801
Priority: -- → P2
Depends on: 1380335
Depends on: 1387146
Keywords: meta
Depends on: 1400169
Depends on: 1403619
Depends on: 1401721
Depends on: 1384327
Depends on: sandbox-parent
Depends on: 1404961
Depends on: 1406068
Depends on: 1406657
Depends on: 1337105
Depends on: 1389889
Depends on: 1408994
Depends on: 1238735
Depends on: 1415337
Depends on: 1346765
Depends on: 1418131
Depends on: 1430857
Depends on: 1430092
Depends on: 1432653
Depends on: 1418594
Depends on: 1434489
Depends on: 1435773
Depends on: 1435776
Depends on: 1435780
Depends on: 1435793
Depends on: 1435794
No longer depends on: 1238735
No longer depends on: 1337105
No longer depends on: 1347867
No longer depends on: 1387146
No longer depends on: 1394550
No longer depends on: 1400169
No longer depends on: 1400637
No longer depends on: 1401721
No longer depends on: 1403619
No longer depends on: 1418594
No longer depends on: 1233556
No longer depends on: 1346765
No longer depends on: 1356637
No longer depends on: 1361410
No longer depends on: 1369361
No longer depends on: 1384327
No longer depends on: 1389889
No longer depends on: 1380335
No longer depends on: sandbox-parent
No longer depends on: 1384106
No longer depends on: 1415337
No longer depends on: 1406657
No longer depends on: 1408994
No longer depends on: 1430092
No longer depends on: 1430857
No longer depends on: 1432653
No longer depends on: 1434489
No longer depends on: 1314801
No longer depends on: 1406068
No longer depends on: 1418131
No longer depends on: 1404961
Depends on: 1443411
Depends on: 1473103