Bug 1306406 (injecteject)

[Meta] Mitigations for DLL Injection

Status: NEW (Unassigned)
Priority: P2
Severity: normal
Reported: 2 years ago
Last modified: a month ago

People

(Reporter: aklotz, Unassigned)

Tracking

(Depends on: 5 bugs, {meta})

Firefox Tracking Flags

(Not tracked)

Description (Reporter), 2 years ago
I'm going to be spending Q4 2016 working on improving stability as it relates to DLL injection and other issues created by antivirus software.

This is a meta bug for tracking issues specifically related to the former.
Comment 1 (Reporter), 2 years ago
This is from an email that I wrote to blassey:

I definitely agree that safe mode should be the most aggressive with both kernel-supported (Windows 8 and newer only, sadly) as well as user-mode mitigations. I have lots of ideas about this:

1) We should enable the "extension points" mitigation. That will disable AppInit_DLLs, Windows Hooks, a11y hooks and such (See also bug 1291353). Other injection mechanisms such as CreateRemoteThread() are more difficult to mitigate (though I have some extremist ideas about how to handle that, too)...

2) We could also enable the "require Microsoft-signed DLLs" mitigation with the caveat that it must be temporarily switched off whenever we load our own DLLs. Obviously that opens a window for abuse, but it would be quite effective for process startup injections (the ESET bug comes to mind here).

3) Make safe mode turn the blocklist into a whitelist where we only allow DLLs that are either ours or part of the OS. Probably ineffective against a sufficiently motivated attacker, but more than adequate to deal with non-malicious third-parties.

4) I also think that we might want to consider grabbing call stacks of third-party DLL injections and feeding them into telemetry. Since we've already hooked into the loader, we could easily do a stackwalk at that time (but only for third-party libs). Having a better understanding of the injected DLL's mechanism of attack would be beneficial for the purposes of developing mitigations.
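
The first three mitigations sketched in comment 1, as an added example that is not Firefox code and not part of this bug: a portable allowlist check for item 3 (a module path must sit under the application directory or the OS directory, with Windows case folding, a separator-boundary match and rejection of ".." components, because a loader hook sees raw paths), and, on Windows builds only, items 1 and 2 applied through the real Win32 SetProcessMitigationPolicy API. The extension-point policy needs Windows 8 or later and the binary-signature policy Windows 10 or later; on older systems the calls simply fail. The function names, directory strings and sample DLL paths are assumptions made for this example.

```c
/* Added example, not Firefox code: the safe-mode mitigations sketched in
 * comment 1. Function names, directory strings and sample paths are
 * assumptions made for this example. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00   /* PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY is Windows 10+ */
#endif
#include <windows.h>
#endif

/* Windows paths are case-insensitive and accept either separator. */
static char norm_char(char c) {
    return (c == '\\') ? '/' : (char)tolower((unsigned char)c);
}

/* True if path names something inside dir (or a subdirectory of it).
 * The match must end on a separator, so "C:\Windows\System32evil\x.dll"
 * does not pass for "C:\Windows\System32", and any ".." component after
 * the prefix is rejected, so "C:\Windows\System32\..\Temp\x.dll" cannot
 * launder itself into the OS directory. */
static bool under_dir(const char *path, const char *dir) {
    size_t n = strlen(dir);
    while (n > 0 && (dir[n - 1] == '\\' || dir[n - 1] == '/')) n--;  /* drop trailing separator */
    if (n == 0) return false;
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0' || norm_char(path[i]) != norm_char(dir[i])) return false;
    }
    if (path[n] != '\\' && path[n] != '/') return false;
    const char *p = path + n;
    while (*p) {
        while (*p == '\\' || *p == '/') p++;             /* skip separators */
        const char *start = p;
        while (*p && *p != '\\' && *p != '/') p++;       /* one path component */
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return false;
    }
    return true;
}

/* Item 3: in safe mode the blocklist becomes an allowlist. A module may load
 * only from our own install directory or from the OS directory. Relative and
 * UNC paths are refused outright: the loader's search order, not us, would
 * decide where they resolve. In a real hook app_dir would come from
 * GetModuleFileNameW on our own image and system_dir from GetSystemDirectoryW. */
bool is_allowlisted_module(const char *dll_path, const char *app_dir,
                           const char *system_dir) {
    if (!dll_path || !app_dir || !system_dir) return false;
    if (!isalpha((unsigned char)dll_path[0]) || dll_path[1] != ':') return false;
    return under_dir(dll_path, app_dir) || under_dir(dll_path, system_dir);
}

/* Items 1 and 2: kernel-enforced policies. Returns how many were applied;
 * 0 on non-Windows builds. Both calls return FALSE on Windows versions that
 * predate them, which a caller should treat as "mitigation unavailable". */
int apply_safe_mode_mitigations(void) {
    int applied = 0;
#ifdef _WIN32
    /* Item 1 (Windows 8+): AppInit_DLLs, global SetWindowsHookEx hooks,
     * Winsock LSPs and legacy IMEs are no longer loaded into this process. */
    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ext;
    memset(&ext, 0, sizeof(ext));
    ext.DisableExtensionPoints = 1;
    if (SetProcessMitigationPolicy(ProcessExtensionPointDisablePolicy, &ext, sizeof(ext)))
        applied++;

    /* Item 2 (Windows 10+): only Microsoft-signed images may be mapped.
     * Comment 1's caveat applies: our own DLLs are not Microsoft-signed, so
     * this has to go on after they are loaded (or be relaxed around each of
     * our own loads), which is the window for abuse the comment mentions. */
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sig;
    memset(&sig, 0, sizeof(sig));
    sig.MicrosoftSignedOnly = 1;
    if (SetProcessMitigationPolicy(ProcessSignaturePolicy, &sig, sizeof(sig)))
        applied++;
#endif
    return applied;
}

int main(void) {
    /* Constructed sample paths; real ones arrive from the loader hook. */
    const char *app = "C:\\Program Files\\Mozilla Firefox";
    const char *sys = "C:\\Windows\\System32";
    const char *probes[] = {
        "C:\\Program Files\\Mozilla Firefox\\xul.dll",
        "c:\\windows\\system32\\KERNEL32.DLL",
        "C:\\Windows\\System32\\..\\Temp\\evil.dll",
        "C:\\Windows\\System32evil\\hook.dll",
        "C:\\ProgramData\\SomeAV\\inject.dll",
        "inject.dll",
    };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%-45s %s\n", probes[i],
               is_allowlisted_module(probes[i], app, sys) ? "allow" : "block");
    printf("kernel mitigations applied: %d\n", apply_safe_mode_mitigations());
    return 0;
}
```

The allowlist is only as strong as the path the hook is handed: it has to be the fully resolved image path, not the name passed to LoadLibrary, or a DLL planted in the working directory would be judged by its bare filename. The ordering point in item 2 is the one to get right in practice: apply the signature policy after the last of your own non-Microsoft-signed modules has loaded, and accept that the gap before that point is exactly where a startup injector gets in.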

Updated, 2 years ago: Depends on: 1314801
Updated, 2 years ago: Priority: -- → P2
Updated (Reporter), a year ago: Depends on: 1380335
Updated (Reporter), a year ago: Depends on: 1387146; Keywords: meta; Depends on: 1400169, 1401721, 1384327, 1382498, 1404961, 1406068, 1406657, 1337105, 1389889, 1408994, 1238735, 1415337, 1346765
Updated (Reporter), a year ago: Depends on: 1418131
Updated (Reporter), 11 months ago: Depends on: 1430857
Updated, 11 months ago: Depends on: 1430092
Updated (Reporter), 11 months ago: Depends on: 1432653
Updated, 11 months ago: Depends on: 1418594
Updated (Reporter), 11 months ago: Depends on: 1434489
Updated (Reporter), 10 months ago: Depends on: 1435773
Updated (Reporter), 10 months ago: Depends on: 1435776
Updated (Reporter), 10 months ago: Depends on: 1435780
Updated (Reporter), 10 months ago: Depends on: 1435793
Updated (Reporter), 10 months ago: Depends on: 1435794
Updated (Reporter), 10 months ago: No longer depends on: 1238735
Updated (Reporter), 10 months ago: No longer depends on: 1337105
Updated (Reporter), 10 months ago: No longer depends on: 1347867
Updated (Reporter), 10 months ago: No longer depends on: 1387146
Updated (Reporter), 10 months ago: No longer depends on: 1394550
Updated (Reporter), 10 months ago: No longer depends on: 1400169
Updated (Reporter), 10 months ago: No longer depends on: 1400637
Updated (Reporter), 10 months ago: No longer depends on: 1401721
Updated (Reporter), 10 months ago: No longer depends on: 1403619
Updated (Reporter), 10 months ago: No longer depends on: 1418594
Updated (Reporter), 10 months ago: No longer depends on: 1233556
Updated (Reporter), 10 months ago: No longer depends on: 1346765
Updated (Reporter), 10 months ago: No longer depends on: 1356637
Updated (Reporter), 10 months ago: No longer depends on: 1361410
Updated (Reporter), 10 months ago: No longer depends on: 1369361
Updated (Reporter), 10 months ago: No longer depends on: 1384327
Updated (Reporter), 10 months ago: No longer depends on: 1389889
Updated (Reporter), 10 months ago: No longer depends on: 1380335
Updated (Reporter), 10 months ago: No longer depends on: 1382498
Updated (Reporter), 10 months ago: No longer depends on: 1384106
Updated (Reporter), 10 months ago: No longer depends on: 1415337
Updated (Reporter), 10 months ago: No longer depends on: 1406657
Updated (Reporter), 10 months ago: No longer depends on: 1408994
Updated (Reporter), 10 months ago: No longer depends on: 1430092
Updated (Reporter), 10 months ago: No longer depends on: 1430857
Updated (Reporter), 10 months ago: No longer depends on: 1432653
Updated (Reporter), 10 months ago: No longer depends on: 1434489
Updated (Reporter), 10 months ago: No longer depends on: 1314801
Updated (Reporter), 10 months ago: No longer depends on: 1406068
Updated (Reporter), 10 months ago: No longer depends on: 1418131
Updated (Reporter), 10 months ago: No longer depends on: 1404961; Depends on: 1443411
Updated (Reporter), 6 months ago: Depends on: 1473103