Open Bug 1381050 Opened 4 years ago Updated 2 months ago

[meta] Deploy Arbitrary Code Guard (ACG) on Windows

Categories: Core :: Security: Process Sandboxing, task, P2
Hardware: All
OS: Windows
People: Reporter: tjr, Unassigned
References: Depends on 1 open bug
Details: Keywords: meta, parity-edge, sec-want; Whiteboard: sb+

Arbitrary Code Guard (ACG) is a Windows mechanism that prevents a process from allocating, remapping, or modifying code pages. This is a significant disruption to how exploits are developed, as it is not possible to VirtualAlloc and set up a payload. Enabling this will be a significant evolution in Firefox's security posture.

This doesn't eliminate exploits altogether, of course; the next evolution will be pure ROP-based exploits (or OS kernel exploits), but ACG is cutting edge in exploitation mitigation and process hardening.

ACG requires an OOP JIT (Bug 1348341). It does not require JIT Constant Blinding (Bug 1376819), but it would not be effective to land ACG without it. Similarly, it does not require CIG (Bug 1378417), but it would not be effective without it.

ACG is enabled by calling SetProcessMitigationPolicy with the PROCESS_MITIGATION_DYNAMIC_CODE_POLICY setting. PROCESS_MITIGATION_DYNAMIC_CODE_POLICY supports an AllowThreadOptOut setting that can be used to migrate to full enforcement. 

More information:
https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
https://twitter.com/DrPizza/status/834965743800320001
https://msdn.microsoft.com/en-us/library/windows/desktop/mt706243(v=vs.85).aspx
https://github.com/tomrittervg/sandboxsandbox/blob/master/output/acg.txt
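The description above says how ACG is switched on (SetProcessMitigationPolicy with PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, optionally with AllowThreadOptOut as a migration step). The following is an added example, not code from this bug or from Firefox: it enables the policy in the current process, reads it back, shows the per-thread opt-out call that AllowThreadOptOut permits, and verifies enforcement by checking that a writable+executable allocation is refused. The Windows calls are the documented Win32 APIs; the flag bit positions, the ERROR_DYNAMIC_CODE_BLOCKED value (1655) and THREAD_DYNAMIC_CODE_ALLOW (1) are taken from the Windows SDK headers and are assumed where the SDK in use lacks them. The acg_describe helper and the acg_* function names are my own.

```c
/* acg_demo.c: enable Arbitrary Code Guard in the current process and verify it.
 * Added example; not Firefox code. Windows-only calls are guarded so the
 * portable flag-interpretation helper compiles (and can be tested) anywhere. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00   /* Windows 10 SDK level: needed for the dynamic code policy types */
#endif
#include <windows.h>
#ifndef ERROR_DYNAMIC_CODE_BLOCKED
#define ERROR_DYNAMIC_CODE_BLOCKED 1655L   /* winerror.h value; assumed if the SDK lacks it */
#endif
#ifndef THREAD_DYNAMIC_CODE_ALLOW
#define THREAD_DYNAMIC_CODE_ALLOW 1        /* winbase.h value; assumed if the SDK lacks it */
#endif
#endif

/* Bit positions inside PROCESS_MITIGATION_DYNAMIC_CODE_POLICY.Flags,
 * taken from the Windows SDK definition of that union (assumed here). */
enum {
    ACG_PROHIBIT_DYNAMIC_CODE = 1u << 0,  /* ProhibitDynamicCode */
    ACG_ALLOW_THREAD_OPT_OUT  = 1u << 1,  /* AllowThreadOptOut   */
};

/* Portable helper: turn a Flags value into a human-readable enforcement state. */
const char *acg_describe(uint32_t flags) {
    if (!(flags & ACG_PROHIBIT_DYNAMIC_CODE))
        return "off";                 /* the opt-out bit alone enforces nothing */
    if (flags & ACG_ALLOW_THREAD_OPT_OUT)
        return "enforced, per-thread opt-out allowed";
    return "enforced";
}

#ifdef _WIN32
/* Turn on ACG for this process. Once set, the policy cannot be turned off again
 * for the life of the process; a failure (see GetLastError) usually means
 * something already loaded in the process is incompatible. */
bool acg_enable(bool allow_thread_opt_out) {
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy;
    ZeroMemory(&policy, sizeof(policy));
    policy.ProhibitDynamicCode = 1;
    policy.AllowThreadOptOut = allow_thread_opt_out ? 1 : 0;
    return SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &policy, sizeof(policy)) != 0;
}

/* Read the process policy back so the state can be logged or asserted on. */
uint32_t acg_query_flags(void) {
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy;
    ZeroMemory(&policy, sizeof(policy));
    if (!GetProcessMitigationPolicy(GetCurrentProcess(), ProcessDynamicCodePolicy,
                                    &policy, sizeof(policy)))
        return 0;
    return policy.Flags;
}

/* Migration aid for the AllowThreadOptOut mode: let the calling thread generate
 * code (e.g. a thread still hosting an in-process JIT) while the rest of the
 * process stays locked down. Only succeeds if the process policy was set with
 * AllowThreadOptOut. */
bool acg_thread_opt_out(void) {
    DWORD allow = THREAD_DYNAMIC_CODE_ALLOW;
    return SetThreadInformation(GetCurrentThread(), ThreadDynamicCodePolicy,
                                &allow, sizeof(allow)) != 0;
}

/* Self-check: with ACG enforced, a request for a writable+executable page must
 * be refused with ERROR_DYNAMIC_CODE_BLOCKED. Returns true if ACG blocked it. */
bool acg_blocks_rwx(void) {
    void *p = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (p != NULL) {
        VirtualFree(p, 0, MEM_RELEASE);   /* got an RWX page: ACG is not enforced */
        return false;
    }
    return GetLastError() == ERROR_DYNAMIC_CODE_BLOCKED;
}
#endif

int main(void) {
#ifdef _WIN32
    if (!acg_enable(false)) {
        printf("SetProcessMitigationPolicy failed: %lu\n", GetLastError());
        return 1;
    }
    printf("ACG state: %s\n", acg_describe(acg_query_flags()));
    printf("RWX allocation blocked: %s\n", acg_blocks_rwx() ? "yes" : "no");
#else
    printf("Windows-only demo; flag helper says: %s\n",
           acg_describe(ACG_PROHIBIT_DYNAMIC_CODE | ACG_ALLOW_THREAD_OPT_OUT));
#endif
    return 0;
}
```

The acg_blocks_rwx check is the same failure a library with its own JIT hits once the policy is on: its code-page allocation comes back with ERROR_DYNAMIC_CODE_BLOCKED, which is the kind of incompatibility the later comments describe for IMEs and for the decoder in RDD. Running that check once at startup, after the policy call, gives a cheap regression signal that enforcement really took effect in a given process type.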
Do we have a JIT in both content and chrome processes?
Whiteboard: sb+
See Also: → sandbox-parent
Priority: -- → P3
No longer depends on: 1361159
Duplicate of this bug: 1361159
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> Do we have a JIT in both content and chrome processes?

yes, I believe so.  I would assume that OOP JIT (Bug 1348341) would use one JIT process for each Master or Content process, but it could use one JIT OOP process for all Content and the Master process.  This would be a tradeoff between security and memory use.
(In reply to Randell Jesup [:jesup] from comment #3)
> (In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> > Do we have a JIT in both content and chrome processes?
> 
> yes, I believe so.  I would assume that OOP JIT (Bug 1348341) would use one
> JIT process for each Master or Content process, but it could use one JIT OOP
> process for all Content and the Master process.  This would be a tradeoff
> between security and memory use.

To me it seems like it would make more sense to not use the OOP JIT for the chrome process at all. If you can make the chrome process JIT code it's basically already too late.
(In reply to Tom Schuster [:evilpie] from comment #4)
> (In reply to Randell Jesup [:jesup] from comment #3)
> > (In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> > > Do we have a JIT in both content and chrome processes?
> > 
> > yes, I believe so.  I would assume that OOP JIT (Bug 1348341) would use one
> > JIT process for each Master or Content process, but it could use one JIT OOP
> > process for all Content and the Master process.  This would be a tradeoff
> > between security and memory use.
> 
> To me it seems like it would make more sense to not use the OOP JIT for the
> chrome process at all. If you can make the chrome process JIT code it's
> basically already too late.

I agree, the parent process doesn't need an OOP JIT. It seems unlikely we could even deploy ACG if it had it, when things like a11y.
(In reply to Tom Ritter [:tjr] from comment #5)
> I agree, the parent process doesn't need an OOP JIT. It seems unlikely we
> could even deploy ACG if it had it, when things like a11y.

FWIW I don't think a11y would be harmed by ACG.
MS disables ACG when IMEs are present:

> In the Windows 10 Creators Update, CIG is enabled by default for Microsoft Edge, except for scenarios where certain incompatible extensions are present (such as IMEs) – in these scenarios, both CIG and ACG are currently disabled by default.
See Also: → 1474451
Blocks: 1483752
See Also: → 1673194
Type: enhancement → task
Keywords: meta

I'm turning this into a meta because we did in fact ship this in a bunch of processes like Socket and RDD, though we had to back it out of RDD because a MS decoder turned out to have a JIT in it (bug 1673194).

OS: Unspecified → Windows
Priority: P3 → P2
Hardware: Unspecified → All
Summary: Deploy Arbitrary Code Guard (ACG) on Windows → [meta] Deploy Arbitrary Code Guard (ACG) on Windows