Closed Bug 1518798 Opened 6 years ago Closed 6 years ago

Exclude from untrusted modules ping: Win7 SysWOW64 DLLs

Categories

(Core :: General, enhancement, P1)

Unspecified
Windows
enhancement

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox66 --- fixed

People

(Reporter: ccorcoran, Assigned: ccorcoran)

Attachments

(3 files)

The untrusted modules ping currently has a lot of noise: Microsoft-looking DLLs (crypt32.dll, imagehlp.dll, ...) that apparently have no digital signature, but which match MS version info. These results occur 100% on Win7 under WOW64.

This was discovered with this query: https://sql.telemetry.mozilla.org/queries/60451

We should adjust our evaluation code to mark these DLLs as trusted, excluding them from the ping.

I confirmed in a clean Win7 x64 VM that these DLLs all have no digital signature.

To target this specific case as it's somewhat of an exception for Windows 7, my proposed solution is to add the following conditions as "trusted":

  • Windows 7
  • and SysWOW64
  • and MS version info

To see approximately which DLLs this will exclude, I can go to this query:
https://sql.telemetry.mozilla.org/queries/60451/source#156077

and add the following condition at the end:

where
    win7rate > 0.9
    and wow64rate > 0.9
    and bitwise_and(highesttrustflags, 4) = 4

This list is a decent approximation of the Microsoft DLLs in SysWOW64. Attached is a .csv of these results.

By running the query above and changing the = 4 to = 0, we see a list of DLLs that will continue to be untrusted which are only reported on Win7 WOW64. Attached is a .csv of this.

Many of these are actually MS DLLs that have no version information or digital signature. I believe the best way to exclude these would be via a whitelist.

Depends on: 1518490

Looking at the logic in ModuleEvaluator_windows.cpp::IsModuleTrusted, the simplest solution will be to just grant SysWOW64 similar trustworthiness as System32. Under WOW64, SysWOW64 is the effective system32 anyway.

Under WOW64, the SysWOW64 directory is the effective system directory. A flag has been added (ModuleTrustFlags::SysWOW64Directory) representing this directory, and we now grant this the same trustworthiness as ModuleTrustFlags::SystemDirectory. Depends on D16013
Keywords: checkin-needed
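
The trust decision described in the two comments above, as an added example that is not Firefox's own ModuleEvaluator code: a simplified model in which the flag bit values, the path rules and the two IsModuleTrusted* functions are assumptions, contrasting the old behaviour (only System32 counts as the system directory) with the fix (SysWOW64Directory gets the same trust as SystemDirectory). It also shows why the fix keys on the directory rather than on version info alone: a DLL outside either directory that merely claims Microsoft version info stays untrusted and still lands in the ping.

```cpp
// Added example, not Firefox's own code: a simplified model of the trust
// decision discussed in this bug. Flag bit values and the path rules are
// assumptions; the real ModuleTrustFlags values are not on this page.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <string>
enum ModuleTrustFlags : uint32_t {
  MicrosoftWindowsSignature = 1u << 0,  // Authenticode signature chains to Microsoft
  MicrosoftVersion = 1u << 2,           // version info names Microsoft (bit 4 in the query above)
  SystemDirectory = 1u << 3,            // lives in %SystemRoot%\System32
  SysWOW64Directory = 1u << 4,          // lives in %SystemRoot%\SysWOW64 (the flag added by the fix)
};

struct ModuleInfo {
  std::string path;       // full path the module was loaded from
  bool hasMsSignature;    // constructed input: did a Microsoft signature verify?
  bool hasMsVersionInfo;  // constructed input: does VS_VERSIONINFO name Microsoft?
};

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Derive the trust flags for one module (hypothetical, simplified rules).
uint32_t ComputeTrustFlags(const ModuleInfo& m) {
  uint32_t flags = 0;
  const std::string p = Lower(m.path);
  if (p.rfind("c:\\windows\\system32\\", 0) == 0) flags |= SystemDirectory;
  if (p.rfind("c:\\windows\\syswow64\\", 0) == 0) flags |= SysWOW64Directory;
  if (m.hasMsSignature) flags |= MicrosoftWindowsSignature;
  if (m.hasMsVersionInfo) flags |= MicrosoftVersion;
  return flags;
}

// Before the fix: an unsigned module with Microsoft version info is trusted
// only if it lives in System32, so the Win7 SysWOW64 DLLs land in the ping.
bool IsModuleTrustedBefore(uint32_t flags) {
  if (flags & MicrosoftWindowsSignature) return true;
  return (flags & SystemDirectory) && (flags & MicrosoftVersion);
}

// After the fix: SysWOW64Directory grants the same trust as SystemDirectory.
// Version info alone, outside either directory, still grants nothing.
bool IsModuleTrustedAfter(uint32_t flags) {
  if (flags & MicrosoftWindowsSignature) return true;
  return (flags & (SystemDirectory | SysWOW64Directory)) && (flags & MicrosoftVersion);
}
```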

Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/79f7656b35eb
Treat SysWOW64 the same as the system directory in the untrusted modules ping r=aklotz

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66