Closed Bug 1659438 Opened 5 years ago Closed 5 years ago

Automatically block a module with REDIRECT_TO_NOOP_ENTRYPOINT if it's injected via Import Table

Categories

(Firefox :: Launcher Process, enhancement)

Product:
Firefox
Component:
Launcher Process
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox84 --- fixed

People

(Reporter: toshi, Assigned: toshi)

References

Details

Attachments

(4 files, 3 obsolete files)

Bug 1659438 - Part1: Rename FunctionTableResolver.h/cpp to SharedSection.h/cpp. r=mhowell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1659438 - Part2: Transfer Kernel32ExportsSolver as a shared memory. r=mhowell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1659438 - Part3: Add an array of the dependent modules paths to SharedSection. r=mhowell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1659438 - Part4: Automatic entrypoint redirection. r=mhowell
47 bytes, text/x-phabricator-request
Details | Review

This report indicates some modules are injected into the RDD process via Import Table, which cannot be blocked with prespawn CIG as doing that also blocks process launch. We need to block it with REDIRECT_TO_NOOP_ENTRYPOINT like bug 1603974.

This patch adds an ability to automatically exclude modules, which are
injected via Import Directory Table of the executable, from CIG. This
means we allow such a module to be loaded for free. A following patch
will block it in a different way.

More specifically, this patch introduces a special keyword
ADD_NON_DEFAULT_DEPENDENT_MODULES which will be used in a subsequent patch.
If it's passed as the signed policy's rule, we automatically generate the signed
policy rule for modules which are included in the executable's Import Directory
Table and its name buffer is located outside the executable's image.

The Part1 patch allowed an injected module to be loaded bypassing CIG.

This patch blocks such a module by redirecting its entrypoint to a no-op function
so that the module does not have any chance of code execution.

To achieve that, this patch introduces a new EvalResult REDIRECT_TO_NOOP_ENTRYPOINT
for Chromium's sandbox policy. Our blocklist queries for Chromium's policy, and if
it returns REDIRECT_TO_NOOP_ENTRYPOINT, we apply WindowsDllEntryPointInterceptor.

Depends on D88358

On top of Automatic CIG bypassing and Automatic entrypoint redirection,
we can enable CIG in the RDD process without breaking process launch.
This patch also excludes modules in the directory containing the executable
from CIG as the process needs to load our modules such as mozglue.dll.

Depends on D88359

Comment on attachment 9172297 [details]
Bug 1659438 - Part3: Enable pre-spawn CIG in RDD. r=bobowen

Revision D88360 was moved to bug 1620114. Setting attachment 9172297 [details] to obsolete.

Attachment #9172297 - Attachment is obsolete: true
Attachment #9172295 - Attachment is obsolete: true
Attachment #9172296 - Attachment is obsolete: true

We transfer several ntdll's function addresses to a child process directly via
WriteProcessMemory. This patch changes the way to transfer data to using
a section object as Chromium sandbox does, so that we can transfer more data
with the same cost as transferring a single handle value.

Depends on D96282

This patch adds a list of the executable's dependent module's path to SharedSection
as an array of the offset to a string and a string buffer. A following patch will
use this data from the browser process and the sandboxed processes.

Depends on D96283

Our DLL blocklist has an option REDIRECT_TO_NOOP_ENTRYPOINT, with which we
redirect a target module's entrypoint to a function just returning TRUE so that
it does not have a chance to intereact with our code.

With this patch, we apply the REDIRECT_TO_NOOP_ENTRYPOINT method automatically
to a module which is included in the executable's Import Directory Table.

Depends on D96284

Pushed by dluca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7b1dd25f146d Part1: Rename FunctionTableResolver.h/cpp to SharedSection.h/cpp. r=mhowell https://hg.mozilla.org/integration/autoland/rev/1f9baedaa556 Part2: Transfer Kernel32ExportsSolver as a shared memory. r=mhowell https://hg.mozilla.org/integration/autoland/rev/e1d85ec6eb97 Part3: Add an array of the dependent modules paths to SharedSection. r=mhowell https://hg.mozilla.org/integration/autoland/rev/1486ff3f5649 Part4: Automatic entrypoint redirection. r=mhowell
Regressions: 1676537

Should this block not consider WindowsDllBlocklistDefs.in ? According to this wiki page dll's should only be blocked as a last resort, but as I understand from these patches all dlls injected through import address table are blocked by default here.

Sorry in advance if this is the wrong place to post this question.

Flags: needinfo?(tkikuchi)

(In reply to Arthur from comment #11)

Should this block not consider WindowsDllBlocklistDefs.in ? According to this wiki page dll's should only be blocked as a last resort, but as I understand from these patches all dlls injected through import address table are blocked by default here.

Sorry in advance if this is the wrong place to post this question.

We have prevented import table tampering before this patch (I think it's since bug 1503538) though we cannot perfectly block them. This change was needed to enable CIG in a sandboxed process. Is this related to bug 1682304?

Flags: needinfo?(tkikuchi)

I see, just wanted to understand if this is an oversight or an intentional change. Thanks.

Yes, this is related to bug 1682304 :)

See Also: → 1682304
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: