Discover Microsoft browser security and compatibility internals

BRK4003: Discover Microsoft Browser Security and Compatibility Internals
Chris Jackson, Sr. Architect, Microsoft (Microsoft Ignite 2016)

Vulnerability Exploitation Landscape

Web browser exploitation is a big deal
- Huge target population: web browsers are the primary portal to the Internet for most people.
- Extensive attack surface: HTML, active scripting, multimedia, graphics, network protocols, and more.
- Significant incentives: bug bounties, closed-door vulnerability/exploit sales, and mass-market monetization opportunities.

Press clippings shown on the slide:
- "Microsoft rushes to fix browser after attacks; no fix for XP users" (Jim Finkle, Reuters, Boston, Sun Apr 27, 2014).
- "Attackers exploit un-patched flaw in IE 8" (Liam Tung, CSO Online, 06 May 2013): at least nine hacked legitimate sites were hosting the IE 8 zero-day exploit. One of them was the US Department of Labor's Site Exposure Matrices website, according to security firm AlienVault, the first to report the attacks. The DOL site is a repository of information about toxic substances present at US Department of Energy facilities and supports compensation claims, suggesting the intended targets were from the nuclear energy sector. "It's a campaign targeted seemingly against U.S.-based defense and financial sectors," FireEye spokesman Vitor De Souza said via email. "It's unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering." He declined to elaborate, though he said one way to protect against them would be to switch to another browser.
- "Pwn2Own 2015: The year every web browser went down" (Steven J. Vaughan-Nichols, ZDNet Networking, March 23, 2015): every major web browser showed up, every web browser got hacked. The hackers won every prize, for a cool $557,500, and that did not include the value of the laptops the winners got to keep (HP Omen gaming notebooks), Zero Day Initiative (ZDI) points, and other prizes given to winning researchers.

"The Internet is a battlefield, the prize is your information, and bugs are the weapons." (Lev Grossman, TIME magazine)

Web browser attack methods have matured

Targeted attacks
- Web browser vulnerabilities are a preferred vector for compromising activists, enterprises, and governments.
- Spear phishing attacks: coerce a user into browsing to a malicious site.
- Watering hole attacks: the user browses to a legitimate (but compromised) site.
- Well-funded and capable adversaries with specific goals.
[Chart: number of Microsoft and Adobe browser-based CVEs exploited in targeted zero-day attacks, by patch year, 2006-2015; source: SpiderLabs.]

Large-scale attacks
- Web browser vulnerabilities are the preferred vector for enabling criminal monetization of compromised PCs.
- Criminals have honed the Exploit-as-a-Service (EaaS) business model: purchase traffic (via malvertising or compromised sites), rent an exploit kit with bullet-proof hosting, purchase a payload to monetize infections (ransomware, etc.).
- No technical expertise required for exploit kit users, just criminal ambition!

Increasingly effective vulnerability discovery

Researchers and attackers have become increasingly effective at finding web browser vulnerabilities.

Number of Microsoft web browser Remote Code Execution (RCE) CVEs addressed, by patch year:
  2006: 17    2007: 22    2008: 22    2009: 28    2010: 36
  2011: 34    2012: 33    2013: 116   2014: 226   2015: 186
We experienced a 3.5x y/y increase in 2013 and ~2x y/y in 2014.

[Chart: share of Microsoft RCE CVEs addressed by product area (Browser, Office, Windows, Other) and patch year, 2006-2015.] Web browser vulnerabilities have accounted for more than 50% of Microsoft's RCEs each year since 2013.

Attack cost/complexity: attackers have improved, we have responded

Timeline of mitigations and the attacker techniques they killed (2006-2015):
- Windows Vista enables ASLR: kills (most) predictable images.
- Internet Explorer 8 enables DEP: kills heap spraying of code. (End of the code heap-spraying era.)
- Exploits start relying on non-ASLR DLLs to bypass ASLR and on ROP to bypass DEP (non-ASLR DLL era, 2010-2012).
- Windows 8 adds Force ASLR and IE10 enables it: kills all predictable images.
- Exploits start relying on address space information disclosures (arbitrary read/write era, 2013-2015).
- IE11 adds CFG and UAF mitigations: UAF and ROP exploits are disrupted.
- Microsoft Edge improves all aspects of exploit protection and isolation.

Microsoft Edge is the most exploit-resistant browser Microsoft has ever shipped!

Microsoft Edge Security Advances

Microsoft Edge: Designed for Secure Browsing
- Objective: keep our customers safe when browsing the web.
- Strategy: make it difficult and costly for attackers to find and exploit vulnerabilities in Microsoft Edge.
- Tactics: eliminate vulnerabilities before attackers can find them; break exploitation techniques in use by attackers; contain the damage of successful exploitation; prevent navigation to known exploit sites.

Microsoft Edge is the most secure browser Microsoft has ever shipped.

Microsoft Edge: AppContainer-based isolation
- Microsoft Edge uses multiple AppContainers to provide strong sandboxing and isolation improvements.
- The isolation improvements with Microsoft Edge + AppContainer address all previous limitations of the Internet Explorer sandbox.
- Significant attack surface reduction.
- Flash runs outside the content process, in its own process (starting in the Windows 10 Anniversary Update).
- The Microsoft Edge isolation model addresses all previously known by-design sandbox attacks.

Microsoft Edge multi-AppContainer isolation model (diagram on the slide): the Edge Manager process and each Edge Tab process run in an AppContainer, the Flash Content process runs separately, and an Elevation Broker runs at Medium IL; every IPC link between these processes is marked as a trust boundary.

Microsoft Edge: 64-bit by design

Heap spraying is a standard technique used by nearly every browser exploit. Heap spraying example from Metasploit [1]:

```javascript
var memory = new Array();

// Fill the heap with many copies of (slide + shellcode) so that the guessed
// address heapSprayAddr lands inside one of them.
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
    var index;
    // Split the 32-bit target address into two 16-bit halves for %uXXXX escapes.
    var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
    var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
    while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
    while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }

    // The slide is the target address repeated: every 4-byte unit of it is a
    // pointer back into the sprayed region, so any hit in the slide works.
    var retSlide = unescape("%u" + heapSprayAddr_hi + "%u" + heapSprayAddr_lo);
    while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
    retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);

    // Allocate enough blocks to grow the heap up to heapSprayAddr.
    var heapBlockCnt = (heapSprayAddr - heapBlockSize) / heapBlockSize;
    for (index = 0; index < heapBlockCnt; index++) {
        memory[index] = retSlide + shellcode;
    }
}
```

- A 32-bit address space (2 GB) is small and easy to spray.
- A 64-bit address space (128 TB) with High Entropy ASLR introduces 1 TB of random variance into where heaps start (24 bits of entropy), so a guessed address almost never lands in the sprayed data.
- 90% of Windows 10 devices use a 64-bit version of Windows (and therefore 64-bit Microsoft Edge).
- A 64-bit address space with High Entropy ASLR makes traditional heap spraying impractical: attackers must have an additional information disclosure.

Tactic: Break exploitation techniques. Applies to: Microsoft Edge on Windows 10. First shipped: July, 2015 (Windows 10 RTM).

Memory Garbage Collection (MemGC)

The vast majority of remaining use-after-free issues were in our DOM engine, due to dangling pointers on the heap. The object lifecycle under MemGC, as sketched on the slide:

```cpp
// 1. Allocate object
p = new COptionElement();

// 2. Zero object, but don't free
ZeroMemory(p, sizeof(T));

// 3. Garbage collection phase frees all objects with no references
//    (stack, registers, heap)

// 4. Use freed object
p->Foo();
```

MemGC is a conservative garbage collector (GC) for our DOM engine that makes DOM use-after-free issues non-exploitable.
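The following C program is an added illustration of the four steps above, not Edge's MemGC and not code from the deck. It models a conservative collector: a logical free zeroes the object but leaves it allocated, marking scans a simulated stack and the objects' own heap fields for any word equal to an object address, and only unreferenced pending objects are released. The Node layout, the root stack, the function names and the scenario are this example's own inventions.

```c
/* Toy model of a MemGC-style conservative collector for DOM-like objects.
 * Added example, not Edge's MemGC: gc_free() zeroes the object and hands it to
 * the collector, which releases memory only once no root or heap field holds
 * a word equal to the object's address. Layout and names are invented. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS  16
#define MAX_ROOTS 16

typedef struct Node Node;
typedef int (*click_fn)(Node *);
struct Node {
    uintptr_t kind;      /* non-zero while live; 0 once logically freed */
    Node     *child;     /* heap reference, scanned during marking */
    click_fn  on_click;  /* dispatch slot a UAF exploit would try to repopulate */
};

static Node     *heap[MAX_OBJS];
static int       pending[MAX_OBJS];  /* 1 = freed by the program, still owned by the GC */
static int       n_objs;
static uintptr_t roots[MAX_ROOTS];   /* simulated stack/register words */
static int       n_roots;

static int default_click(Node *n) { return (int)n->kind; }

static int index_of(uintptr_t word)
{
    for (int i = 0; i < n_objs; i++)
        if ((uintptr_t)heap[i] == word) return i;
    return -1;
}

Node *gc_alloc(uintptr_t kind)                       /* step 1 on the slide */
{
    if (n_objs == MAX_OBJS) return NULL;
    Node *n = calloc(1, sizeof *n);
    n->kind = kind;
    n->on_click = default_click;
    pending[n_objs] = 0;
    heap[n_objs++] = n;
    return n;
}

void gc_free(Node *p)                                /* step 2: zero, but don't release */
{
    int i = index_of((uintptr_t)p);
    if (i < 0 || pending[i]) return;                 /* foreign pointer or double free */
    memset(p, 0, sizeof *p);
    pending[i] = 1;
}

void root_push(const void *p) { if (n_roots < MAX_ROOTS) roots[n_roots++] = (uintptr_t)p; }
void root_pop(void)           { if (n_roots > 0) n_roots--; }

static void mark(uintptr_t word, int *marked)        /* conservative: any matching word counts */
{
    int i = index_of(word);
    if (i < 0 || marked[i]) return;
    marked[i] = 1;
    mark((uintptr_t)heap[i]->child, marked);
}

int gc_collect(void)                                 /* step 3: returns objects really released */
{
    int marked[MAX_OBJS] = {0};
    for (int r = 0; r < n_roots; r++) mark(roots[r], marked);
    int freed = 0, kept = 0;
    for (int i = 0; i < n_objs; i++) {
        if (pending[i] && !marked[i]) { free(heap[i]); freed++; continue; }
        heap[kept] = heap[i];
        pending[kept] = pending[i];
        kept++;
    }
    n_objs = kept;
    return freed;
}

int gc_live_count(void) { return n_objs; }

int use_node(Node *p)                                /* step 4: p->Foo() via a dangling pointer */
{
    if (p == NULL || p->on_click == NULL) return -1; /* zeroed slot: NULL dereference, not attacker code */
    return p->on_click(p);
}

/* Scenario: free a node while a stale copy of its address is still on the stack,
 * allocate a same-type replacement (as an exploit hoping to reuse the memory
 * would), then call through the dangling pointer. 0 = MemGC's promises held. */
int scenario_dangling_pointer(void)
{
    int bad = 0;
    Node *victim = gc_alloc(0x41);
    root_push(victim);                          /* stale stack slot */
    gc_free(victim);
    if (gc_collect() != 0)       bad |= 1;      /* still referenced: nothing released */
    Node *replacement = gc_alloc(0x42);
    if (replacement == victim)   bad |= 2;      /* memory cannot be recycled under the attacker */
    if (use_node(victim) != -1)  bad |= 4;      /* dangling use finds a zeroed object */
    root_pop();
    if (gc_collect() != 1)       bad |= 8;      /* stale reference gone: victim released now */
    gc_free(replacement);
    gc_collect();
    return bad;
}
```

The pattern this contrasts with is a plain free() followed by a same-size allocation that lands on the dead object, which lets the attacker choose what the dangling p->Foo() dispatches through. Here the replacement cannot occupy the victim's memory while any scanned word still points at it, and the dangling call finds a NULL slot. The cost is deferred reclamation: the victim is only released after the stale root disappears, which is why the slide calls the collector conservative.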

Why MemGC makes DOM use-after-free non-exploitable:
- The attacker cannot replace the object state, because the object has never been freed.
- The dangling object is in a guaranteed zeroed state, which leads to a safe NULL dereference or otherwise makes the bug non-exploitable.

Tactic: Eliminate vulnerabilities. Applies to: Microsoft Edge on Windows 10; IE11 on Windows 7+ (as of 10/2015). First shipped: July, 2015 (Windows 10 RTM).

Microsoft Edge: Attack surface reduction

With Microsoft Edge, we seized the opportunity to drastically reduce the attack surface exposed to the web:
- No legacy document modes
- No legacy script engines (VBScript, JScript)
- No Vector Markup Language (VML)
- No toolbars
- No Browser Helper Objects (BHOs)
- No ActiveX controls
Tons of code was removed as a result!

Tactic: Eliminate vulnerabilities. Applies to: Microsoft Edge on Windows 10. First shipped: July, 2015 (Windows 10 RTM).

Code integrity and image load restrictions

Content processes enable code integrity and image load restrictions to prevent malicious DLLs from being loaded. New restrictions on DLL loading in Edge content processes:
- Only properly signed images can be loaded (Microsoft, WHQL, Store, or DRM signed); malware and grayware DLLs are refused.
- Binaries on remote devices (UNC/WebDAV) cannot be loaded.
An additional benefit: these restrictions help prevent unwanted DLLs from being injected into Edge content processes.

Tactic: Break exploitation techniques. Applies to: Edge on Windows 10. First shipped: November, 2015 (Windows 10 1511 update).

Mitigating ROP: Control Flow Guard (CFG)

CFG helps mitigate the standard way that web browser exploits initially hijack control of code execution. The typical control flow hijack corrupts a C++ virtual table pointer and calls the first gadget of a ROP payload, which transfers control to a stack pivot gadget (example from Metasploit [1]). CFG implements a form of coarse-grained control-flow integrity which places new restrictions on indirect calls to ensure that only valid functions can be called indirectly.

Compile time: metadata is automatically added to the image which identifies the functions that may be called indirectly, and a lightweight check is inserted prior to each indirect call which verifies at runtime that the call target is valid.

```cpp
void Foo(...) {
    // SomeFunc is address-taken and may be called indirectly,
    // so the compiler records it as a valid call target
    Object->FuncPtr = SomeFunc;
}

void Bar(...) {
    // Compiler-inserted check to verify the call target is valid
    _guard_check_icall(Object->FuncPtr);
    Object->FuncPtr(xyz);
}
```

Runtime:
- Image load: update the valid call target data with the metadata from the PE image.
- Process start: map the valid call target data.
- Indirect call: perform an O(1) validity check; terminate the process if the target is invalid.
With CFG in place, ROP gadgets and other invalid functions cannot be called indirectly.

Tactic: Break exploitation techniques. Applies to: Microsoft Edge on Windows 10 and IE11 on Windows 8.1+. First shipped: November, 2014 (Windows 8.1 Update 3).

Microsoft Edge: Kernel and Flash attack protection

- Kernel exploits have increased 300% since 2014; they are often used by attackers to escape browser sandboxes.
- Microsoft Edge now enforces an allow list for kernel calls from Flash and from the content process: system calls from the Edge content process into the Windows kernel (NTOS and win32k.sys) are filtered against that allow list.
- Microsoft Edge makes kernel attacks more difficult by reducing the kernel components exposed to the browser.
- Flash Player has its own AppContainer (the Flash host process) and has been hardened to resist memory corruption.
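An added C model of the CFG check described on the Control Flow Guard slide (this is not MSVC's _guard_check_icall and not Edge code): the valid-target table stands in for the kernel-maintained bitmap, Bar() is the slide's call site, and the demo functions, the gadget and the violation counter are this example's own.

```c
/* Toy model of CFG's indirect-call check. Added example, not MSVC's or Edge's
 * code: the real _guard_check_icall is compiler-inserted and tests a bitmap
 * built from the PE's valid-target metadata; here the bitmap is a small table
 * of registered functions, and a violation is counted instead of terminating
 * the process so the scenarios can report it. */
#include <stddef.h>

typedef int (*handler_fn)(int);

/* Functions the program registers as indirect-call targets: what the compiler
 * would record for address-taken functions such as SomeFunc on the slide. */
static int on_load(int x)  { return x + 1; }
static int on_click(int x) { return x * 2; }

/* Never registered: stands in for the stack-pivot ROP gadget an exploit
 * reaches by corrupting a vtable pointer. */
static int stack_pivot_gadget(int x) { (void)x; return 0x0BAD; }

static const handler_fn valid_targets[] = { on_load, on_click };
#define N_VALID (sizeof valid_targets / sizeof valid_targets[0])

static int cfg_violations;

/* Model of _guard_check_icall: linear here, an O(1) bitmap test in the real thing. */
static int guard_check_icall(handler_fn target)
{
    for (size_t i = 0; i < N_VALID; i++)
        if (valid_targets[i] == target) return 1;
    cfg_violations++;                 /* real CFG: __fastfail(), process terminated */
    return 0;
}

struct Object { handler_fn FuncPtr; };

/* Bar() from the slide: the indirect call site with the inserted check. */
static int Bar(struct Object *o, int xyz)
{
    if (!guard_check_icall(o->FuncPtr)) return -1;   /* the process would be gone here */
    return o->FuncPtr(xyz);
}

int cfg_violation_count(void) { return cfg_violations; }

/* Legitimate call: FuncPtr holds a registered function. */
int demo_valid_call(void)
{
    struct Object obj = { on_click };
    return Bar(&obj, 21);                     /* 42 */
}

/* Memory corruption overwrites the slot with a gadget address. */
int demo_hijack_blocked(void)
{
    struct Object obj = { on_click };
    obj.FuncPtr = stack_pivot_gadget;         /* attacker-controlled write */
    return Bar(&obj, 21);                     /* -1: not in the valid-target set */
}

/* Caveat: CFG is coarse-grained. Swapping in a different registered function
 * passes the check even though it is the wrong target for this call site. */
int demo_coarse_grained(void)
{
    struct Object obj = { on_click };
    obj.FuncPtr = on_load;
    return Bar(&obj, 21);                     /* 22 */
}
```

The third scenario is the caveat a defender should keep in mind: CFG verifies that the target is some address-taken function, not that it is the right one for this call site, and it guards indirect calls only; return addresses are not checked, so the defence raises the cost of the first gadget rather than eliminating ROP outright.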
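The image-load rules on the code integrity slide and the kernel-call filter on the Kernel and Flash slide are both exposed to applications through the Windows process mitigation policy interface. The C routine below is added here as an example and is not Edge's own code: the slides name the restrictions but not the policy flags Edge sets, so the selection of policies, the result codes and the function names are this example's own, and the win32k setting is the public all-or-nothing switch rather than the per-call allow list the slide describes. On a non-Windows build the routine compiles to a stub that reports MIT_UNSUPPORTED.

```c
/* Apply Edge-content-process-style image-load and kernel-call restrictions to
 * the calling process with the public SetProcessMitigationPolicy API.
 * Added example, not Edge's code: the policy selection below is this
 * example's own reading of the slides, not a documented Edge configuration. */
#if defined(_WIN32)
#  ifndef _WIN32_WINNT
#    define _WIN32_WINNT 0x0A00   /* Windows 10 headers: signature/image-load policies */
#  endif
#  include <windows.h>
#endif
#include <string.h>

enum {
    MIT_APPLIED = 0,
    MIT_UNSUPPORTED,        /* not a Windows build */
    MIT_FAIL_SIGNATURE,     /* only Microsoft/WHQL/Store-signed images */
    MIT_FAIL_IMAGE_LOAD,    /* no UNC/WebDAV or low-integrity images */
    MIT_FAIL_EXT_POINTS,    /* no AppInit_DLLs / hook / IME injection */
    MIT_FAIL_WIN32K         /* win32k.sys system-call switch */
};

int apply_content_process_mitigations(void)
{
#if defined(_WIN32)
    /* 1. Code integrity: refuse images that are not Microsoft, WHQL or Store signed. */
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sig;
    memset(&sig, 0, sizeof sig);
    sig.MicrosoftSignedOnly = 1;
    if (!SetProcessMitigationPolicy(ProcessSignaturePolicy, &sig, sizeof sig))
        return MIT_FAIL_SIGNATURE;

    /* 2. Image-load restrictions: no binaries from remote devices (UNC/WebDAV)
     *    or low-integrity locations; prefer System32 over search-path DLLs. */
    PROCESS_MITIGATION_IMAGE_LOAD_POLICY img;
    memset(&img, 0, sizeof img);
    img.NoRemoteImages = 1;
    img.NoLowMandatoryLabelImages = 1;
    img.PreferSystem32Images = 1;
    if (!SetProcessMitigationPolicy(ProcessImageLoadPolicy, &img, sizeof img))
        return MIT_FAIL_IMAGE_LOAD;

    /* 3. Close the classic DLL-injection doors (AppInit_DLLs, window hooks, IMEs). */
    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ext;
    memset(&ext, 0, sizeof ext);
    ext.DisableExtensionPoints = 1;
    if (!SetProcessMitigationPolicy(ProcessExtensionPointDisablePolicy, &ext, sizeof ext))
        return MIT_FAIL_EXT_POINTS;

    /* 4. Kernel attack surface: block all win32k.sys system calls. This is the
     *    public coarse switch, not the per-call allow list on the slide. The
     *    call fails once the process has initialised win32k (user32/gdi32
     *    loaded), so a sandbox broker normally sets it at CreateProcess time
     *    through PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY instead. */
    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY sc;
    memset(&sc, 0, sizeof sc);
    sc.DisallowWin32kSystemCalls = 1;
    if (!SetProcessMitigationPolicy(ProcessSystemCallDisablePolicy, &sc, sizeof sc))
        return MIT_FAIL_WIN32K;

    return MIT_APPLIED;
#else
    return MIT_UNSUPPORTED;
#endif
}

/* Human-readable result, for logging from a broker or a test harness. */
const char *mitigation_result_name(int r)
{
    switch (r) {
    case MIT_APPLIED:         return "applied";
    case MIT_UNSUPPORTED:     return "unsupported (not a Windows build)";
    case MIT_FAIL_SIGNATURE:  return "failed: binary signature policy";
    case MIT_FAIL_IMAGE_LOAD: return "failed: image load policy";
    case MIT_FAIL_EXT_POINTS: return "failed: extension point policy";
    case MIT_FAIL_WIN32K:     return "failed: win32k system call switch";
    default:                  return "unknown";
    }
}
```

Order matters: the signature policy can lock out a DLL the process still needs to load, and the win32k switch is rejected once user32.dll or gdi32.dll has initialised, so in a real sandbox the broker applies these as creation-time attributes of the child rather than calling the API from inside it. On a Windows build a non-zero return names the policy that failed, and GetLastError() gives the reason.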

Safe Browsing: SmartScreen protection

SmartScreen leverages machine learning and hybrid analysis to block browser-based attacks, and provides full-spectrum protection against URL- and file-borne attacks in the Microsoft Edge and IE browsers:
- Exploits: exploit kits, APT watering holes
- Social engineering: FakeAV, grayware, etc.
- Phishing: targeted attacks, financial

To generate blocks, SmartScreen combines machine learning, dynamic/static analysis, anti-malware telemetry, the Bing search graph, and Microsoft cloud sources. Telemetry sources: anti-malware endpoints (300M), MSRT (1.2B), Bing (2.5T URL index), SmartScreen (600M URL reports), AppRep (50M file look-ups), Hotmail/O365/Exchange, OS telemetry, Azure/Skype/Microsoft Account.

Microsoft Edge Security Assurance

Microsoft Edge was built together with in-house security experts.
- Fuzzing/static analysis: greater than 670 machine years devoted to fuzz testing Microsoft Edge and Internet Explorer during development; more than 400 billion DOM manipulations generated from 1 billion HTML files; hundreds of security issues addressed. Security static analysis checkers are integrated into Edge builds.
- Code review/penetration testing: a security review of all key features resulted in over 70 security review engagements, and dozens of security implementation and design issues were addressed prior to ship. The Windows REDTEAM emulates the techniques and expertise of skilled real-world attackers and exploited Microsoft Edge vulnerabilities discovered through penetration testing; the end result is improved mitigation of new, novel attacks discovered prior to shipping Microsoft Edge.
- Ongoing Microsoft bug bounty programs.

Microsoft Edge Security Impact: Conclusion

Microsoft Edge was built from the ground up to mitigate current and future exploit techniques. Each iteration of Microsoft Edge introduces new and innovative security features to keep attackers in a disrupted state.

© 2016 Microsoft Corporation. All rights reserved.
