Back in February 2018, Google’s Project Zero went public with a Microsoft Edge bug that Redmond couldn’t fix in time for its next patch release. Now, the Google researcher – Ivan Fratric – has provided a detailed technical explanation of the problem and says Microsoft’s fix might not be adequate.
With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within the process or to modify existing executable memory. The goal is to make it more difficult for an attacker who has already gained some capabilities in the browser’s Content Process to execute arbitrary code.
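To see whether ACG is actually enforced on a given binary or on a live Content Process, the per-process mitigation policy can be read from PowerShell. The script below is an added example, not code from the article or from the Project Zero whitepaper; it assumes Windows 10 1709 or later, where the ProcessMitigations module (Get-ProcessMitigation) ships, and the property names under .DynamicCode are taken from that module's output as I know it, so confirm them with `Get-ProcessMitigation -Name MicrosoftEdgeCP.exe | Format-List` before relying on the field names.

```powershell
# Added example (not from the article or the Project Zero whitepaper).
# Assumes Windows 10 1709+ with the ProcessMitigations module available.
# The .DynamicCode.* property names are assumptions about that module's output.

function Get-AcgStatus {
    [CmdletBinding()]
    param(
        # Executable name whose configured mitigation policy to inspect.
        [Parameter(Mandatory)] [string] $ImageName
    )
    $policy = Get-ProcessMitigation -Name $ImageName
    [pscustomobject]@{
        Image                = $ImageName
        # ON means ACG is enforced: no new executable allocations and
        # no changing existing writable pages to executable.
        BlockDynamicCode     = $policy.DynamicCode.BlockDynamicCode
        # ON weakens ACG: individual threads may opt out of the policy.
        AllowThreadsToOptOut = $policy.DynamicCode.AllowThreadsToOptOut
        # ON only logs violations instead of failing the allocation.
        Audit                = $policy.DynamicCode.Audit
    }
}

function Get-RunningEdgeAcgStatus {
    # Effective policy on live EdgeHTML-era Edge Content Processes
    # (MicrosoftEdgeCP.exe); returns nothing if none are running.
    Get-Process -Name MicrosoftEdgeCP -ErrorAction SilentlyContinue | ForEach-Object {
        $live = Get-ProcessMitigation -Id $_.Id
        [pscustomobject]@{
            ProcessId            = $_.Id
            BlockDynamicCode     = $live.DynamicCode.BlockDynamicCode
            AllowThreadsToOptOut = $live.DynamicCode.AllowThreadsToOptOut
        }
    }
}

Get-AcgStatus -ImageName 'MicrosoftEdgeCP.exe'
Get-RunningEdgeAcgStatus
```

Reading the running process rather than only the configured policy matters because the two can differ: the value on the live process is what governs the next executable-memory allocation, and a Content Process where AllowThreadsToOptOut is ON is weaker than the mitigation as described above.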
This whitepaper examines ACG and out-of-process JIT and tries to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, it examines the implementation of the JIT server and describes multiple issues we uncovered in it (fixed at the time of publishing this document). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus we hope that this paper will be useful for other vendors who might consider employing similar mitigations.