Wanna hack Microsoft’s Edge browser? Google’s explained


Back in February 2018, Google’s Project Zero went public with a Microsoft Edge bug that Redmond couldn’t fix in time for its next patch release. Now, the Google researcher – Ivan Fratric – has provided a detailed technical explanation of the problem and says Microsoft’s fix might not be adequate.

Fratric discovered an interaction between just-in-time JavaScript compilation, Edge’s Chakra JavaScript engine, and Arbitrary Code Guard that gave attackers an arbitrary code execution vector.

With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or modify existing executable memory. The goal of this is to make it more difficult for an attacker who already gained some capabilities in the browser’s Content Process to execute arbitrary code.

Since modern web browsers rely on Just-In-Time (JIT) compilation of JavaScript to achieve better performance and the code compilation in JIT is incompatible with ACG, a custom solution was needed to enable ACG in Microsoft Edge: the JIT engine was separated from the Edge Content Process into a separate JIT Process. In this design, the Content Process sends JavaScript bytecode to the JIT Process, which then compiles it into machine code and maps the machine code into the Content Process.

This whitepaper examines ACG and out-of-process JIT and tries to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, it examines the implementation of the JIT server and describes multiple issues we uncovered in it (fixed at the time of publishing this document). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus, we hope that this paper will be useful for other vendors who might consider employing similar mitigations.
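As an added example, not code from the article or from Project Zero's paper: a PowerShell audit of whether the DynamicCode mitigation (the policy behind ACG) is actually in force on running Edge content processes, plus the per-image setting that enforces it for future launches, using the ProcessMitigations module that ships with Windows 10. The image name MicrosoftEdgeCP.exe and the exact spelling of the DynamicCode sub-properties and their ON/OFF/NOTSET values are assumptions based on the module's documented output.

```powershell
# Added example, not code from the article or the Project Zero paper.
# Audits whether ACG (the "DynamicCode" mitigation) is enforced on running
# instances of a process, and optionally sets the per-image policy so that
# future launches get it. Uses the ProcessMitigations module shipped with
# Windows 10 1709+; run from an elevated PowerShell session.

function Get-AcgStatus {
    param(
        # MicrosoftEdgeCP is the EdgeHTML content-process image (assumption for
        # this example; Get-Process names carry no ".exe" suffix).
        [string]$ProcessName = 'MicrosoftEdgeCP'
    )

    # Get-ProcessMitigation -Id reads the mitigations actually in effect on the
    # live process, not the registry policy that would apply at the next launch.
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $m = Get-ProcessMitigation -Id $_.Id
        [pscustomobject]@{
            ProcessId        = $_.Id
            ProcessName      = $_.ProcessName
            # DynamicCode sub-properties as named in the module's output (assumed):
            # BlockDynamicCode is the ACG switch; the other two relax or audit it.
            BlockDynamicCode = $m.DynamicCode.BlockDynamicCode
            ThreadsCanOptOut = $m.DynamicCode.AllowThreadsToOptOut
            AuditDynamicCode = $m.DynamicCode.AuditDynamicCode
        }
    }
}

function Enable-AcgForImage {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'MicrosoftEdgeCP.exe'

    # Writes the per-image mitigation policy; it applies to new processes of
    # that image, not to ones already running.
    Set-ProcessMitigation -Name $ImageName -Enable DynamicCode
}

# Usage: list every content process and its ACG state. A row whose
# BlockDynamicCode is OFF or NOTSET is running without ACG and could still
# allocate or rewrite executable memory, which is exactly what the mitigation
# is meant to prevent.
Get-AcgStatus | Format-Table -AutoSize
```

Note that the audit shows what the kernel is enforcing on each live process, so it also catches the case where a policy was written for the image but a process was launched before it, or with a thread-level opt-out.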


