
Strengthening the Microsoft Edge Sandbox - vezycash
https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
======
israrkhan
Edge was the most hacked browser [1] (5 times) in the Pwn2Own 2017 contest. In
contrast, Chrome faced only one unsuccessful hacking attempt.

This blog post looks more like a damage control measure.

[1] [http://www.tomshardware.com/news/pwn2own-2017-microsoft-edge...](http://www.tomshardware.com/news/pwn2own-2017-microsoft-edge-hacked,33940.html)

~~~
roryisok
> chrome faced only one unsuccessful hacking attempt

One UNsuccessful attempt? Does that mean only one attempt on chrome was made?

~~~
israrkhan
The team that was trying to hack Chrome could not do it in the allocated time.

[https://www.zerodayinitiative.com/blog/2017/3/15/the-results...](https://www.zerodayinitiative.com/blog/2017/3/15/the-results-pwn2own-2017-day-one)

------
cwyers
It's nice that they're investing in this. I just wish Edge didn't suck. I have
tried using it as my primary browser and it's just not there. It crashes,
trying to move tabs around is a pain, sometimes it just isn't performant.

~~~
egeozcan
It opens web pages very fast, there's that. But, alas, everything else just
feels sluggish. On my crazy high-end system, it takes a second for the menu to
show up after right-clicking the address bar.

What I want is IE's rendering speed with Chrome's UI and Firefox's
extensibility (the good old system, not the new one).

~~~
wolf550e
Chrome's extension model is required for security; that's why Firefox and Edge
adopted it and abandoned their old extension/plugin models.

------
mwcampbell
The earlier post on Code Integrity Guard and Arbitrary Code Guard is also
interesting:

[https://blogs.windows.com/msedgedev/2017/02/23/mitigating-ar...](https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/)

Microsoft should apply these same restrictions to all UWP apps. Yes, that
means banning JIT compilation, as Apple does on iOS. And desktop applications
shouldn't be able to inject DLLs into UWP applications and system components.

~~~
comex
In theory, they've always banned JIT in UWP apps, at least by default. UWP
apps can't use VirtualProtect; they have to use VirtualProtectFromApp, which
only allows JIT if you have the "codeGeneration" capability (and always
enforces W^X). I don't use Windows so I don't know how it interacts with this
new thing. Maybe the protection wasn't enforced at the kernel level?

On any platform, it makes sense to enforce code signing by default as a
hardening measure, but some apps like browsers cannot operate without a JIT.
So there needs to be some exception process - possibly requiring the use of a
separate process for JIT compilation, as Edge now does. You don't want to end
up like iOS where Safari is the only browser permitted on the platform.

~~~
contextfree
Modern apps completely banned JIT back in the Windows 8.x days (except for the
CLR, which was whitelisted); the APIs/capabilities you mentioned were only
added in Windows 10.

------
youdontknowtho
On the subject of the actual content of the article, it was a really
interesting read. I would like to hear more about how they profiled or "tuned"
the app containers for API access. That might be really useful for other devs.

------
ryuuchin
I didn't see this mentioned in the blog posts, but I believe Edge also has
win32k filtering[1] to reduce the kernel attack surface as well (added in the
AU). This is different from the win32k lockdown that Chrome uses, which
completely blocks all win32k syscalls; instead it allows a whitelist(?) of
acceptable syscalls to help reduce the attack surface (I'm not actually sure
how it works).

It seems the signature is checked before allowing this mitigation so only
Microsoft signed applications can currently use this mitigation[1].

[1] [https://googleprojectzero.blogspot.com/2016/11/breaking-chai...](https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html)
(see Wrap Up section near the end)

~~~
justinschuh
So, the thing we call "win32k lockdown" on Chrome is just a term for the
various things we had to do to enable ProcessSystemCallDisablePolicy on our
sandboxed renderer processes (the processes that handle Web content).
ProcessSystemCallDisablePolicy is a very big hammer, because enabling it prior
to process launch means the kernel blocks _all_ GDI and NTUser calls, such
that the process can't interact with the UI or graphics subsystems. Chrome can
do this because our UI and graphics acceleration layer is split into our
unsandboxed browser process and the more weakly sandboxed GPU process.

The difference with Edge and IE is that they run their UI and graphics stack
in their content processes, which are an analog to Chrome's renderer
processes. However, any UI on Windows requires win32k kernel support, so they
can't disable it like Chrome does. Instead, Edge uses its win32k filter to
limit the attack surface to only the calls that they need. So, where Chrome's
architecture allowed us to make an aggressive cut, Microsoft is instead
working to iteratively shut off the same attack surface in Edge.

And yes, the win32k whitelist is currently restricted to EdgeHTML processes by
the kernel and signature enforcement. I know this because we currently sandbox
our GPU process at about the same level as an IE content process, and we
wanted to use the win32k whitelist to get the same improvements as Edge.
Unfortunately, Microsoft is still working on the capability, and is not ready
to expose it to third parties yet (but has given signs they may be willing to
do so in the future).

Source: I lead engineering on Chrome security and am the original architect of
Chrome's win32k lockdown.
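
An added example, not from this thread and not code from either browser: a PowerShell audit that reports, for each running process of a given name, whether the mitigations discussed above (the all-or-nothing ProcessSystemCallDisablePolicy, ACG, CIG, CFG) are active, so a defender can verify that content processes really run with them and compare them with the outer browser process. It assumes Windows 10 1709 or later, where the ProcessMitigations module ships Get-ProcessMitigation; the property names under its output object (SystemCall, DynamicCode, SignedBinaries, CFG) are assumed from that cmdlet's report format, and MicrosoftEdge / MicrosoftEdgeCP are assumed to be the EdgeHTML broker and content-process image names.

```powershell
# Added example (not from the thread). Requires Windows 10 1709+ for the
# ProcessMitigations module. Reports the live mitigation state of running
# processes so the sandboxing claims above can be checked on a real machine.
function Get-BrowserMitigationReport {
    param(
        # Assumed image names: MicrosoftEdge = broker, MicrosoftEdgeCP = content process.
        [string[]]$ProcessName = @('MicrosoftEdge', 'MicrosoftEdgeCP')
    )
    foreach ($name in $ProcessName) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) { Write-Warning "No running process named $name"; continue }
        foreach ($p in $procs) {
            # -Id reads the policy of a live process rather than a registry default.
            # The nested property names below are assumed from the cmdlet's output.
            $m = Get-ProcessMitigation -Id $p.Id
            [pscustomobject]@{
                Name           = $name
                Pid            = $p.Id
                # ProcessSystemCallDisablePolicy: blocks every GDI/NTUser call
                # (the "big hammer" Chrome applies to its renderers).
                Win32kDisabled = $m.SystemCall.DisableWin32kSystemCalls
                # Arbitrary Code Guard: no new executable memory in the process.
                ACG            = $m.DynamicCode.BlockDynamicCode
                # Code Integrity Guard: only Microsoft-signed images may load.
                CIG            = $m.SignedBinaries.MicrosoftSignedOnly
                # Control Flow Guard.
                CFG            = $m.CFG.Enable
            }
        }
    }
}

# Usage: print the table, then flag any content process running without ACG.
$report = Get-BrowserMitigationReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Name -eq 'MicrosoftEdgeCP' -and "$($_.ACG)" -ne 'ON' } |
    ForEach-Object { Write-Warning "PID $($_.Pid): ACG is not enforced" }
```

Because the win32k filter Edge uses is a separate kernel mechanism from ProcessSystemCallDisablePolicy, a content process may legitimately show Win32kDisabled as OFF while still being filtered, so treat that column as describing Chrome-style lockdown only.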

------
mtgx
I assume this wasn't available in the browser when Pwn2Own happened, because
Edge was hit _hard_ by the security teams there.

[https://www.zerodayinitiative.com/blog/](https://www.zerodayinitiative.com/blog/)

------
partycoder
Edge's only practical purpose is to download Chrome or Firefox, and I hope it
stays that way.

MS made it very painful for website developers to support Internet Explorer,
and having to support IE crippled the web for years.

Today there is not a single developer that likes Internet Explorer or its
successor Edge. You will not see a single human being on planet Earth with an
Edge t-shirt, and if you see one, it's probably that person's laundry day.

The e logo only brings memories of your computer freezing or getting millions
of stupid popups or a browser window with hundreds of toolbars (when you used
someone else's computer), and conversations asking people to try another
browser, or having to switch my user-agent string or create a VM with the sole
purpose of running an IE only website, or having to stay late at work because
some user with IE experienced problems.

Plus, Microsoft is dishonest and used their browser to mine Google Search
activity and send it to their servers to improve Bing. And god knows what
else.

Microsoft is selfish, plays dirty and does not deserve a seat at the table of
people deciding web standards. They can make Chakra 100x faster, make you a
sandwich and jump through hoops but nobody trusts them anymore so it doesn't
matter.

We all lived a decade under the tyranny of Internet Explorer and we have had
enough. If there is a product that deserves to go away, it's Microsoft's web
browser. The day it does I am going to throw a party, and I am sure many
others will as well. Please give up, use your time on something else.

------
Someone1234
Is the AC Access Scope whitelisting described in the article available to all
UWP apps in the Creators Update?

I understand it was added specifically for Edge sandboxing, but it sounds like
useful functionality (albeit niche) for other apps that deal with untrusted
data routinely.

PS - In terms of technology and standards Edge is a pretty solid browser. I
love the Dark theme.

~~~
youdontknowtho
Yeah, actually app container tech is available to any native developer. (Maybe
there's a .Net API for dealing with them. Don't know.)

~~~
Someone1234
I wasn't asking about app containers in general. I was asking specifically
about the AC Access Scope whitelisting discussed in the article.

Essentially the thing they added in the Creators Update and are discussing
here.

------
thr0waway1239
From the comments section:

"I want to support MS, I’m a development partner. But I feel like you guys
spend way too much time thinking about how to push intrusive ad’s into the OS
and trying to get easy ad-based revenue from your browser: Talking very good
security talk but not walking a very good security walk."

The commenter also makes a comment about how Chrome, the older browser, was
found to be much more secure than Edge, the newer one. And then a bunch of
technical stuff from someone responding to it (the respondent is not the
person writing the article).

Am I the only one who feels MSFT would simply be better off not writing these
articles at all if they don't particularly care for engaging with their
audience?

Oh, and you can't leave a comment without signing in with a _Microsoft_
account. :-)

~~~
Ezhik
A Microsoft website requiring a Microsoft account to make comments? The
horror!

------
tapirl
Just checked my website visitor log. Only 1% of people use Edge. It is not a
surprise at all.

The best way to secure a browser is just like what Chrome and Firefox do: open
source it.

~~~
Someone1234
Chrome isn't Open Source. Chromium is Open Source.

Chrome adds a lot of proprietary bits including (but not limited to): Audio &
Video Codecs, Flash Plugin, Crash Reporting, Metrics, et al.

~~~
DannyBee
"Crash Reporting, Metrics,"

These are not proprietary, actually.

" Audio & Video Codecs,"

Neither is this, last I looked (but I haven't looked in a while).

~~~
comex
The "proprietary" codec support is open source but disabled by default in a
Chromium build unless you pass proprietary_codecs=1. Why? Patents. AFAIK,
Google pays for a license from the patent holders to decode the codecs within
Chrome, but not an open-ended license for anyone using the source code. This
is not their fault and no different from how many Linux distros don't include
MP3 decoding by default. (Incidentally, the last MP3 patent is set to expire
at the end of this year…)

~~~
HappyTypist
The last MP3 patent already expired a week ago actually.

------
najajomo
CIG, ACG, RCE .. I thought DEP and ASLR were supposed to have already cured
RCE. Let's face it, when are they going to admit that the Windows memory model
running on Intel hardware is defective. Let's see how long this comment stays
up before it's modded into oblivion.

~~~
evmar
"Please don't bait other users by inviting them to downvote you or proclaim
that you expect to get downvoted."
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)