Posted by Ivan Fratric, Project Zero
With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within the process or to modify existing executable memory. The goal is to make it more difficult for an attacker who has already gained some capabilities in the browser's Content Process to execute arbitrary code.
We examined ACG and tried to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, we examined the implementation of the JIT server and discovered a couple of issues in it (which had been fixed at the time of publishing this). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus we hope that this work will be useful for other vendors who might consider employing similar mitigations.