Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Posted by Ivan Fratric, Project Zero


With Windows 10 Creators Update, Microsoft offered a brand new safety mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is carried out to a Microsoft Edge Content Process, it makes it unimaginable to allocate new executable reminiscence inside a job or adjust current executable reminiscence. The function of that is to make it tougher for an attacker who already received some features in the browser’s Content Process to execute arbitrary code.


Since trendy internet browsers depend on Just-In-Time (JIT) compilation of JavaScript to succeed in higher efficiency and the code compilation in JIT is incompatible with ACG, a customized answer used to be had to permit ACG in Microsoft Edge: The JIT engine used to be separated from the Edge Content Process right into a separate, JIT Process.


We analyzed ACG and attempted to reply to the query of ways helpful this mitigation goes to be in fighting an attacker from exploiting Microsoft Edge. Additionally, we tested the implementation of the JIT server and exposed a couple of problems in it (which have been mounted on the time of publishing this). While the paper makes a speciality of Microsoft Edge, we consider that another try to put in force out-of-process JIT would come across identical issues. Thus we are hoping that this paintings could be helpful for different distributors who would possibly imagine using identical mitigations.

We printed the results of this paintings in a whitepaper that may be discovered right here. All comparable fabrics (equipment, PoC code) will also be discovered right here.

Author: Apple Glory

After this article was published, Apple told Dave Choffnes that his iPhone app, designed to detect net neutrality violations, will be allowed in the iTunes App Store. According to Choffnes, Apple contacted him and explained that the company has to deal with many apps that don't do the things they