X41 D-SEC GmbH Dennewartstr

Browser Security White Paper

Final Paper 2017-09-19

Markus Vervier, Michele Orrù, Berend-Jan Wever, Eric Sesterhenn

X41 D-SEC GmbH
Dennewartstr. 25-27
D-52068 Aachen
Amtsgericht Aachen: HRB19989

Revision History

Revision  Date        Change            Editor
1         2017-04-18  Initial Document  E. Sesterhenn
2         2017-04-28  Phase 1           M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
3         2017-05-19  Phase 2           M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
4         2017-05-25  Phase 3           M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
5         2017-06-05  First Draft       M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
6         2017-06-26  Second Draft      M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
7         2017-07-24  Final Draft       M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
8         2017-08-25  Final Paper       M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever
9         2017-09-19  Public Release    M. Vervier, M. Orrù, E. Sesterhenn, B.-J. Wever

X41 D-SEC GmbH, Page 1 of 196

Contents

1 Executive Summary ..... 7
2 Methodology ..... 10
3 Introduction ..... 12
  3.1 Google Chrome ..... 13
  3.2 Microsoft Edge ..... 14
  3.3 Microsoft Internet Explorer (IE) ..... 16
4 Attack Surface ..... 18
  4.1 Supported Standards ..... 18
    4.1.1 Web Technologies ..... 18
5 Organizational Security Aspects ..... 21
  5.1 Bug Bounties ..... 21
    5.1.1 Google Chrome ..... 21
    5.1.2 Microsoft Edge ..... 22
    5.1.3 Internet Explorer ..... 22
  5.2 Exploit Pricing ..... 22
    5.2.1 Zerodium ..... 23
    5.2.2 Pwn2Own ..... 23
    5.2.3 VulDB ..... 25
  5.3 History of Vulnerabilities ..... 26
    5.3.1 Update Frequencies ..... 26
    5.3.2 Time to Patch ..... 27
6 Enterprise Features ..... 29
  6.1 Legacy and Compatibility Features ..... 29
    6.1.1 Chrome Legacy Browser Support ..... 29
    6.1.2 Microsoft Edge Enterprise Mode and Compatibility List ..... 30
  6.2 Enterprise Management via Group Policies ..... 33
7 Sandboxing ..... 35
  7.1 Sandboxing Techniques ..... 35
    7.1.1 Integrity Levels ..... 36
    7.1.2 AppContainers ..... 37
    7.1.3 Job (Kernel) Objects ..... 40
    7.1.4 Other Sandboxing Settings and Techniques ..... 40
    7.1.5 Sandbox Inter Process Communication (IPC) ..... 42
  7.2 Sandbox Testing Methodology ..... 43
  7.3 Google Chrome Sandbox ..... 46
    7.3.1 Main Process ..... 46
    7.3.2 type=crashpad-handler and type=watcher Processes ..... 47
    7.3.3 type=renderer and type=ppapi Processes ..... 47
    7.3.4 type=gpu-process ..... 48
  7.4 Microsoft Edge Sandbox ..... 49
    7.4.1 Manager AppContainer ..... 50
    7.4.2 Non-Management AppContainers ..... 52
  7.5 Internet Explorer Sandbox (Protected Mode) ..... 56
  7.6 Sandbox Access Comparison ..... 57
8 Process and Origin Isolation ..... 59
  8.1 Implementations of Process Isolation ..... 60
    8.1.1 Process Level Isolation in Google Chrome ..... 60
      8.1.1.1 Google Chrome Experimental Site-Per-Process Support ..... 63
    8.1.2 Process Level Isolation in Microsoft Edge ..... 64
    8.1.3 Process Level Isolation in Internet Explorer ..... 66
  8.2 Process Spawning and Exploitation ..... 66
9 Hardening and Exploit Mitigation ..... 67
  9.1 Testing Methodology ..... 67
  9.2 Nomenclature ..... 68
  9.3 Hardening Techniques ..... 68
    9.3.1 /GS ..... 69
    9.3.2 Arbitrary Code Guard (ACG) ..... 69
    9.3.3 Address Space Layout Randomization (ASLR) ..... 69
    9.3.4 Allocator Hardening ..... 71
      9.3.4.1 Allocators of Google Chrome ..... 71
      9.3.4.2 Allocators of Microsoft Edge and Internet Explorer ..... 73
      9.3.4.3 JavaScript Memory Management in Internet Explorer ..... 74
      9.3.4.4 JavaScript Memory Management in Microsoft Edge ..... 74
    9.3.5 Control Flow Guard (CFG) ..... 74
    9.3.6 Child Process Policy ..... 75
    9.3.7 Data Execution Prevention (DEP) ..... 76
    9.3.8 HighEntropyVA ..... 76
    9.3.9 Extension Point DLLs ..... 77
    9.3.10 Invalid Handles ..... 77
    9.3.11 Low-integrity Binaries ..... 77
    9.3.12 Remote DLLs ..... 77
    9.3.13 Syscall Proxying ..... 78
    9.3.14 Out-of-process JavaScript Compilation ..... 79
    9.3.15 Safe Structured Exception Handling (SafeSEH) / Structured Exception Handling Overwrite Prevention (SEHOP) ..... 79
    9.3.16 Signature Checks ..... 80
    9.3.17 System Fonts Only ..... 81
    9.3.18 VTGuard ..... 81
10 Early Adoption of Hardening Features ..... 83
  10.1 DEP ..... 84
  10.2 Address Space Layout Randomization (ASLR) ..... 84
  10.3 HighEntropyVA ..... 84
  10.4 CFG ..... 84
11 Web Security ..... 85
  11.1 Same Origin Policy Enforcement ..... 86
  11.2 Port Banning Enforcement ..... 87
  11.3 Content Security Policy Enforcement ..... 89
  11.4 HTML5 Features Support and New Web Technologies ..... 90
    11.4.1 Service Workers ..... 91
    11.4.2 WebRTC and ORTC ..... 93
    11.4.3 History Management ..... 95
    11.4.4 WebAssembly . ..

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    197 Page
