Cutting Edge: Microsoft Browser Security — From People Who Owned It

Presented at Black Hat Europe 2018, Dec. 6, 2018, 2:45 p.m. (50 minutes).

Microsoft Edge, the new default browser for Windows 10, is heavily sandboxed. In fact, it is probably the only browser with its main process running inside a sandbox. Microsoft even goes to great lengths to design and implement platform security features exclusively for Microsoft Edge.

In this talk, we will take a deep dive into the Microsoft Edge security architecture. This includes sandbox initialization, browser broker implementation, inter-process communication, and renderer security isolation. We will present two logical sandbox escape bug chains consisting of three bugs for Microsoft Edge, one of which we've used in Pwn2Own, and the other two are completely new. They are entirely different from memory corruption bugs, as all we've done is abuse normal features implemented in the browser and operating system.


Presenters:

  • Wei Wei - Security Researcher, Tencent Security Xuanwu Lab
    Wei Wei is a security researcher at Tencent. He has three years of security research and development experience. He has focused on security research into privilege escalation and application sandboxes, and has reported various bugs to Microsoft, Adobe Inc., HP Inc. and Google Inc. in the last three years. He has published research on Windows platform security features such as Return Flow Guard, and on privilege escalation and remote code execution in third-party software such as HP and Lenovo products.
  • Chuanda Ding - Senior Security Researcher, Tencent Security Xuanwu Lab
    Chuanda Ding is a senior security researcher on Windows platform security. He spoke at DEF CON China 2018, CanSecWest 2017, CanSecWest 2016 and QCon Beijing 2016.
  • Zhipeng Huo - Senior Security Researcher, Tencent Security Xuanwu Lab
    Zhipeng Huo is a senior security researcher at Tencent. His focus includes Windows security features, browsers, COM, RPC, ALPC, sandboxes and more. He has published research on sandbox escape with security software and other third-party software.
