Posted by Ivan Fratric, Project Zero
With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or modify existing executable memory. The goal of this is to make it more difficult for an attacker who already gained some capabilities in the browser’s Content Process to execute arbitrary code.
We analyzed ACG and tried to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, we examined the implementation of the JIT server and uncovered multiple issues in it (that have been fixed at the time of publishing this). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus we hope that this work would be useful for other vendors who might consider employing similar mitigations.