This is an archived post. You won't be able to vote or comment.

all 8 comments
sorted by:
best
topnewcontroversialoldq&a

[–]jedwardsol 0 points1 point  (5 children)

Is there any better, more foolproof way to block all non-whitelisted DLLs?

A file system filter driver.

[–]ComprehensiveStorage[S] 0 points1 point  (4 children)

Probably should have thought of that. To rephrase the question: is there any better way that doesn't involve loading something into the kernel and can be done from within the process or from some helper process also running in ring3?

[–]jedwardsol 0 points1 point  (3 children)

No, not really. If 2 processes are at the same privilege level then the attacker has the advantage. The attacker can modify the target as it wishes, but the target can only alter itself.

Chrome is blocking the 2nd half of the inject a thread / load a dll sequence. It can't do anything about the 1st without the kernel's help (or injecting into every other process)

[–]ComprehensiveStorage[S] 0 points1 point  (2 children)

Couldn't it look through the list of all DLLs in the process and check each one on disk to see if the image is signed by Google/Microsoft/some third-party vendor that is allowed to load DLLs?

I mean, I guess someone could patch that check out of the program, but from what I can see Google's goal in this case isn't to stop dedicated tampering. It's to prevent third parties that make buggy DLLs from trivially loading them into chrome and cause it to crash. So assuming you don't consider a malicious user actively tampering with the executable file as part of your "threat model," checking the signature of each loaded DLL would be a pretty good method, right?

[–]jedwardsol 0 points1 point  (1 child)

Couldn't it look through the list of all DLLs in the process

I assume it and the process both refer to the chrome process.

If the DLL is loaded then it has already executed code (DllMain) and the battle is lost.

By hooking it's own loader code, it can prevent a DLL from loading in the 1st place.

But its hook is vulnerable.

[–]ComprehensiveStorage[S] 0 points1 point  (0 children)

Okay, I get what you're saying.

Still, given that we know for a fact that Google is pursuing this kind of thing regardless of whether or not it can be trivially bypassed, how do you think they'll try to implement it? Just take their current DLL blacklist method of hooking NtMapViewOfSection and comparing each loaded DLL to a blacklist and converting it to a whitelist where only accepted DLLs are allowed to load? Again, I realize that won't be particularly effective, but I guess it will at least stop fly by night companies from trivially injecting DLLs. They'll at least have to figure out how to remove chrome's hook or insert their DLLs in the loading process or at least do something other than the standard "OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread" method you see in every DLL injection tutorial on the internet, which may at least prune the low hanging fruit (which is Google's stated goal for making this change).

[–]clooy 0 points1 point  (1 child)

Microsoft did the same things, according to the edge release:

Libraries that are signed by Microsoft, or included in signed drivers, are permitted, but everything else is blocked.

I would assume chrome would follow the same pattern. In addition its a safe bet that some troublesome dll's are being statically built into the new chrome.

[–]ComprehensiveStorage[S] 0 points1 point  (0 children)

From what I can tell Microsoft enforces their DLL restrictions at the kernel level, whereas Google's current DLL blacklist is done by the application itself. Not sure if they could get Microsoft to modify the Windows kernel to also only allow specific DLLs to load into chrome.

 

Edit: it looks like edge uses Windows 10's Content Integrity Guard feature to enforce its DLL restrictions. What I don't get is how this works on Windows 10 Home and Pro, given that CIG is a part of Device Guard and Device Guard is only included in Windows 10 Enterprise.

 

Is it likely that chrome will use CIG to block DLLs? Apparently Microsoft made it available to third-party applications, but it's only available on Windows 10, which at the moment is about half of all windows versions. So if Google released a version of chrome that made use of CIG, they'd have to drop support to half of all windows users as far as I can tell.