Bug 1306406 (injecteject) - [Meta] Mitigations for DLL Injection
Opened 8 years ago, updated 2 years ago
Status: NEW
Categories: Toolkit :: Startup and Profile System, defect, P2
People: Reporter: bugzilla, Unassigned
References: Depends on 5 open bugs
Details: Keywords: meta
I'm going to be spending Q4 2016 working on improving stability as it relates to DLL injection and other issues created by antivirus software.
This is a meta bug for tracking issues specifically related to the former.
Comment 1 • 8 years ago (Reporter)
This is from an email that I wrote to blassey:
I definitely agree that safe mode should be the most aggressive with both kernel-supported (Windows 8 and newer only, sadly) as well as user-mode mitigations. I have lots of ideas about this:
1) We should enable the "extension points" mitigation. That will disable AppInit_DLLs, Windows Hooks, a11y hooks and such (See also bug 1291353). Other injection mechanisms such as CreateRemoteThread() are more difficult to mitigate (though I have some extremist ideas about how to handle that, too)...
2) We could also enable the "require Microsoft-signed DLLs" mitigation with the caveat that it must be temporarily switched off whenever we load our own DLLs. Obviously that opens a window for abuse, but it would be quite effective for process startup injections (the ESET bug comes to mind here).
3) Make safe mode turn the blocklist into a whitelist where we only allow DLLs that are either ours or part of the OS. Probably ineffective against a sufficiently motivated attacker, but more than adequate to deal with non-malicious third-parties.
4) I also think that we might want to consider grabbing call stacks of third-party dll injections and feeding them into telemetry. Since we've already hooked into the loader, we could easily do a stackwalk at that time (but only for third-party libs). Having a better understanding of the injected DLL's mechanism of attack would be beneficial for the purposes of developing mitigations.
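The following is an added example, not code from the bug or from Firefox: a defender-side PowerShell script that audits the modules loaded into running firefox.exe processes against the "ours or part of the OS" allow-list from idea 3, then applies idea 1 (the extension-points mitigation) to the firefox.exe image through the Windows ProcessMitigations module. It assumes Windows 10 or newer, an elevated 64-bit shell, and that a "trusted" signer means an Authenticode subject with O=Mozilla Corporation or O=Microsoft Corporation (my assumption, not the bug's definition).

```powershell
# Added example (not from bug 1306406). Assumes Windows 10+, elevated 64-bit PowerShell.
$ProcessName = 'firefox'

function Get-UntrustedModule {
    # Returns every module in $Name processes that is neither under the Windows
    # directory nor validly signed by Mozilla or Microsoft (assumed allow-list).
    param([string]$Name)
    $seen = @{}
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }  # access denied / wow64 mismatch
        foreach ($mod in $modules) {
            $path = $mod.FileName
            if ($seen.ContainsKey($path)) { continue }
            $seen[$path] = $true
            # OS binaries are catalog-signed; treat the Windows directory as the OS part
            # of the allow-list rather than verifying each catalog (slow).
            if ($path -like "$env:SystemRoot\*") { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $trusted = ($sig.Status -eq 'Valid') -and
                       ($subject -match 'O=(Mozilla|Microsoft) Corporation')
            if (-not $trusted) {
                [pscustomobject]@{
                    Pid    = $proc.Id
                    Module = $mod.ModuleName
                    Path   = $path
                    Status = $sig.Status
                    Signer = $subject
                }
            }
        }
    }
}

# Idea 3/4: list candidates for the blocklist or for telemetry (third-party injections).
Get-UntrustedModule -Name $ProcessName | Format-Table -AutoSize

# Idea 1: disable extension points (AppInit_DLLs, window hooks, etc.) for new
# firefox.exe processes. Note: do NOT enable MicrosoftSignedOnly here; as the comment
# says, Firefox's own (Mozilla-signed) DLLs would then fail to load.
Set-ProcessMitigation -Name 'firefox.exe' -Enable ExtensionPointDisable

# Verify the per-image setting was recorded.
Get-ProcessMitigation -Name 'firefox.exe'
```

Modules flagged by the audit are only candidates: a legitimate but unsigned or differently signed component (a driver vendor's shell extension, for example) shows up here too and needs a human look before it goes on any blocklist.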
Updated • 8 years ago: Priority: -- → P2
Updated • 7 years ago: Depends on: sandbox-parent
Updated • 7 years ago: No longer depends on: sandbox-parent
Updated • 2 years ago: Severity: normal → S3