Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(91)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/process_mitigations.cc

Issue 10690058: Add sandbox support for Windows process mitigations (Closed) Base URL: https://src.chromium.org/svn/trunk/src/
Patch Set: Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« sandbox/win/sandbox_win.gypi ('K') | « sandbox/win/src/process_mitigations.h ('k') | sandbox/win/src/process_mitigations_test.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/process_mitigations.h"
6
7 #include "base/win/windows_version.h"
8 #include "sandbox/win/src/nt_internals.h"
9 #include "sandbox/win/src/sandbox_policy.h"
10 #include "sandbox/win/src/sandbox_utils.h"
11 #include "sandbox/win/src/win_utils.h"
12
13 namespace {
14
15 // Functions for enabling policies.
16 typedef BOOL (WINAPI *SetProcessDEPPolicyFunction)(DWORD dwFlags);
17
18 typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)(
19 PROCESS_MITIGATION_POLICY mitigation_policy,
20 PVOID buffer,
21 SIZE_T length);
22
23 typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)(
24 DWORD DirectoryFlags);
25
26 } // namespace
27
28 namespace sandbox {
29
30 bool SetProcessMitigationsForCurrentProcess(uint64 flags) {
31 if (!CanSetProcessMitigationsPostStartup(flags))
32 return false;
33
34 HMODULE module = ::GetModuleHandleW(L"kernel32.dll");
cpu_(ooo_6.6-7.5) 2012/09/07 19:22:55 use the Ansi version. This one of the rare cases w
jschuh 2012/09/07 20:23:14 Done.
35
36 // We can't apply anything before Win XP, so just return cleanly.
37 if (!IsXPSP2OrLater())
38 return true;
39
40 if (flags & TargetPolicy::MITIGATION_DLL_SEARCH_ORDER) {
41 SetDefaultDllDirectoriesFunction set_default_dll_directories =
42 reinterpret_cast<SetDefaultDllDirectoriesFunction>(
43 ::GetProcAddress(module, "SetDefaultDllDirectories"));
44
45 // Check for SetDefaultDllDirectories since it requires KB2533623.
46 if (set_default_dll_directories) {
47 if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
48 return false;
49 }
50 }
51
52 base::win::Version version = base::win::GetVersion();
53
54 // Set the heap to terminate on corruption
55 if (flags & TargetPolicy::MITIGATION_HEAP_TERMINATE) {
56 if (!::HeapSetInformation(NULL, HeapEnableTerminationOnCorruption,
57 NULL, 0))
58 return false;
59 }
60
61 #ifndef _WIN64 // DEP is always enabled on 64-bit.
62 if (flags & TargetPolicy::MITIGATION_DEP) {
63 DWORD dep_flags = PROCESS_DEP_ENABLE;
64
65 if (flags & TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK)
66 dep_flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION;
67
68 SetProcessDEPPolicyFunction set_process_dep_policy =
69 reinterpret_cast<SetProcessDEPPolicyFunction>(
70 ::GetProcAddress(module, "SetProcessDEPPolicy"));
71 if (set_process_dep_policy) {
72 if (!set_process_dep_policy(dep_flags) &&
73 ERROR_ACCESS_DENIED != ::GetLastError()) {
74 return false;
75 }
76 } else {
77 // We're on XP sp2, so use the less standard approach.
78 // For reference: http://www.uninformed.org/?v=2&a=4
79 const int MEM_EXECUTE_OPTION_ENABLE = 1;
80 const int MEM_EXECUTE_OPTION_DISABLE = 2;
81 const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4;
82 const int MEM_EXECUTE_OPTION_PERMANENT = 8;
83
84 NtSetInformationProcessFunction set_information_process = NULL;
85 ResolveNTFunctionPtr("NtSetInformationProcess",
86 &set_information_process);
87 if (!set_information_process)
88 return false;
89 ULONG dep = MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT;
90 if (!(dep_flags & PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION))
91 dep |= MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION;
92 if (!SUCCEEDED(set_information_process(GetCurrentProcess(),
93 ProcessExecuteFlags,
94 &dep, sizeof(dep))) &&
95 ERROR_ACCESS_DENIED != ::GetLastError()) {
96 return false;
97 }
98 }
99 }
100 #endif
101
cpu_(ooo_6.6-7.5) 2012/09/07 19:22:55 line 52 can move down here?
jschuh 2012/09/07 20:23:14 Done.
102 // This is all we can do in Win7 and below
cpu_(ooo_6.6-7.5) 2012/09/07 19:22:55 period
jschuh 2012/09/07 20:23:14 Done.
103 if (version < base::win::VERSION_WIN8)
104 return true;
105
106 // Load the Win8 API on demand.
cpu_(ooo_6.6-7.5) 2012/09/07 19:22:55 remove comment line 106
jschuh 2012/09/07 20:23:14 Done.
107 SetProcessMitigationPolicyFunction set_process_mitigation_policy =
108 reinterpret_cast<SetProcessMitigationPolicyFunction>(
109 ::GetProcAddress(module, "SetProcessMitigationPolicy"));
110 if (!set_process_mitigation_policy)
111 return false;
112
113 // Enable ASLR policies.
114 if (flags & TargetPolicy::MITIGATION_RELOCATE_IMAGE) {
115 PROCESS_MITIGATION_ASLR_POLICY policy = { 0 };
116 policy.EnableForceRelocateImages = true;
117 policy.DisallowStrippedImages = (flags &
118 TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED) ==
119 TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED;
120
121 if (!set_process_mitigation_policy(ProcessASLRPolicy, &policy,
122 sizeof(policy)) &&
123 ERROR_ACCESS_DENIED != ::GetLastError()) {
124 return false;
125 }
126 }
127
128 // Enable strict handle policies.
129 if (flags & TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS) {
130 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = { 0 };
131 policy.HandleExceptionsPermanentlyEnabled =
132 policy.RaiseExceptionOnInvalidHandleReference = true;
133
134 if (!set_process_mitigation_policy(ProcessStrictHandleCheckPolicy, &policy,
135 sizeof(policy)) &&
136 ERROR_ACCESS_DENIED != ::GetLastError()) {
137 return false;
138 }
139 }
140
141 // Enable system call policies.
142 if (flags & TargetPolicy::MITIGATION_WIN32K_DISABLE) {
143 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = { 0 };
144 policy.DisallowWin32kSystemCalls = true;
145
146 if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy,
147 sizeof(policy)) &&
148 ERROR_ACCESS_DENIED != ::GetLastError()) {
149 return false;
150 }
151 }
152
153 // Enable system call policies.
154 if (flags & TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE) {
155 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = { 0 };
156 policy.DisableExtensionPoints = true;
157
158 if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy,
159 &policy, sizeof(policy)) &&
160 ERROR_ACCESS_DENIED != ::GetLastError()) {
161 return false;
162 }
163 }
164
165 return true;
166 }
167
168 DWORD64 GetProcessMitigationPolicyFlags(uint64 flags) {
169 base::win::Version version = base::win::GetVersion();
170
171 // Nothing for Win XP
172 if (version < base::win::VERSION_VISTA)
173 return 0;
174
175 DWORD64 real_flags = 0;
176 if (flags & TargetPolicy::MITIGATION_DEP) {
177 real_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE;
178 if (!(flags & TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK))
179 real_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE;
180 }
181
182 if (flags & TargetPolicy::MITIGATION_SEHOP)
183 real_flags |= PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE;
184
185 // Win 7 and Vista
186 if (version < base::win::VERSION_WIN8)
187 return real_flags;
188
189 if (flags & TargetPolicy::MITIGATION_RELOCATE_IMAGE) {
190 real_flags |=
191 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON;
192 if (flags & TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED) {
193 real_flags |=
194 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ _RELOCS;
195 }
196 }
197
198 if (flags & TargetPolicy::MITIGATION_HEAP_TERMINATE)
199 real_flags |= PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON;
200
201 if (flags & TargetPolicy::MITIGATION_BOTTOM_UP_ASLR)
202 real_flags |= PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON;
203
204 if (flags & TargetPolicy::MITIGATION_HIGH_ENTROPY_ASLR) {
205 real_flags |=
206 PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON;
207 }
208
209 if (flags & TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS) {
210 real_flags |=
211 PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON;
212 }
213
214 if (flags & TargetPolicy::MITIGATION_WIN32K_DISABLE) {
215 real_flags |=
216 PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON;
217 }
218
219 if (flags & TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE) {
220 real_flags |=
221 PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON;
222 }
223
224 // Windows 8
225 return real_flags;
226 }
227
228 uint64 GetPostStartupProcessMitigations(uint64 flags) {
229 base::win::Version version = base::win::GetVersion();
230
231 // Windows XP SP2
cpu_(ooo_6.6-7.5) 2012/09/07 19:22:55 use IsXPSP2OrLater()? or maybe the comment is wron
jschuh 2012/09/07 20:23:14 Done.
232 if (version < base::win::VERSION_VISTA) {
233 return flags & (TargetPolicy::MITIGATION_DEP |
234 TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK);
235
236 // Windows 7 and Vista
237 } else if (version < base::win::VERSION_WIN8) {
238 return flags & (TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
239 TargetPolicy::MITIGATION_DLL_SEARCH_ORDER |
240 TargetPolicy::MITIGATION_HEAP_TERMINATE);
241 }
242
243 // Windows 8 and above.
244 return flags & (TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
245 TargetPolicy::MITIGATION_DLL_SEARCH_ORDER);
246 }
247
248 bool SetProcessMitigationsForSuspendedProcess(HANDLE process, uint64 flags) {
249 // This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
250 #ifndef _WIN64
251 if (flags & TargetPolicy::MITIGATION_BOTTOM_UP_ASLR) {
252 unsigned int limit;
253 rand_s(&limit);
254 char* ptr = 0;
255 const size_t kMask64k = 0xFFFF;
256 // Random range (512k-16.5mb) in 64k steps.
257 const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
258 while (ptr < end) {
259 MEMORY_BASIC_INFORMATION memory_info;
260 if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
261 break;
262 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
263 static_cast<SIZE_T>(end - ptr));
264 if (ptr && memory_info.State == MEM_FREE)
265 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
266 ptr += size;
267 }
268 }
269 #endif
270
271 return true;
272 }
273
274 bool CanSetProcessMitigationsPostStartup(uint64 flags) {
275 // All of these can be set after startup.
276 return !(flags & ~(TargetPolicy::MITIGATION_HEAP_TERMINATE |
277 TargetPolicy::MITIGATION_DEP |
278 TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK |
279 TargetPolicy::MITIGATION_RELOCATE_IMAGE |
280 TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED |
281 TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
282 TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS |
283 TargetPolicy::MITIGATION_WIN32K_DISABLE |
284 TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE));
285 }
286
287 bool CanSetProcessMitigationsPreStartup(uint64 flags) {
288 // These flags must be set after startup.
cpu_(ooo_6.6-7.5) 2012/09/07 19:22:55 comment seems wrong, also the function instead of
289 return !(flags & (TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS |
290 TargetPolicy::MITIGATION_WIN32K_DISABLE |
291 TargetPolicy::MITIGATION_DLL_SEARCH_ORDER));
292 }
293
294 } // namespace sandbox
295
OLDNEW
« sandbox/win/sandbox_win.gypi ('K') | « sandbox/win/src/process_mitigations.h ('k') | sandbox/win/src/process_mitigations_test.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698