OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/win/src/process_mitigations.h" |
| 6 |
| 7 #include "base/win/windows_version.h" |
| 8 #include "sandbox/win/src/nt_internals.h" |
| 9 #include "sandbox/win/src/sandbox_utils.h" |
| 10 #include "sandbox/win/src/win_utils.h" |
| 11 |
| 12 namespace { |
| 13 |
| 14 // Functions for enabling policies. |
| 15 typedef BOOL (WINAPI *SetProcessDEPPolicyFunction)(DWORD dwFlags); |
| 16 |
| 17 typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)( |
| 18 PROCESS_MITIGATION_POLICY mitigation_policy, |
| 19 PVOID buffer, |
| 20 SIZE_T length); |
| 21 |
| 22 typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)( |
| 23 DWORD DirectoryFlags); |
| 24 |
| 25 } // namespace |
| 26 |
| 27 namespace sandbox { |
| 28 |
| 29 bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) { |
| 30 if (!CanSetProcessMitigationsPostStartup(flags)) |
| 31 return false; |
| 32 |
| 33 // We can't apply anything before Win XP, so just return cleanly. |
| 34 if (!IsXPSP2OrLater()) |
| 35 return true; |
| 36 |
| 37 HMODULE module = ::GetModuleHandleA("kernel32.dll"); |
| 38 |
| 39 if (flags & MITIGATION_DLL_SEARCH_ORDER) { |
| 40 SetDefaultDllDirectoriesFunction set_default_dll_directories = |
| 41 reinterpret_cast<SetDefaultDllDirectoriesFunction>( |
| 42 ::GetProcAddress(module, "SetDefaultDllDirectories")); |
| 43 |
| 44 // Check for SetDefaultDllDirectories since it requires KB2533623. |
| 45 if (set_default_dll_directories) { |
| 46 if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)) |
| 47 return false; |
| 48 } |
| 49 } |
| 50 |
| 51 // Set the heap to terminate on corruption |
| 52 if (flags & MITIGATION_HEAP_TERMINATE) { |
| 53 if (!::HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, |
| 54 NULL, 0)) |
| 55 return false; |
| 56 } |
| 57 |
| 58 #if !defined(_WIN64) // DEP is always enabled on 64-bit. |
| 59 if (flags & MITIGATION_DEP) { |
| 60 DWORD dep_flags = PROCESS_DEP_ENABLE; |
| 61 |
| 62 if (flags & MITIGATION_DEP_NO_ATL_THUNK) |
| 63 dep_flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION; |
| 64 |
| 65 SetProcessDEPPolicyFunction set_process_dep_policy = |
| 66 reinterpret_cast<SetProcessDEPPolicyFunction>( |
| 67 ::GetProcAddress(module, "SetProcessDEPPolicy")); |
| 68 if (set_process_dep_policy) { |
| 69 if (!set_process_dep_policy(dep_flags) && |
| 70 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 71 return false; |
| 72 } |
| 73 } else { |
| 74 // We're on XP sp2, so use the less standard approach. |
| 75 // For reference: http://www.uninformed.org/?v=2&a=4 |
| 76 const int MEM_EXECUTE_OPTION_ENABLE = 1; |
| 77 const int MEM_EXECUTE_OPTION_DISABLE = 2; |
| 78 const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4; |
| 79 const int MEM_EXECUTE_OPTION_PERMANENT = 8; |
| 80 |
| 81 NtSetInformationProcessFunction set_information_process = NULL; |
| 82 ResolveNTFunctionPtr("NtSetInformationProcess", |
| 83 &set_information_process); |
| 84 if (!set_information_process) |
| 85 return false; |
| 86 ULONG dep = MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT; |
| 87 if (!(dep_flags & PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION)) |
| 88 dep |= MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION; |
| 89 if (!SUCCEEDED(set_information_process(GetCurrentProcess(), |
| 90 ProcessExecuteFlags, |
| 91 &dep, sizeof(dep))) && |
| 92 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 93 return false; |
| 94 } |
| 95 } |
| 96 } |
| 97 #endif |
| 98 |
| 99 // This is all we can do in Win7 and below. |
| 100 base::win::Version version = base::win::GetVersion(); |
| 101 if (version < base::win::VERSION_WIN8) |
| 102 return true; |
| 103 |
| 104 SetProcessMitigationPolicyFunction set_process_mitigation_policy = |
| 105 reinterpret_cast<SetProcessMitigationPolicyFunction>( |
| 106 ::GetProcAddress(module, "SetProcessMitigationPolicy")); |
| 107 if (!set_process_mitigation_policy) |
| 108 return false; |
| 109 |
| 110 // Enable ASLR policies. |
| 111 if (flags & MITIGATION_RELOCATE_IMAGE) { |
| 112 PROCESS_MITIGATION_ASLR_POLICY policy = { 0 }; |
| 113 policy.EnableForceRelocateImages = true; |
| 114 policy.DisallowStrippedImages = (flags & |
| 115 MITIGATION_RELOCATE_IMAGE_REQUIRED) == |
| 116 MITIGATION_RELOCATE_IMAGE_REQUIRED; |
| 117 |
| 118 if (!set_process_mitigation_policy(ProcessASLRPolicy, &policy, |
| 119 sizeof(policy)) && |
| 120 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 121 return false; |
| 122 } |
| 123 } |
| 124 |
| 125 // Enable strict handle policies. |
| 126 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { |
| 127 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = { 0 }; |
| 128 policy.HandleExceptionsPermanentlyEnabled = |
| 129 policy.RaiseExceptionOnInvalidHandleReference = true; |
| 130 |
| 131 if (!set_process_mitigation_policy(ProcessStrictHandleCheckPolicy, &policy, |
| 132 sizeof(policy)) && |
| 133 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 134 return false; |
| 135 } |
| 136 } |
| 137 |
| 138 // Enable system call policies. |
| 139 if (flags & MITIGATION_WIN32K_DISABLE) { |
| 140 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = { 0 }; |
| 141 policy.DisallowWin32kSystemCalls = true; |
| 142 |
| 143 if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy, |
| 144 sizeof(policy)) && |
| 145 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 146 return false; |
| 147 } |
| 148 } |
| 149 |
| 150 // Enable system call policies. |
| 151 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { |
| 152 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = { 0 }; |
| 153 policy.DisableExtensionPoints = true; |
| 154 |
| 155 if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, |
| 156 &policy, sizeof(policy)) && |
| 157 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 158 return false; |
| 159 } |
| 160 } |
| 161 |
| 162 return true; |
| 163 } |
| 164 |
| 165 void ConvertProcessMitigationsToPolicy(MitigationFlags flags, |
| 166 DWORD64* policy_flags, size_t* size) { |
| 167 base::win::Version version = base::win::GetVersion(); |
| 168 |
| 169 *policy_flags = 0; |
| 170 #if defined(_WIN64) |
| 171 *size = sizeof(*policy_flags); |
| 172 #elif defined(_M_IX86) |
| 173 // A 64-bit flags attribute is illegal on 32-bit Win 7 and below. |
| 174 if (version < base::win::VERSION_WIN8) |
| 175 *size = sizeof(DWORD); |
| 176 else |
| 177 *size = sizeof(*policy_flags); |
| 178 #else |
| 179 #error This platform is not supported. |
| 180 #endif |
| 181 |
| 182 // Nothing for Win XP or Vista. |
| 183 if (version <= base::win::VERSION_VISTA) |
| 184 return; |
| 185 |
| 186 if (flags & MITIGATION_DEP) { |
| 187 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE; |
| 188 if (!(flags & MITIGATION_DEP_NO_ATL_THUNK)) |
| 189 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE; |
| 190 } |
| 191 |
| 192 if (flags & MITIGATION_SEHOP) |
| 193 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE; |
| 194 |
| 195 // Win 7 |
| 196 if (version < base::win::VERSION_WIN8) |
| 197 return; |
| 198 |
| 199 if (flags & MITIGATION_RELOCATE_IMAGE) { |
| 200 *policy_flags |= |
| 201 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON; |
| 202 if (flags & MITIGATION_RELOCATE_IMAGE_REQUIRED) { |
| 203 *policy_flags |= |
| 204 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ
_RELOCS; |
| 205 } |
| 206 } |
| 207 |
| 208 if (flags & MITIGATION_HEAP_TERMINATE) { |
| 209 *policy_flags |= |
| 210 PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON; |
| 211 } |
| 212 |
| 213 if (flags & MITIGATION_BOTTOM_UP_ASLR) { |
| 214 *policy_flags |= |
| 215 PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON; |
| 216 } |
| 217 |
| 218 if (flags & MITIGATION_HIGH_ENTROPY_ASLR) { |
| 219 *policy_flags |= |
| 220 PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON; |
| 221 } |
| 222 |
| 223 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { |
| 224 *policy_flags |= |
| 225 PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON; |
| 226 } |
| 227 |
| 228 if (flags & MITIGATION_WIN32K_DISABLE) { |
| 229 *policy_flags |= |
| 230 PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON; |
| 231 } |
| 232 |
| 233 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { |
| 234 *policy_flags |= |
| 235 PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON; |
| 236 } |
| 237 } |
| 238 |
| 239 MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) { |
| 240 // Anything prior to XP SP2. |
| 241 if (!IsXPSP2OrLater()) |
| 242 return 0; |
| 243 |
| 244 base::win::Version version = base::win::GetVersion(); |
| 245 |
| 246 // Windows XP SP2+. |
| 247 if (version < base::win::VERSION_VISTA) { |
| 248 return flags & (MITIGATION_DEP | |
| 249 MITIGATION_DEP_NO_ATL_THUNK); |
| 250 |
| 251 // Windows Vista |
| 252 if (version < base::win::VERSION_WIN7) { |
| 253 return flags & (MITIGATION_DEP | |
| 254 MITIGATION_DEP_NO_ATL_THUNK | |
| 255 MITIGATION_BOTTOM_UP_ASLR | |
| 256 MITIGATION_DLL_SEARCH_ORDER | |
| 257 MITIGATION_HEAP_TERMINATE); |
| 258 } |
| 259 |
| 260 // Windows 7 and Vista. |
| 261 } else if (version < base::win::VERSION_WIN8) { |
| 262 return flags & (MITIGATION_BOTTOM_UP_ASLR | |
| 263 MITIGATION_DLL_SEARCH_ORDER | |
| 264 MITIGATION_HEAP_TERMINATE); |
| 265 } |
| 266 |
| 267 // Windows 8 and above. |
| 268 return flags & (MITIGATION_BOTTOM_UP_ASLR | |
| 269 MITIGATION_DLL_SEARCH_ORDER); |
| 270 } |
| 271 |
| 272 bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process, |
| 273 MitigationFlags flags) { |
| 274 // This is a hack to fake a weak bottom-up ASLR on 32-bit Windows. |
| 275 #if !defined(_WIN64) |
| 276 if (flags & MITIGATION_BOTTOM_UP_ASLR) { |
| 277 unsigned int limit; |
| 278 rand_s(&limit); |
| 279 char* ptr = 0; |
| 280 const size_t kMask64k = 0xFFFF; |
| 281 // Random range (512k-16.5mb) in 64k steps. |
| 282 const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k); |
| 283 while (ptr < end) { |
| 284 MEMORY_BASIC_INFORMATION memory_info; |
| 285 if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info))) |
| 286 break; |
| 287 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, |
| 288 static_cast<SIZE_T>(end - ptr)); |
| 289 if (ptr && memory_info.State == MEM_FREE) |
| 290 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); |
| 291 ptr += size; |
| 292 } |
| 293 } |
| 294 #endif |
| 295 |
| 296 return true; |
| 297 } |
| 298 |
| 299 bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) { |
| 300 // All of these mitigations can be enabled after startup. |
| 301 return !(flags & ~(MITIGATION_HEAP_TERMINATE | |
| 302 MITIGATION_DEP | |
| 303 MITIGATION_DEP_NO_ATL_THUNK | |
| 304 MITIGATION_RELOCATE_IMAGE | |
| 305 MITIGATION_RELOCATE_IMAGE_REQUIRED | |
| 306 MITIGATION_BOTTOM_UP_ASLR | |
| 307 MITIGATION_STRICT_HANDLE_CHECKS | |
| 308 MITIGATION_WIN32K_DISABLE | |
| 309 MITIGATION_EXTENSION_DLL_DISABLE | |
| 310 MITIGATION_DLL_SEARCH_ORDER)); |
| 311 } |
| 312 |
| 313 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { |
| 314 // These mitigations cannot be enabled prior to startup. |
| 315 return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS | |
| 316 MITIGATION_WIN32K_DISABLE | |
| 317 MITIGATION_DLL_SEARCH_ORDER)); |
| 318 } |
| 319 |
| 320 } // namespace sandbox |
| 321 |
OLD | NEW |