OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/win/src/process_mitigations.h" | |
6 | |
7 #include <stddef.h> | |
8 | |
9 #include <algorithm> | |
10 | |
11 #include "base/win/windows_version.h" | |
12 #include "sandbox/win/src/nt_internals.h" | |
13 #include "sandbox/win/src/restricted_token_utils.h" | |
14 #include "sandbox/win/src/sandbox_rand.h" | |
15 #include "sandbox/win/src/win_utils.h" | |
16 | |
17 namespace { | |
18 | |
19 // Functions for enabling policies. | |
20 typedef BOOL (WINAPI *SetProcessDEPPolicyFunction)(DWORD dwFlags); | |
21 | |
22 typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)( | |
23 PROCESS_MITIGATION_POLICY mitigation_policy, | |
24 PVOID buffer, | |
25 SIZE_T length); | |
26 | |
27 typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)( | |
28 DWORD DirectoryFlags); | |
29 | |
30 } // namespace | |
31 | |
32 namespace sandbox { | |
33 | |
34 bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) { | |
35 if (!CanSetProcessMitigationsPostStartup(flags)) | |
36 return false; | |
37 | |
38 base::win::Version version = base::win::GetVersion(); | |
39 HMODULE module = ::GetModuleHandleA("kernel32.dll"); | |
40 | |
41 if (flags & MITIGATION_DLL_SEARCH_ORDER) { | |
42 SetDefaultDllDirectoriesFunction set_default_dll_directories = | |
43 reinterpret_cast<SetDefaultDllDirectoriesFunction>( | |
44 ::GetProcAddress(module, "SetDefaultDllDirectories")); | |
45 | |
46 // Check for SetDefaultDllDirectories since it requires KB2533623. | |
47 if (set_default_dll_directories) { | |
48 if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) && | |
49 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
50 return false; | |
51 } | |
52 } | |
53 } | |
54 | |
55 // Set the heap to terminate on corruption | |
56 if (flags & MITIGATION_HEAP_TERMINATE) { | |
57 if (!::HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, | |
58 NULL, 0) && | |
59 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
60 return false; | |
61 } | |
62 } | |
63 | |
64 if (flags & MITIGATION_HARDEN_TOKEN_IL_POLICY) { | |
65 DWORD error = HardenProcessIntegrityLevelPolicy(); | |
66 if ((error != ERROR_SUCCESS) && (error != ERROR_ACCESS_DENIED)) | |
67 return false; | |
68 } | |
69 | |
70 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | |
71 if (flags & MITIGATION_DEP) { | |
72 DWORD dep_flags = PROCESS_DEP_ENABLE; | |
73 | |
74 if (flags & MITIGATION_DEP_NO_ATL_THUNK) | |
75 dep_flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION; | |
76 | |
77 SetProcessDEPPolicyFunction set_process_dep_policy = | |
78 reinterpret_cast<SetProcessDEPPolicyFunction>( | |
79 ::GetProcAddress(module, "SetProcessDEPPolicy")); | |
80 if (set_process_dep_policy) { | |
81 if (!set_process_dep_policy(dep_flags) && | |
82 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
83 return false; | |
84 } | |
85 } else | |
86 return false; | |
87 } | |
88 #endif | |
89 | |
90 // This is all we can do in Win7 and below. | |
91 if (version < base::win::VERSION_WIN8) | |
92 return true; | |
93 | |
94 SetProcessMitigationPolicyFunction set_process_mitigation_policy = | |
95 reinterpret_cast<SetProcessMitigationPolicyFunction>( | |
96 ::GetProcAddress(module, "SetProcessMitigationPolicy")); | |
97 if (!set_process_mitigation_policy) | |
98 return false; | |
99 | |
100 // Enable ASLR policies. | |
101 if (flags & MITIGATION_RELOCATE_IMAGE) { | |
102 PROCESS_MITIGATION_ASLR_POLICY policy = {}; | |
103 policy.EnableForceRelocateImages = true; | |
104 policy.DisallowStrippedImages = (flags & | |
105 MITIGATION_RELOCATE_IMAGE_REQUIRED) == | |
106 MITIGATION_RELOCATE_IMAGE_REQUIRED; | |
107 | |
108 if (!set_process_mitigation_policy(ProcessASLRPolicy, &policy, | |
109 sizeof(policy)) && | |
110 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
111 return false; | |
112 } | |
113 } | |
114 | |
115 // Enable strict handle policies. | |
116 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { | |
117 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {}; | |
118 policy.HandleExceptionsPermanentlyEnabled = | |
119 policy.RaiseExceptionOnInvalidHandleReference = true; | |
120 | |
121 if (!set_process_mitigation_policy(ProcessStrictHandleCheckPolicy, &policy, | |
122 sizeof(policy)) && | |
123 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
124 return false; | |
125 } | |
126 } | |
127 | |
128 // Enable system call policies. | |
129 if (flags & MITIGATION_WIN32K_DISABLE) { | |
130 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; | |
131 policy.DisallowWin32kSystemCalls = true; | |
132 | |
133 if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy, | |
134 sizeof(policy)) && | |
135 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
136 return false; | |
137 } | |
138 } | |
139 | |
140 // Enable dll extension policies. | |
141 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { | |
142 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | |
143 policy.DisableExtensionPoints = true; | |
144 | |
145 if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, | |
146 &policy, sizeof(policy)) && | |
147 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
148 return false; | |
149 } | |
150 } | |
151 | |
152 if (version < base::win::VERSION_WIN10) | |
153 return true; | |
154 | |
155 // Enable font policies. | |
156 if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { | |
157 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
158 policy.DisableNonSystemFonts = true; | |
159 | |
160 if (!set_process_mitigation_policy(ProcessFontDisablePolicy, &policy, | |
161 sizeof(policy)) && | |
162 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
163 return false; | |
164 } | |
165 } | |
166 | |
167 if (version < base::win::VERSION_WIN10_TH2) | |
168 return true; | |
169 | |
170 // Enable image load policies. | |
171 if (flags & MITIGATION_IMAGE_LOAD_NO_REMOTE || | |
172 flags & MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) { | |
173 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
174 if (flags & MITIGATION_IMAGE_LOAD_NO_REMOTE) | |
175 policy.NoRemoteImages = true; | |
176 if (flags & MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
177 policy.NoLowMandatoryLabelImages = true; | |
178 | |
179 if (!set_process_mitigation_policy(ProcessImageLoadPolicy, &policy, | |
180 sizeof(policy)) && | |
181 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
182 return false; | |
183 } | |
184 } | |
185 | |
186 return true; | |
187 } | |
188 | |
189 void ConvertProcessMitigationsToPolicy(MitigationFlags flags, | |
190 DWORD64* policy_flags, | |
191 size_t* size) { | |
192 base::win::Version version = base::win::GetVersion(); | |
193 | |
194 *policy_flags = 0; | |
195 #if defined(_WIN64) | |
196 *size = sizeof(*policy_flags); | |
197 #elif defined(_M_IX86) | |
198 // A 64-bit flags attribute is illegal on 32-bit Win 7 and below. | |
199 if (version < base::win::VERSION_WIN8) | |
200 *size = sizeof(DWORD); | |
201 else | |
202 *size = sizeof(*policy_flags); | |
203 #else | |
204 #error This platform is not supported. | |
205 #endif | |
206 | |
207 // DEP and SEHOP are not valid for 64-bit Windows | |
208 #if !defined(_WIN64) | |
209 if (flags & MITIGATION_DEP) { | |
210 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE; | |
211 if (!(flags & MITIGATION_DEP_NO_ATL_THUNK)) | |
212 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE; | |
213 } | |
214 | |
215 if (flags & MITIGATION_SEHOP) | |
216 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE; | |
217 #endif | |
218 | |
219 // Win 7 | |
220 if (version < base::win::VERSION_WIN8) | |
221 return; | |
222 | |
223 if (flags & MITIGATION_RELOCATE_IMAGE) { | |
224 *policy_flags |= | |
225 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON; | |
226 if (flags & MITIGATION_RELOCATE_IMAGE_REQUIRED) { | |
227 *policy_flags |= | |
228 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ
_RELOCS; | |
229 } | |
230 } | |
231 | |
232 if (flags & MITIGATION_HEAP_TERMINATE) { | |
233 *policy_flags |= | |
234 PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON; | |
235 } | |
236 | |
237 if (flags & MITIGATION_BOTTOM_UP_ASLR) { | |
238 *policy_flags |= | |
239 PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON; | |
240 } | |
241 | |
242 if (flags & MITIGATION_HIGH_ENTROPY_ASLR) { | |
243 *policy_flags |= | |
244 PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON; | |
245 } | |
246 | |
247 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { | |
248 *policy_flags |= | |
249 PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON; | |
250 } | |
251 | |
252 if (flags & MITIGATION_WIN32K_DISABLE) { | |
253 *policy_flags |= | |
254 PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON; | |
255 } | |
256 | |
257 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { | |
258 *policy_flags |= | |
259 PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON; | |
260 } | |
261 | |
262 if (version < base::win::VERSION_WIN10) | |
263 return; | |
264 | |
265 if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { | |
266 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON; | |
267 } | |
268 | |
269 if (version < base::win::VERSION_WIN10_TH2) | |
270 return; | |
271 | |
272 if (flags & MITIGATION_IMAGE_LOAD_NO_REMOTE) { | |
273 *policy_flags |= | |
274 PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON; | |
275 } | |
276 | |
277 if (flags & MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) { | |
278 *policy_flags |= | |
279 PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON; | |
280 } | |
281 } | |
282 | |
283 MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) { | |
284 base::win::Version version = base::win::GetVersion(); | |
285 | |
286 // Windows 7. | |
287 if (version < base::win::VERSION_WIN8) { | |
288 return flags & (MITIGATION_BOTTOM_UP_ASLR | | |
289 MITIGATION_DLL_SEARCH_ORDER | | |
290 MITIGATION_HEAP_TERMINATE); | |
291 } | |
292 | |
293 // Windows 8 and above. | |
294 return flags & (MITIGATION_BOTTOM_UP_ASLR | | |
295 MITIGATION_DLL_SEARCH_ORDER); | |
296 } | |
297 | |
298 bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process, | |
299 MitigationFlags flags) { | |
300 // This is a hack to fake a weak bottom-up ASLR on 32-bit Windows. | |
301 #if !defined(_WIN64) | |
302 if (flags & MITIGATION_BOTTOM_UP_ASLR) { | |
303 unsigned int limit; | |
304 GetRandom(&limit); | |
305 char* ptr = 0; | |
306 const size_t kMask64k = 0xFFFF; | |
307 // Random range (512k-16.5mb) in 64k steps. | |
308 const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k); | |
309 while (ptr < end) { | |
310 MEMORY_BASIC_INFORMATION memory_info; | |
311 if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info))) | |
312 break; | |
313 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, | |
314 static_cast<SIZE_T>(end - ptr)); | |
315 if (ptr && memory_info.State == MEM_FREE) | |
316 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); | |
317 ptr += size; | |
318 } | |
319 } | |
320 #endif | |
321 | |
322 return true; | |
323 } | |
324 | |
325 bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) { | |
326 // All of these mitigations can be enabled after startup. | |
327 return !( | |
328 flags & | |
329 ~(MITIGATION_HEAP_TERMINATE | | |
330 MITIGATION_DEP | | |
331 MITIGATION_DEP_NO_ATL_THUNK | | |
332 MITIGATION_RELOCATE_IMAGE | | |
333 MITIGATION_RELOCATE_IMAGE_REQUIRED | | |
334 MITIGATION_BOTTOM_UP_ASLR | | |
335 MITIGATION_STRICT_HANDLE_CHECKS | | |
336 MITIGATION_EXTENSION_DLL_DISABLE | | |
337 MITIGATION_DLL_SEARCH_ORDER | | |
338 MITIGATION_HARDEN_TOKEN_IL_POLICY | | |
339 MITIGATION_WIN32K_DISABLE | | |
340 MITIGATION_NONSYSTEM_FONT_DISABLE | | |
341 MITIGATION_IMAGE_LOAD_NO_REMOTE | | |
342 MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)); | |
343 } | |
344 | |
345 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { | |
346 // These mitigations cannot be enabled prior to startup. | |
347 return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS | | |
348 MITIGATION_DLL_SEARCH_ORDER)); | |
349 } | |
350 | |
351 } // namespace sandbox | |
352 | |
OLD | NEW |