MJ0011 is a security researcher and the general manager of the Department of Core Security at Qihoo360. He leads the vulnerability research team 360Vulcan, which has been credited with hundreds of CVEs from Microsoft, Apple and Adobe and won multiple targets at Pwn2Own 2015 and 2016.

Yuki Chen is a security research fellow at Qihoo360 and a core member of the 360Vulcan Team. Together with the 360Vulcan Team, he succeeded in breaking multiple targets, such as IE, Chrome and Flash, in the Pwn2Own 2015 and 2016 competitions. Yuki has over 7 years of experience in the field of information security and now leads a vulnerability research team at Qihoo360. His specialty is vulnerability discovery, analysis and exploitation. He has found more than 100 high-risk security vulnerabilities in mainstream browsers, Adobe Flash, PDF readers, Java and other applications, and has spoken at Syscan, Syscan360, 44Con, XCon, BlackHat EU, HITCON and other security conferences.

[Abstract]
==========
With the aim of "building a safer browser", Microsoft keeps adding security improvements to its Edge browser. As one of the most important exploit mitigation techniques in Edge, the sandbox also keeps evolving.
Last year we discussed the security features of Microsoft Edge as well as a critical bug inside the Edge sandbox that allowed an escape from its "safer" sandbox. Over the past year, Microsoft has done more work on hardening the sandbox, and our escape research has continued to follow it.
In the Windows 10 Anniversary Update (RS1), we have seen many new security features added to the Edge sandbox, such as disabling child process creation, plugin isolation, the win32k filter and so on.
In this presentation, we will first go through the important sandbox improvements added in Windows 10 RS1. We will explain the mechanism of each new security feature in the Edge sandbox by analyzing how it is implemented, and discuss how those features make the sandbox stronger. We will then go through the attack surfaces of the Edge sandbox, focusing mainly on OS kernel APIs and sandbox/system RPC calls.
For each attack surface, we will introduce some real bugs (including the kernel bugs we used in this year's Pwn2Own contest) and show how we exploited those bugs to escape from the sandbox.
We will also introduce the fuzzing tool we used to find RPC bugs in Edge and some interesting bugs that we found with that tool.