Opened 4 years ago

Last modified 13 months ago

#12820 assigned project

Test+Recommend Tor Browser with MS EMET (Enhanced Mitigation Experience Toolkit)

Reported by: mikeperry Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-security, tbb-isec-report, GeorgKoppen201610, TorBrowserTeam201610, ff52-esr
Cc: gk, mcs, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The Enhanced Mitigation Experience Toolkit is a Microsoft tool for further hardening selected applications against exploitation. We should test it with Tor Browser to see if it impacts functionality in any way, and if not, we should consider recommending it somewhere prominently for our Windows users.

https://support.microsoft.com/kb/2458544

Child Tickets

Ticket: #13893 Status: reopened Owner: gk Summary: Torbrowser crashes on start when using MS EMET 5.x Component: Applications/Tor Browser

Change History (28)

comment:1 Changed 4 years ago by gk

Cc: gk added

comment:2 Changed 4 years ago by erinn

Status: new → accepted

comment:3 Changed 4 years ago by mcs

Cc: mcs added

comment:4 Changed 4 years ago by mikeperry

Keywords: tbb-isec-report added; isec-audit removed

comment:5 Changed 4 years ago by cypherpunks

I have been using EMET with Tor Browser (Firefox) for about a year. I haven't experienced any problem.

My current firefox (tor browser) configuration includes latest EMET 5.0 with the new EAF+ feature. The following is from the Popular Software.xml that comes with EMET. This code is applied on top of the default protection rules which is already defined in the xml files. I think to enter specific EAF+ modules, it must be imported from an xml file, because there isn't a place to enter the eaf modules on the GUI, only checkboxes.

  <Vendor Name="Mozilla">
    <Suite Name="FireFox" Arch="x86">
      <App Name="Browser" Path="*\Mozilla Firefox\firefox.exe">
        <Mitigation Name="EAF+" Enabled="true">
          <eaf_modules>mozjs.dll;xul.dll</eaf_modules>
        </Mitigation>
      </App>
      <App Name="Plugin container" Path="*\Mozilla Firefox\plugin-container.exe"/>
    </Suite>
  </Vendor>

Since I'm ok with using wildcards on EMET for most exes, this is the code from my edited xml which supports all firefox instances including (multiple and/or simultaneous) Tor Browsers.

  <Vendor Name="Mozilla">
    <Suite Name="FireFox" Arch="x86">
      <App Name="Browser" Path="*\firefox.exe">
        <Mitigation Name="EAF+" Enabled="true">
          <eaf_modules>mozjs.dll;xul.dll</eaf_modules>
        </Mitigation>
      </App>
      <App Name="Plugin container" Path="*\plugin-container.exe"/>
    </Suite>
  </Vendor>

You could recommend Path="*\Browser\firefox.exe" if your goal is to specify only Tor Browser. Path="*\Tor Browser\Browser\firefox.exe" wouldn't be useful because user could have changed the folder name.

I also have been using and never encountered a problem with *\tor.exe and *\Start Tor Browser.exe and *\obfsproxy.exe. I also added other pl. transports' exes but didn't try them, I guess it would work fine.

Is there anything else (eaf+ and asr modules) that could be added to above rules to further harden System Tor or Bundled Tor or Tor Browser?

Last edited 4 years ago by cypherpunks

comment:6 Changed 4 years ago by cypherpunks

Currently, ROP Simulate Execution Flow (SimExecFlow) does not work with Tor Browser 4.5.1, 4.5, and the last 4.0 release (4.0.8?). The last time it worked was in the 3.5 series if I remember correctly (and possibly one of the first 4.0 releases). Please note I am talking about releases, I have never tested any betas.

Turning SimExecFlow off for *\Tor Browser\Browser\firefox.exe fixes the problem. *\tor.exe and *\Tor Browser\Browser\plugin-container.exe work fine with it enabled. I have not tested *\Start Tor Browser.exe or *\obfsproxy.exe.

I run other versions of Firefox (64-bit nightly, 64-bit beta, 32-bit release, 32-bit release with DRM removed, portable firefox) and these work fine with SimExecFlow on. I have not tested any ESR, however.

I have also not tested running Tor Browser in safe mode.

All other mitigations work fine (be sure to add "mozjs.dll;xul.dll" without quotes to the EAF+ mitigation).

comment:7 in reply to: 6 Changed 4 years ago by gk

Replying to cypherpunks:

Currently, ROP Simulate Execution Flow (SimExecFlow) does not work with Tor Browser 4.5.1, 4.5, and the last 4.0 release (4.0.8?). The last time it worked was in the 3.5 series if I remember correctly (and possibly one of the first 4.0 releases). Please note I am talking about releases, I have never tested any betas.

Yes, this is #13893. Would you be willing to help us tracking down this problem? That would be really great. If so, the first question would be what is the first version that breaks? Older versions are at https://archive.torproject.org/tor-package-archive/torbrowser/. It seems we know that 4.0.1 and later are affected.

comment:8 Changed 3 years ago by bugzilla

Component: Tor bundles/installation → Tor Browser
Severity: Major
Summary: Test+Recommend Tor Browser with Enhanced Mitigation Experience Toolkit → Test+Recommend Tor Browser with MS EMET (Enhanced Mitigation Experience Toolkit)

comment:9 Changed 3 years ago by cypherpunks

I use

<EMET Version="5.5.5871.31890">
  <EMET_Apps>
    <AppConfig Path="*\Browser" Executable="firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="true">
        <eaf_modules>mozjs.dll;xul.dll</eaf_modules>
      </Mitigation>
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\Browser" Executable="plugin-container.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\Tor" Executable="tor.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="false" />
    </AppConfig>
  </EMET_Apps>
</EMET>

and this doesn't work for firefox :(, but works for Tor.

I'm also worried about the fact that MS EMET is proprietary software (though its .Net part is quite analyzable).

comment:10 Changed 3 years ago by gk

Keywords: TorBrowserTeam201606 GeorgKoppen201606 added

comment:11 Changed 3 years ago by gk

Sponsor: SponsorU

comment:12 Changed 3 years ago by gk

Owner: changed from erinn to gk
Status: accepted → assigned

comment:13 Changed 2 years ago by gk

Keywords: GeorgKoppen201607 added; GeorgKoppen201606 removed

Moving my tickets

comment:14 Changed 2 years ago by gk

Keywords: TorBrowserTeam201607 added; TorBrowserTeam201606 removed

comment:15 Changed 2 years ago by gk

Keywords: TorBrowserTeam201608 added; TorBrowserTeam201607 removed

Moving items to August 2016.

comment:16 Changed 2 years ago by gk

Keywords: GeorgKoppen201608 added; GeorgKoppen201607 removed

Moving my tickets as well.

comment:17 Changed 2 years ago by gk

Keywords: GeorgKoppen201609 added; GeorgKoppen201608 removed

Moving my tickets

comment:18 Changed 2 years ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:19 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:20 Changed 2 years ago by gk

Keywords: GeorgKoppen201610 added; GeorgKoppen201609 removed

Moving my tickets

comment:21 Changed 2 years ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving SponsorU items to October.

comment:22 Changed 2 years ago by gk

Keywords: ff52-esr added
Sponsor: SponsorU

comment:23 Changed 2 years ago by bugzilla

As you see, configurations of EMET in

All other mitigations work fine (be sure to add "mozjs.dll;xul.dll" without quotes to the EAF+ mitigation).

and comment:9 are different. So you need a proper one to

Test+Recommend

But it's not ready until ticket:18935#comment:24 gets fixed.

comment:24 in reply to: 23 Changed 20 months ago by bugzilla

But it's not ready until ticket:18935#comment:24 gets fixed.

M$ fixed its bug in EMET 5.52.

comment:25 Changed 20 months ago by cypherpunks

I have been using EMET with Tor Browser for years and my main problem is that sometimes it crashes with the "Caller" mitigation, the moment the window opens where you choose the location for saving files. It usually happens when there are many tabs open, but I'm not sure if that's related to the crash. I also use MBAE

Last edited 20 months ago by cypherpunks

comment:26 in reply to: 25 Changed 20 months ago by cypherpunks

Replying to cypherpunks:

I have been using EMET with Tor Browser for years and my main problem is that sometimes it crashes with the "Caller" mitigation, the moment the window opens where you choose the location for saving files. It usually happens when there are many tabs open, but I'm not sure if that's related to the crash. I also use MBAE

What OS version? What Tor Browser version (actually, 7.0a3 is relevant now, and EMET 5.52, of course)? No other security software when testing, please (because of interference).

Last edited 20 months ago by cypherpunks

comment:27 Changed 20 months ago by cypherpunks

Windows 7 SP1 x64 and many Tor Browser versions over the years, it has been happening for a long time, I don't even know if Firefox would be different as I don't use it. I can try disabling MBAE protections for a while but I doubt it would make a difference
