Mark Vincent Yason (Security Researcher, IBM X-Force)
PRESENTATION TITLE: Diving Into IE 10's Enhanced Protected Mode Sandbox
PRESENTATION ABSTRACT:
With the release of Internet Explorer 10 in Windows 8, an improved version of IE’s Protected Mode sandbox, called Enhanced Protected Mode (EPM), was introduced. With the use of the new AppContainer process isolation mechanism introduced in Windows 8, EPM aims to further limit the impact of a successful IE compromise by limiting both read and write access and limiting the capabilities of the sandboxed IE process.
As with other new security features integrated into widely deployed software, it is prudent to look at how EPM works internally and to evaluate its effectiveness. This presentation aims to provide both by delving deep into the internals and assessing the security of IE 10's Enhanced Protected Mode sandbox.
The first part of this presentation will focus on the inner workings of the EPM sandbox where topics such as the sandbox restrictions in place, the inter-process communication mechanism in use, the services exposed by the higher-privileged broker process, and more are discussed. The second part of this presentation will cover the security aspect of the EPM sandbox where its limitations are assessed and potential avenues for sandbox escape are discussed.
Finally, at the end of the presentation, an EPM sandbox escape exploit will be demonstrated. The details of the underlying vulnerability, including the thought process that went into discovering it, will also be discussed.
ABOUT MARK VINCENT YASON
Mark Vincent Yason is a security researcher on IBM’s X-Force Advanced Research team. Mark’s current focus area is vulnerability and exploit research – he analyzes known vulnerabilities, discovers new vulnerabilities, studies exploitation techniques, and creates detection guidance/algorithms which are used in the development of IDS/IPS signatures. He also previously worked on malware research which naturally involved some degree of software protection research. He authored the paper “The Art of Unpacking” and co-authored the papers “Reversing C++”, “Playing In The Reader X Sandbox” and “Digging Deep Into The Flash Sandboxes”.