
Chromium and EMET


After Chromium revision 254340, Visual Studio 2013 is the only supported build chain for Chromium on Windows. Unfortunately, we have observed compatibility problems with Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Chromium compiled on Windows using Visual Studio 2013.


EMET is a security tool provided by Microsoft to improve exploit-resistance of software running on Windows. Enterprises and users can deploy EMET on systems and configure which applications are protected by it. EMET then injects code into the selected processes that adds protection against common exploit techniques, typically causing the process to terminate if behavior is detected that appears to indicate an attack.


In particular, Google Chrome 35 is built for Windows using VS 2013 and is not compatible with EMET.


Compatibility issue


Some applications cannot run with EMET protections because they have internal behavior that, to EMET, resembles an exploit in progress. This does not mean the applications are dangerous or are doing anything harmful to the user. In this case EMET causes the application to unexpectedly terminate even though no actual attack conditions are present.


The specific issue we have encountered with Chromium compiled using VS 2013 relates to tail-call optimizations in wrapper functions for Windows APIs. By using jmp rather than call to enter the Windows API from the wrapper, the Visual Studio compiler avoids an additional call/ret pair, and the API returns directly into the wrapper function’s caller rather than into the wrapper function itself. However, EMET protects various ‘critical’ Windows APIs against an exploit technique known as Return-Oriented Programming (ROP), and one of these protections is incompatible with tail-call optimization. EMET’s caller check verifies that the return address from the API call is immediately preceded by a call to that API, since in ROP exploits this will typically not be the case but in normal function calls it will. With a tail-call-optimized wrapper the instruction preceding the return address is the caller’s call to the wrapper, not a call to the API, so EMET’s assumption is violated and exploit detection produces a false positive.
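To make the false positive concrete, here is an added example that is not Chromium or EMET code. It builds a small constructed x86-32 image containing a protected API, an import slot, an ordinary wrapper (call [slot]; ret), a tail-call-optimized wrapper (jmp [slot]) and two callers, traces control flow to the API to find the return address the API will see, and then applies the caller check as the page states it: is the return address immediately preceded by a call whose target is the API? The addresses, the instruction encodings decoded (E8 rel32 and FF 15 [abs32]) and the assumption that EMET compares the call target are all ours; real EMET handles more encodings than this model.

```c
/* Toy model of the EMET "caller" check described above. Added illustration,
 * not Chromium or EMET code: the x86-32 image, the addresses and the two call
 * encodings handled are all constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_BASE 0x1000u
#define IMG_SIZE 0x4000u

typedef struct { uint8_t bytes[IMG_SIZE]; } Image;

/* Constructed layout of the simulated program. */
enum {
    API_ADDR  = 0x1000, /* the protected Windows API (stands in for e.g. VirtualProtect) */
    IAT_SLOT  = 0x1800, /* import slot holding API_ADDR, as a PE's IAT would */
    WRAP_CALL = 0x2000, /* ordinary wrapper: call [IAT_SLOT]; ret */
    WRAP_JMP  = 0x3000, /* tail-call-optimized wrapper: jmp [IAT_SLOT] */
    CALLER_A  = 0x4000, /* call WRAP_CALL; ... */
    CALLER_B  = 0x4100  /* call WRAP_JMP;  ... */
};

static uint8_t *at(Image *img, uint32_t addr) { return img->bytes + (addr - IMG_BASE); }

static void put_u32(Image *img, uint32_t addr, uint32_t v) {
    uint8_t *p = at(img, addr);
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

static uint32_t get_u32(const Image *img, uint32_t addr) {
    const uint8_t *p = img->bytes + (addr - IMG_BASE);
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* E8 rel32: rel32 is relative to the end of the 5-byte instruction. */
static void emit_call_rel(Image *img, uint32_t addr, uint32_t target) {
    *at(img, addr) = 0xE8;
    put_u32(img, addr + 1, target - (addr + 5));
}

/* FF 15 [abs32] = call dword ptr [slot]; FF 25 [abs32] = jmp dword ptr [slot]. */
static void emit_indirect(Image *img, uint32_t addr, uint8_t modrm, uint32_t slot) {
    at(img, addr)[0] = 0xFF;
    at(img, addr)[1] = modrm;
    put_u32(img, addr + 2, slot);
}

void build_image(Image *img) {
    memset(img->bytes, 0xCC, IMG_SIZE);              /* int3 filler */
    at(img, API_ADDR)[0] = 0xC3;                     /* API body is just "ret" here */
    put_u32(img, IAT_SLOT, API_ADDR);
    emit_indirect(img, WRAP_CALL, 0x15, IAT_SLOT);   /* call [IAT_SLOT] */
    at(img, WRAP_CALL + 6)[0] = 0xC3;                /* ret */
    emit_indirect(img, WRAP_JMP, 0x25, IAT_SLOT);    /* jmp  [IAT_SLOT] (tail call) */
    emit_call_rel(img, CALLER_A, WRAP_CALL);
    emit_call_rel(img, CALLER_B, WRAP_JMP);
}

/* Follow call/jmp from start until control reaches API_ADDR; return the
 * address on top of the simulated stack, i.e. where the API will "ret" to. */
uint32_t return_address_at_api(const Image *img, uint32_t start) {
    uint32_t stack[16], pc = start;
    int sp = 0, steps;
    for (steps = 0; steps < 64 && pc != API_ADDR; steps++) {
        const uint8_t *p = img->bytes + (pc - IMG_BASE);
        if (p[0] == 0xE8) {                          /* call rel32 */
            stack[sp++] = pc + 5;
            pc += 5 + get_u32(img, pc + 1);
        } else if (p[0] == 0xFF && p[1] == 0x15) {   /* call [abs32] */
            stack[sp++] = pc + 6;
            pc = get_u32(img, get_u32(img, pc + 2));
        } else if (p[0] == 0xFF && p[1] == 0x25) {   /* jmp [abs32] */
            pc = get_u32(img, get_u32(img, pc + 2));
        } else {
            return 0;                                /* instruction not modelled */
        }
    }
    return sp ? stack[sp - 1] : 0;
}

/* The check as the page states it: the return address must be immediately
 * preceded by a call whose target is the protected API. Returns 1 when the
 * frame looks like a normal call, 0 when the check would flag it. Only the
 * two encodings emitted above are decoded; that simplification is ours. */
int caller_check(const Image *img, uint32_t ret_addr, uint32_t api_addr) {
    if (ret_addr >= IMG_BASE + 5 && img->bytes[ret_addr - 5 - IMG_BASE] == 0xE8 &&
        ret_addr + get_u32(img, ret_addr - 4) == api_addr)
        return 1;                                    /* call rel32 straight to the API */
    if (ret_addr >= IMG_BASE + 6 && img->bytes[ret_addr - 6 - IMG_BASE] == 0xFF &&
        img->bytes[ret_addr - 5 - IMG_BASE] == 0x15 &&
        get_u32(img, get_u32(img, ret_addr - 4)) == api_addr)
        return 1;                                    /* call [slot] where slot holds the API */
    return 0;
}

/* Entry points: the return address the API sees for a caller, and the verdict. */
uint32_t api_return_address(uint32_t caller) {
    Image img; build_image(&img);
    return return_address_at_api(&img, caller);
}
int check_caller(uint32_t caller) {
    Image img; build_image(&img);
    return caller_check(&img, return_address_at_api(&img, caller), API_ADDR);
}

int main(void) {
    printf("ordinary wrapper:  ret -> 0x%04x, %s\n", api_return_address(CALLER_A),
           check_caller(CALLER_A) ? "passes caller check" : "flagged as ROP");
    printf("tail-call wrapper: ret -> 0x%04x, %s\n", api_return_address(CALLER_B),
           check_caller(CALLER_B) ? "passes caller check" : "flagged as ROP");
    return 0;
}
```

Through the ordinary wrapper the API returns to WRAP_CALL+6, which is preceded by call [IAT_SLOT], so the check passes. Through the tail-call wrapper the API returns to CALLER_B+5, which is preceded by a call whose target is the wrapper, not the API, so the same check flags a perfectly legitimate call: that is the false positive the text describes, reproduced without any attacker involvement.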


Like many EMET protections, this can be bypassed by exploit writers who are aware of EMET’s functionality. However, it can be effective against EMET-unaware exploits.


Fix and Workaround


We are in contact with Microsoft to investigate and address this problem, since the incompatibility is between code emitted by Microsoft’s compiler and a check in Microsoft’s security software. Microsoft currently recommends that the EMET caller mitigation not be enabled for Chrome.


Users


In the meantime, users experiencing this problem with Chrome or Chromium-based browsers can resolve the issue by either:

  • Removing the browser from the list of applications monitored by EMET, or

  • Disabling the caller mitigation setting specifically for the browser.


The Chrome security team does not generally recommend the use of EMET with Chromium because it has negative performance impact and adds no security benefit in most situations. The most effective anti-exploit techniques that EMET provides are already built into Chromium or superseded by stronger mitigations.



EMET Protection: Forcing Data Execution Prevention
Benefit to Chromium: None, Chromium builds with this already enabled.

EMET Protection: Forcing Address Space Layout Randomization
Benefit to Chromium: None, Chromium builds with this already enabled.

EMET Protection: Structured Exception Handling Overwrite Protection
Benefit to Chromium: None, Chromium enables OS SEHOP when it is available. EMET can add SEHOP on Windows versions where it is not available, but this is not compatible with Chromium running on Windows Vista or older.

EMET Protection: Heap Spray Page Reservation
Benefit to Chromium: This can protect Chromium from some exploits, but can also be trivially bypassed by exploit writers who are aware of EMET protections.

EMET Protection: Export Address Table access filtering
Benefit to Chromium: This can protect Chromium from some exploits, but can also be bypassed by exploit writers who are aware of EMET protections.

EMET Protection: ROP chain detection and prevention
Benefit to Chromium: This can protect Chromium from some exploits, but can also be bypassed by exploit writers who are aware of EMET protections.

