May 11th, 2015
With Microsoft Edge, we want to fundamentally improve security over existing browsers and enable users to confidently experience the web from Windows. We have designed Microsoft Edge to defend users from increasingly sophisticated and prevalent attacks.
This post covers some of the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques developed in close partnership with Windows.
Web Security Threats
While the web is predominantly a safe environment, some sites are designed to steal money and personal information. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking:
- Trickery: in real life, a “con man” will use tricks to take advantage of a victim, e.g. “got two 10s for a 5?” On the web, attackers will try to fool victims using things like “phishing” attacks that convince a user to enter their banking password into a web site that looks like their bank, but isn’t.
- Hacking: in real life, a mugger might assault you and take your money, or a burglar might break into your home and steal your valuables. On the web, attackers present a victim’s browser with malformed content intended to exploit subtle flaws in your browser, or in various extensions your browser uses, such as video decoders. This lets the attacker run their code on the victim’s computer, taking over first their browsing session, and perhaps ultimately the entire computer.
These are threats faced by every browser. Let’s explore how Microsoft Edge addresses these threats and is helping make the web a safer experience.
Defend Users Against Trickery
A web browser can help defend a user against trickery by identifying and blocking known tricks, and by using strong security protocols to ensure that you are talking to the web site you think you are talking to. Here are some of the ways that Microsoft Edge helps achieve this.
Stronger, More Convenient Credentials
One of the most common ways to attack users is phishing: enticing the user into entering their password into a fake version of a web site that they trust. Attempts to uniquely identify legitimate web sites, such as through the original HTTPS lock symbol, and more recently with the EV Cert green bar, have met with only limited success: attackers are just too good at faking a legitimate experience to expect most users to notice the difference.
To really defend against this requires removing the need for users to enter plain-text passwords into web sites. Instead, Windows 10 provides Microsoft Passport technology with asymmetric cryptography to authenticate you to your web sites. Windows 10 will also offer the most convenient way to unlock your device and access your Microsoft Passport, providing a truly seamless experience that is more secure than today’s world of complicated passwords.
Defending Against Malicious Web Sites and Downloads
Microsoft SmartScreen, originally introduced in IE8, is supported in Microsoft Edge and by the Windows 10 Shell. SmartScreen defends users against phishing sites by performing a reputation check on sites the browser visits, blocking sites that are thought to be phishing sites. Similarly, SmartScreen in both the browser and the Windows Shell defends users against socially-engineered downloads of malicious software to users being tricked into installing malicious software.
Defending Against Fake Sites with Certificate Reputation
Users have learned to trust sites that use encrypted web traffic. Unfortunately, that trust can be undermined when malicious sites use improperly obtained or fraudulent certificates to impersonate legitimate sites. Last year we announced Certificate Reputation – recently we have extended this system by allowing web developers to use the Bing Webmaster Tools report directly to alert Microsoft to fraudulent certificates.
As we announced recently, Microsoft Edge hosts a new rendering engine, Microsoft EdgeHTML. This engine is focused on modern web standards, allowing web developers to build and maintain one consistent site that supports all modern browsers. This greatly simplifies the hard work of building first class web sites, allowing more time and energy for web developers to focus on reliability and security rather than the complexities of interoperability.
Microsoft EdgeHTML helps in defending against “con man” attacks using new security features in the W3C and IETF standards:
- Support for the W3C standard for Content Security Policy helping developers everywhere defend their sites from XSS (Cross-Site Scripting) attacks in a cross-browser manner.
- Support for HTTP Strict Transport Security helping ensure that connections to important sites, like your Bank, are always secured.
Defending the Browser Against Hacking
Microsoft Edge does more than facilitate standards compatibility and users with defenses against trickery. It also includes a major overhaul of the DOM representation in the browser’s memory, making the browser’s code more resistant to “burglar” attacks that attempt to subvert the browser.
But Microsoft Edge has done more than just re-write the rendering engine. Here we describe the security mitigations baked into the Microsoft Edge browser.
Moving to a more secure extension model
Microsoft introduced ActiveX in 1996, part of a wave of support for web browser extensions, enabling 3rd parties to experiment with various forms of alternate content on the web. However, browser extensions come at a cost of security and reliability: binary extensions bring code and data into the browser’s process, with no protection at all, and so anything that goes wrong or is vulnerable in the extension can also take down or compromise the browser itself. It is rather similar to building a sun porch onto your house without locking the door to the sunporch: it is all too easy for a burglar to break into the sun porch, and from there loot the rest of your house.
So to make browsers safer against attacks, and just more reliable, it is important to create an extension model that is safer, by sharing less state between the browser itself and the extensions. Thus Microsoft Edge provides no support for VML, VB Script, Toolbars, BHOs, or ActiveX. The need for such extensions is significantly reduced by the rich capabilities of HTML5, and using HTML5 results in sites that are interoperable across browsers.
To enable extensibility beyond what is provided by HTML5, we are working on plans for a modern, HTML/JS-based extension model. We look forward to sharing more details on these plans, including guidance on migrating your scenarios from ActiveX controls to modern standards and extensions in the coming months.
Microsoft Edge is an App
The largest change in Microsoft Edge security is that the new browser is a Universal Windows app. This fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes. This provides the user and the platform with the confidence provided by other Windows store apps.
App Container Sandbox by Default
IE7 on Windows Vista was the first web browser to provide a browsing sandbox, called protected mode, where the part of the browser that renders the web content runs with less privilege than the browser controls (e.g. the back button) and the user do. This provides the user with a level of protection should a malicious web site exploit a bug in the browser or one of its plugins, in that the attacker is now stuck inside the sandbox and does not have full access to all of the user’s resources.
IE7’s protected mode was built on Vista’s mandatory integrity control, which provides a degree of protection, but is limited. IE10 introduced EPM (Enhanced Protected Mode) based on Windows 8’s app container sandbox. EPM provided a much stronger sandbox than protected mode, including for example deny-by-default and no-read-up semantics. EPM was on by default in the immersive browser, but was only an option on the desktop in IE10 and IE11 because some browser extensions are not compatible with EPM.
Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows.
64-bit By Default
Microsoft Edge is also 64-bit, not just by default, but at all times when running on a 64-bit processor. 64-bit processes in general, and browser processes in particular, get significant security advantages by making Windows ASLR (Address Space Layout Randomization) stronger.
Attackers want to inject malicious code into your browser process via a coding bug, and then execute their malicious code. ASLR makes that harder by randomizing the memory layout of the process, making it hard for attackers to hit precise memory locations to achieve their ends. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger, making it much more difficult for attackers to find the sensitive memory components they need.
Defending Against Memory Corruption
Memory corruption is a class of vulnerability so common that it deserves special attention. It is endemic to applications written in C/C++, because the programming language does not provide type safety or buffer overflow protection. Broadly speaking, memory corruption attacks involve the attacker providing malformed input to a program that the program does not handle properly, resulting first in corruption of the program’s memory state, and subsequently in the attacker gaining control of the program. A broad variety of memory corruption mitigations have been devised since the mid-1990s, and in the 2000s Microsoft has lead the way with advances including ASLR, DEP, and SeHOP.
As these mitigations have rolled out, attackers have adapted, inventing new forms of attack. Microsoft in turn has responded with new memory safety defenses that mitigate the most common new forms of attack, including and especially use-after-free vulnerabilities.
MemGC (Memory Garbage Collector) is a memory garbage collection system that seeks to defend the browser from UAF (Use-after-free) vulnerabilities by taking responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation has detected that there are no more references left pointing to a given block of memory.
Control Flow Guard
The end-game in memory-corruption is for the attacker to gain control of the CPU program counter, and jump to a code location of the attacker’s choice. CFG (Control Flow Guard) is a Microsoft Visual Studio technology that compiles checks around code that does indirect jumps based on a pointer, restricting these jumps to only jump to function entry points that have had their address taken. This makes attacker take-over of a program much more difficult by severely constraining where a memory corruption attack can jump to.
These new memory safety protections have been enabled and shipped out to Windows and IE users over the last year, and are on all the time in Microsoft Edge.
Despite all efforts, there will be security vulnerabilities in Microsoft Edge that we do not yet know about. To minimize customer impact, we will be offering a Windows 10 Technical Preview Browser Bug Bounty program, intended to incent security researchers to report browser vulnerabilities to Microsoft during the Technical Preview period rather than after Microsoft Edge ships as a general use product. Security researchers interested in the bounty program should look here for more information.
Security Is A Process, Not A Destination
Microsoft Edge is a brand new browser, with new goals and requirements. This has allowed us to include these security enhancements, both brand new security features, and moving older opt-in features to be always-on. For this reason, we believe Microsoft Edge will be the most secure web browser that Microsoft has ever shipped. As security is a process, not a destination, we will continue to work on browser security improvements. Let us know what you think in the comments below or @MSEdgeDev.
– Crispin Cowan, Senior Program Manager, Microsoft Edge
[Corrected on 5/11 at 5:35 PM to reflect that Protected Mode was introduced in IE7 on Windows Vista, not Windows 7.]