Closed Bug 1824964 Opened 2 years ago Closed 2 years ago

Enable Export Address Filtering (EAF) or EAF+ (stronger protection) exploit protection

Categories

(Core :: Security: Process Sandboxing, enhancement)

RESOLVED DUPLICATE of bug 1509748

People

(Reporter: Tom25519, Unassigned)

Details

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#export-address-filtering

Export address filtering

Description

Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects three commonly attacked modules:

  • ntdll.dll
  • kernelbase.dll
  • kernel32.dll

The mitigation protects the memory page in the export directory that points to the export address table. This memory page will have the PAGE_GUARD protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated.

Compatibility considerations

This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.

Configuration options

Validate access for modules that are commonly abused by exploits - This option, also known as EAF+, adds protections for other commonly attacked modules:

  • mshtml.dll
  • flash*.ocx
  • jscript*.ocx
  • vbscript.dll
  • vgx.dll
  • mozjs.dll
  • xul.dll
  • acrord32.dll
  • acrofx32.dll
  • acroform.api

Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the DOS header in a PE file, which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
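
An added illustration, not part of the bug report or the Microsoft reference: a Python parser that reports which page offsets of a PE image the description above says carry PAGE_GUARD under EAF and EAF+. The sample image is constructed, the function names are hypothetical, and it assumes the guarded export page is the one holding the export directory's AddressOfFunctions field.

```python
import struct

PAGE = 0x1000  # x86/x64 page size

def build_sample_image(export_dir_rva=0x2FF0, eat_rva=0x3010):
    """Constructed PE32+ image in memory layout (RVA == offset); not a real DLL."""
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20                                   # signature + COFF header
    struct.pack_into("<H", img, opt, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112, export_dir_rva, 40)  # export data directory
    struct.pack_into("<I", img, export_dir_rva + 0x1C, eat_rva)  # AddressOfFunctions
    return bytes(img)

def eaf_guarded_pages(img, eaf_plus=False):
    """Page-base RVAs that, per the quoted description, receive PAGE_GUARD."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ header")
    (nt,) = struct.unpack_from("<I", img, 0x3C)
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = nt + 24
    (magic,) = struct.unpack_from("<H", img, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)          # data directory array
    (count,) = struct.unpack_from("<I", img, dirs - 4)    # NumberOfRvaAndSizes
    exp_rva, _size = struct.unpack_from("<II", img, dirs) # entry 0 = exports
    pages = set()
    if count > 0 and exp_rva != 0:
        # Assumption: the guarded page is the one containing the pointer to the
        # export address table, which may differ from the directory's first page.
        pages.add((exp_rva + 0x1C) & ~(PAGE - 1))
    if eaf_plus:
        pages.add(0)                                      # page holding "MZ"
    return sorted(pages)

if __name__ == "__main__":
    print([hex(p) for p in eaf_guarded_pages(build_sample_image(), eaf_plus=True)])
```

In the constructed image the export directory starts at 0x2FF0 but its AddressOfFunctions field lands at 0x300C, so the guarded page is 0x3000 rather than the page where the directory begins.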

Summary: Enable Export Address Filtering (EAF) or EAF+ (stronger protection) → Enable Export Address Filtering (EAF) or EAF+ (stronger protection) exploit protection
Component: Security → Security: Process Sandboxing
Product: Firefox → Core

This mitigation is primarily an issue for applications such as debuggers, sandboxed applications,

We are a sandboxed application, and EAF / EAF+ are known to cause various compatibility issues, including in the sandboxing and DLL blocking code itself. We worked around some of them but generally strongly recommend against enabling those because the behavior can change at any time and completely stop the browser from working. It's the same for Chrome, AFAIK. There's a lot of discussion in the original bug so I'll just dupe this here, but it's essentially WONTFIX.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1509748
Resolution: --- → DUPLICATE