Diving Into IE 10’s Enhanced Protected Mode Sandbox at Black Hat Asia 2014

If you’re using Internet Explorer in immersive mode on Windows 8/8.1 to browse Internet web sites, under the hood, your browser will be running inside the Enhanced Protected Mode sandbox. Enhanced Protected Mode (EPM) is the sandboxing mechanism in IE that attempts to prevent a successful remote exploit from installing persistent malware and from stealing personal/sensitive information.

Enhanced Protected Mode was first introduced in IE 10 on Windows 8 and it is the improved version of the Protected Mode sandbox first introduced in IE 7 on Windows Vista. And as with other security features in widely deployed software, it is important to understand how the EPM sandbox works and assess its effectiveness.

Next week, I’ll be presenting my EPM sandbox research at Black Hat Asia 2014 in Singapore. In my talk, I’ll be discussing the internals of the EPM sandbox which includes the sandbox restrictions in place and the different components that make up of the EPM sandbox. I’ll then cover sandbox security where I’ll be discussing its limitations/weaknesses and the potential vectors for sandbox escape. And finally, I’ll wrap up by demonstrating a live EPM sandbox escape!

If you’re at Black Hat Asia next week, please drop by at my talk! (Briefings Day 2 – March 28, 9:00 am, Begonia 3011)

(Stay tuned after my Black Hat Asia presentation for a follow up post which will summarize my findings.)

About the presentation

Diving Into IE 10’s Enhanced Protected Mode Sandbox

With the release of Internet Explorer 10 in Windows 8, an improved version of IE’s Protected Mode sandbox, called Enhanced Protected Mode (EPM), was introduced. With the use of the new AppContainer process isolation mechanism introduced in Windows 8, EPM aims to further limit the impact of a successful IE compromise by limiting both read and write access and limiting the capabilities of the sandboxed IE process.

As with other new security features integrated in widely deployed software, it is just prudent to look at how EPM works internally and also evaluate its effectiveness. This presentation aims to provide both by delving deep into the internals and assessing the security of IE 10’s Enhanced Protected Mode sandbox.

The first part of this presentation will focus on the inner workings of the EPM sandbox where topics such as the sandbox restrictions in place, the inter-process communication mechanism in use, the services exposed by the higher-privileged broker process, and more are discussed. The second part of this presentation will cover the security aspect of the EPM sandbox where its limitations are assessed and potential avenues for sandbox escape are discussed.

Finally, in the end of the presentation, an EPM sandbox escape exploit will be demonstrated. The details of the underlying vulnerability, including the thought process that went through in discovering it will also be discussed.

Mark Yason

Security Researcher, IBM X-Force

Mark Vincent Yason is a security researcher on IBM’s X-Force Advanced Research team. Mark’s current focus area is...