
Cutting Edge: Microsoft Browser Security — From People Who Owned It

Conference:  BlackHat EU 2018

2018-12-06

Summary

The presentation discusses the security architecture of Microsoft Edge and how to escape its sandbox through design flaws in its components and features.
  • Microsoft Edge has a more secure security architecture than its predecessor, Internet Explorer.
  • Attacking the browser as a whole requires understanding its inter-process communication mechanisms and the interactions between its processes and components.
  • Abusing design flaws in components and features can lead to bug chains for escaping the sandbox.
  • Logical bugs are a result of bad design decisions from the beginning.
  • A deeper understanding of the target software is necessary to find logical bugs.
  • The presentation thanks Alex Ionescu and James Forshaw for their contributions to the field.
The presentation provides a detailed explanation of how to escape the Microsoft Edge sandbox through a combination of programming logic, operating system internals, reverse engineering, and creative thinking. The speaker emphasizes the importance of understanding the target software and the need to find logical bugs that are a result of bad design decisions. The presentation also acknowledges the contributions of Alex Ionescu and James Forshaw to the field of cybersecurity.

Abstract

Microsoft Edge, the new default browser for Windows 10, is heavily sandboxed. In fact, it is probably the only browser with its main process running inside a sandbox. Microsoft even goes to great lengths to design and implement platform security features exclusively for Microsoft Edge. In this talk, we will take a deep dive into the Microsoft Edge security architecture. This includes sandbox initialization, browser broker implementation, inter-process communication, and renderer security isolation. We will present two logical sandbox escape bug chains for Microsoft Edge, consisting of three bugs in total, one of which we used in Pwn2Own; the other two are completely new. They are entirely different from memory corruption bugs, as all we have done is abuse normal features implemented in the browser and the operating system.
