USING EMET TO DEFEND AGAINST
TARGETED ATTACKS
PRESENTED BY
ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION
WHOAMI
• Robert Hensing
• 15 year Microsoft veteran
• Developed original versions of W.O.L.F. and AutoDump+ (tools used by Customer Support
for Incident Response and Debugging respectively)
• Trustworthy Computing Division alumni
•
•
•
5 year tour in MSRC Engineering – Defense team
Co-Developed GUT (swiss army knife hex editor / fuzzer / vulnerability detection framework)
Co-Developed a technique that uses the Windows shim engine to mitigate vulnerable code via
‘Shimpatches’ (as featured in recent IE Security Advisories)
• Currently a boring C# Developer Consultant in National Security Group practice
•
I used to be somebody. 
TRUSTWORTHY COMPUTING - SECURITY
CENTERS
Protecting Microsoft customers throughout the entire life cycle
(in development, deployment and operations)
Microsoft Security
Response Center
(MSRC)
Conception
Ecosystem Strategy
MSRC Ops
Product Life Cycle
MSRC Engineering
Microsoft Malware
Protection Center
(MMPC)
Microsoft Security
Engineering Center
(MSEC)
SDL
Security Assurance
Security Science
Release
THE SOFTWARE VULNERABILITY ASYMMETRY
PROBLEM
Defender must fix all vulnerabilities in all software – attacker
wins by finding and exploiting just one vulnerability
Threats change over time – state-of-the-art in vulnerability
finding and attack techniques changes over time
Patch deployment takes time – vendor must offset risks to
stability & compatibility, customer waits for servicing cycle
Result: Attackers only have to find one vulnerability, and they get to use it for a
really long time.
EXPLOIT ECONOMICS
Attacker
Return
=
Gains per use
X
Opportunities
to use
-
Cost to acquire
vulnerability
+
Cost to weaponize
5
EXPLOIT ECONOMICS
We can decrease Attacker Return if we are able to…
Increase attacker investment required to find usable vulnerabilities
• Remove entire classes of vulnerabilities where possible
• Focus on automation to scale human efforts
Increase attacker investment required to write reliable exploits
• Build mitigations that add brittleness
• Make exploits impossible to write completely reliably
Decrease attacker’s opportunity to recover their investment
• Shrink window of vulnerability
• Fewer opportunities via artificial diversity
• Enable rapid detection & suppression of exploit usage
Desired Result: Usable attacks will be rare and require significant engineering;
working exploits will become scarce and valuable
Exploit Economics Strategy – Step 1
INCREASE ATTACKER INVESTMENT
REQUIRED TO FIND VULNERABILITIES
7
EMBEDDING SECURITY INTO SOFTWARE
AND CULTURE
Tactics for Vulnerability Reduction
Remove entire classes of vulnerabilities
•
•
Security Tooling
Additional product features
Ongoing Process Improvements
Remove all currently findable vulnerabilities
•
Complete automation of tooling
•
•
•
•
SDL tools, Threat Modeling tool
Fuzzing toolsets + ways to streamline & improve triage
Tool overlays to increase signal-to-noise and focus attention on the right code
Verification & enforcement
•
•
Audit individual tool usage via process tools
Process tools required for SDL signoff - policy enforcement
Exploit Economics Strategy – Step 2
PREVENT RELIABLE EXPLOITATION OF
VULNERABILITIES
EMBEDDING SECURITY INTO SOFTWARE
AND CULTURE
Tactics to Frustrate Exploits
Reduce the surface we have to defend
•
Attack surface reduction
•
Design additional product mitigations
Ongoing Process Improvements
Make remaining vulnerabilities difficult or impossible to exploit
•
Build mitigations that add exploit brittleness
DIGITAL COUNTERMEASURES
• Improve system survivability against exploitation of
unknown vulnerabilities
• Three goals:
• Increase attacker requirements – e.g. must be
authenticated, local subnet only
• Deterrent – no economically reliable exploit exists
• Mitigation – Break 100% reliable universal exploits
• Often must be combined together
• Even when successful, the result is still impactful to the
user
11
MITIGATION APPROACHES
Utilize Knowledge Deficits
•
•
•
Utilize secrets such that guessing impairs exploit reliability
/GS: Protect stack buffers by checking random cookies placed
between them and control structures
Function Pointer Encoding
Artificial Diversity
ASLR: Address Space Layout Randomization
Enforce Invariants
Data Execute Protection (DEP)
Heap & pool metadata checks
SafeSEH / SEH Overwrite Protection (SEHOP)
12
MEMORY SAFETY MITIGATIONS ROADMAP
/GS 1.0 /GS 1.1
Stack
/GS 2.0 EH4
Heap / Pool
Heap 1.0
Executable
Code
DEP
SEHOP
Heap 2.0
/GS 3.0
HeapTerm
/NXCOMPAT
Heap Rand /
Hardening
Safe
Unlinking
ASLR
DEP+ATL
SEHOP +
HEASLR +
ForceASLR
IE10
SEHOP
IE9
DEP IE8
DEP O14
2003
2004
2005
2006
2007
2008
2009
2010 2011 2012
13
2013
SOFTWARE SECURITY HAS EVOLVED
•
Mitigations in software have evolved
significantly since the release of Windows
XP
•
Internet Explorer 10 on Windows 8
benefits from an extensive number of
platform security improvements (not
available to Internet Explorer 8 on
Windows XP)
ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)



http://www.microsoft.com/emet


EVOLUTION OF EMET MITIGATIONS & FEATURES
Mitigations in v1.0
Mitigations in v2.0
Features added in v3.0
Mitigations in v3.5
EVOLUTION OF EMET MITIATIONS (CONTINUED)
Mitigations & Features in v4.0
Mitigations & Features in v4.1
Mitigations & Features in v5.0 (Vista+)
MS13-008 – INTERNET EXPLORER CVE-2012-4792
(CBUTTON USE AFTER FREE)
• 0-day vulnerability being used in limited targeted attacks prior to
bulletin release discovered by FireEye circa 12/27/2012
• Vulnerability about as bad as it gets!
• Remote Code Exec vulnerability in all versions of IE (at the time)
and exploitable via a web page
• Fixed by MS13-008 on 1/14/2013
http://technet.microsoft.com/en-us/security/bulletin/ms13-008
• Standard mitigations in the bulletin were
• Don’t open Office documents
• Set Internet zone to High (yeah right)
• Disable Active Scripting and ActiveX controls (yeah right)
DEMONSTRATION - EMET VS. MS13-008
CVE-2012-4792 (CBUTTON UAF)
A ‘watering hole’ attack from www.issa-balt.org
DEMONSTRATION
RECENT EMET RELATED DEVELOPMENTS
• ATTACKERS VS. EMET IN THE NEWS
• February 11th
• SECURITY COMPANY VS. EMET IN THE NEWS
• February 24th
• MICROSOFT VS. EMET IN THE NEWS
• February 25th
THIS EXPLOIT ATTEMPT WILL SELF-DESTRUCT . . .
THIS AIN’T A SCENE IT’S A @#$% ARMS RACE
• On February 24th Bromium Labs claimed to be able to bypass all EMET 4.1
mitigations leading to a big press cycle during the RSA conference
• They discussed ways of bypassing the various ROP mitigations individually,
and a way of bypassing the StackPivot mitigation.
• They created an exploit payload that made use of many of their discoveries
but that eventually needed to call NtProtectVirtualMemory (an API that is
only protected when ‘Deep Hooks’ is enabled)
• They noted Deep Hooks was not enabled by default so this was convenient for them.
• So EMET 5.0 will enable Deep Hooks by default! 
• This required working with some vendors (McAfee HIPS) to wait for updated versions of their products to be
released.
• Bottom Line – EMET is not invincible but it does raise the bar for adversaries
and Microsoft is committed to investigating new bypasses and addressing
them in future versions of EMET if possible.
OH NOZ!!! THE END IS NEAR! (0-DAY MAY)
• On April 8, 2014, Windows XP will no longer be supported by
Microsoft. This means customers will no longer receive:
New security updates
Non-security hotfixes
Free or paid assisted support options
Online technical content updates
• New vulnerabilities discovered after support ends for Windows XP
will not be addressed without an expensive custom support
agreement
• If only there was something inexpensive that you could do to protect all
those un-patched Windows XP boxes from exploit attempts. 
CALL TO ACTION
•
Follow the Security Research and Defense blog to stay on stop of the latest trends in
security research and defense!
•
http://blogs.technet.com/b/srd/
•
Keep an eye on www.microsoft.com/emet for updates and announcements
•
Evaluate and Deploy EMET 4.1 (XP+) now or EMET 5.0 (Vista+) when it releases.
•
Protect critical applications such as Internet Explorer, Firefox, Office, Adobe Acrobat etc
•
Monitor for EMET related events in the event log using System Center or other Enterprise
monitoring software to spot 733t 0-day attempts (that don’t detect EMET and selfdestruct! )
•
Support: http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet