
Oct 28, 2009 14:58 GMT

As Microsoft progressively hardened Windows, making it harder for attackers to identify and exploit vulnerabilities in the operating system, the company also catalyzed a shift in the threat environment: attackers refocused on third-party code as their primary avenue of attack. At the same time, the Redmond company is providing a range of resources, including the Security Development Lifecycle, to developers of applications that run on top of Windows, to help them increase the security of their products. The Enhanced Mitigation Evaluation Toolkit (EMET) is the latest such resource from the software giant, built to let developers apply security mitigation technologies to arbitrary applications.

Fermin J. Serna and Andrew Roths, from MSRC Engineering, explain that applications can be opted in via a command-line utility without any recompilation. In addition, the Redmond company has put in the effort to make EMET granular: Serna notes that mitigations can be applied on a per-process basis rather than globally. According to the company, none of the mitigations included in EMET are limited any longer to newer (up-level) versions of Windows, which means customers can enjoy all the benefits of the added security without upgrading their systems.

But perhaps EMET’s strongest point is that the toolkit will continue to evolve, primarily through growth in the number of mitigations added to the package. For the time being, EMET ships with four mitigations, but Microsoft’s promise is that the toolkit will feature more and more of them in the future.

Serna enumerates all the supported mitigations:

“SEHOP - This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques.

Dynamic DEP - Data Execution Prevention (DEP) is a memory protection mitigation that marks portions of a process’ memory non-executable. This makes it more difficult for an attacker to exploit memory corruption vulnerabilities.

NULL page allocation - This blocks attackers from being able to take advantage of NULL dereferences in user mode. It functions by allocating the first page of memory before the program starts. Right now the exploitation techniques for these types of vulnerabilities are only theoretical. However, this mitigation will protect you even if that changes. Please note this protection does not impact kernel mode NULL dereferences, as the current version of EMET only supports user mode mitigations.

Heap spray allocation - Heap spraying is an attack technique that involves filling a process’ heap with specially crafted content (typically including shellcode) to aid in exploitation. Right now, many attackers rely on their content being placed at a common set of memory addresses. This mitigation is designed to pre-allocate those memory addresses and thus block these common attacks. Please note that it only aims to break current exploits that take advantage of these common addresses. It is not a general mitigation for the larger heap spraying attack. That said, if attackers do change the addresses they use, EMET users can change the addresses.”
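To make the SEH chain validation that SEHOP performs concrete, here is an added illustration written for this article, not code from Microsoft or from EMET itself: it models a simplified x86 SEH registration chain in a local array standing in for the thread stack (the record layout, the end-of-chain marker, the stack-bounds check and the handler functions are all constructed assumptions) and shows why a chain whose link field has been overwritten by a contiguous stack overflow fails the walk to the final handler.

```c
#include <stdbool.h>
#include <stdint.h>
/* Simplified model of an x86 SEH registration record (constructed for this example;
 * on Windows the real chain lives on the thread stack, with its head at fs:[0]). */
typedef struct SehRecord {
    struct SehRecord *next;   /* link to the next record; SEH_END terminates the chain */
    void (*handler)(void);    /* address of the exception handler */
} SehRecord;
#define SEH_END ((SehRecord *)(uintptr_t)0xFFFFFFFFu)
#define SEH_MAX_DEPTH 64      /* bound the walk so a looped chain cannot hang the check */
typedef struct { uintptr_t lo, hi; } StackBounds;   /* simulated stack limit and base */
static void final_handler(void) {}  /* stands in for the OS's final handler */
static void app_handler(void) {}    /* an ordinary application handler */

/* A record is only walked if it lies inside the stack and is pointer-aligned,
 * so an overwritten link is rejected rather than dereferenced. */
static bool in_stack(const SehRecord *r, const StackBounds *b) {
    uintptr_t p = (uintptr_t)r;
    return p >= b->lo && p + sizeof(SehRecord) <= b->hi && p % sizeof(void *) == 0;
}

/* SEHOP-style validation: the chain must reach a record whose link is SEH_END and
 * whose handler is the known final handler. A contiguous overflow that reaches the
 * handler field has already clobbered the 'next' field before it, so it fails here. */
bool sehop_validate(const SehRecord *head, const StackBounds *stack,
                    void (*expected_final)(void)) {
    const SehRecord *cur = head;
    for (int depth = 0; depth < SEH_MAX_DEPTH; depth++) {
        if (!in_stack(cur, stack))
            return false;                 /* dangling, out-of-stack or misaligned link */
        if (cur->next == SEH_END)
            return cur->handler == expected_final;
        cur = cur->next;
    }
    return false;                         /* too deep or cyclic: treat as corrupted */
}

/* Builds a three-record chain in a local array standing in for the thread stack,
 * then overwrites the head's link with filler bytes as a stack overflow would.
 * Reports whether each version passes validation. */
void sehop_demo(bool *intact_ok, bool *corrupted_ok) {
    SehRecord stack[3];
    StackBounds b = { (uintptr_t)stack, (uintptr_t)(stack + 3) };
    stack[2] = (SehRecord){ SEH_END, final_handler };
    stack[1] = (SehRecord){ &stack[2], app_handler };
    stack[0] = (SehRecord){ &stack[1], app_handler };
    *intact_ok = sehop_validate(&stack[0], &b, final_handler);    /* true */
    stack[0].next = (SehRecord *)(uintptr_t)0x41414141u;           /* simulated overwrite */
    *corrupted_ok = sehop_validate(&stack[0], &b, final_handler);  /* false */
}
```

The real check in Windows is performed by the exception dispatcher on the actual stack; this model only reproduces the invariant it enforces.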

The Enhanced Mitigation Evaluation Toolkit is available for download here.