Andrew Roths, Fermin J. Serna. MSRC Engineering and MSEC Science, Microsoft Corporation.
Trustworthy Computing. Andrew Roths: Senior Security Development Lead at MSRC Engineering – React. Fermin J. Serna: Security Software Engineer at MSRC Engineering – React.
Agenda: EMET introduction; overview of the previous version; what's new in the latest version 2.0; in-depth look at the mitigations; real case demo; how you can benefit.
Goals: protect software against unknown vulnerabilities; break most exploits for existing, known vulnerabilities.
Free tool available for download which helps: thwart targeted attacks; protect against unfixed vulnerabilities (including 0-days).
Offers security mitigations for most software: old applications, third-party software, line-of-business applications. Brings newer security mitigations to older platforms. Provides exclusive security mitigations to block current exploit techniques. Security mitigation: technology that inhibits the ability to exploit software vulnerabilities.
CVE (the “Aurora” vulnerability). Addressed by MS. EMET can help prevent successful exploitation on systems lacking the update. We recommend customers download the update using Microsoft Update.
“Testing Microsoft's new EMET hardening tool. So far it has prevented my SEH attacks 10 out of 10 times. Is this really from Microsoft??” JimmyRay_Purser
6 mitigations now available with version 2.0. Some of them are also available in certain versions of Windows; others are unique to EMET.
Figure (SEH chain validation, i.e. SEHOP): stack with function stack frames, a buffer, Next Handler and Handler pointers (values 0xfffffff and 0x0c0c0c0c), and the Final Handler; EMET Off vs EMET On.
Figure (data execution prevention): attacker-controlled data in the program, with Read / Write / Code Execution permissions; EMET Off vs EMET On.
Figure (heap spray pre-allocation): victim process address space with Code, Data and a region marked EMET Allocated that the attacker's spray can no longer occupy; EMET Off vs EMET On.
Figure (mandatory ASLR): process address space across Boot 1, Boot 2 and Boot 3 containing app.exe, user32.dll, kernel32.dll, ntdll.dll and foo.dll; with EMET Off, foo.dll loads at the same address on every boot, while with EMET On the EMET Allocated region forces it elsewhere.
Attacks: how shellcode finds APIs. First some background: TEB, PEB and LDR structures; Portable Executable (PE) file structure.
TEB: Thread Environment Block. Accessible through the fs register. At offset 0x30 there is a pointer to the PEB.
PEB: Process Environment Block. At offset 0x0C there is a pointer to the LDR structures.
LDR structures: three linked lists of loaded modules for the current process.
Export Address Table
Figure (using Metasploit as an example): the shellcode reads fs:0 to obtain the TEB pointer, follows the PEB pointer at TEB offset 0x30, follows the LDR pointer at PEB offset 0x0C, and then walks the module list (Module 1, Module 2, Module 3), looking through each module's EAT for the target functions.
So how do we block this shellcode? We place a data breakpoint on the pointer to the AddressOfFunctions array in the EAT. When it is hit, we check whether the instruction pointer (EIP) is running from inside a module. If it is not, we crash the process.
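An added example (Python; not EMET's own code) showing the two pieces of the check described above: locating the AddressOfFunctions field in a mapped PE32 image, which is the address the data breakpoint watches, and the decision taken when the breakpoint fires. The PE image and module addresses are constructed for the demonstration; the structure offsets are those of the PE format.

```python
import struct

# Offsets fixed by the PE format (not assumptions).
PE32_MAGIC = 0x10B
EXPORT_DIR_DATADIR = 96          # PE32 optional header: DataDirectory[0] = export table
ADDRESS_OF_FUNCTIONS_OFF = 0x1C  # field offset inside IMAGE_EXPORT_DIRECTORY


def address_of_functions_va(image: bytes, base: int) -> int:
    """Virtual address of IMAGE_EXPORT_DIRECTORY.AddressOfFunctions for a PE32
    image mapped at `base`: the 4-byte field an EAF-style data breakpoint watches."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    export_rva = struct.unpack_from("<I", image, opt + EXPORT_DIR_DATADIR)[0]
    return base + export_rva + ADDRESS_OF_FUNCTIONS_OFF


def eaf_decision(eip: int, modules) -> str:
    """Policy applied when the breakpoint fires. `modules` is a list of
    (base, size) pairs for loaded modules. Reads of the export table by code
    inside a module are normal loader/application behaviour and are allowed;
    a read from outside any module (heap, stack) is treated as shellcode."""
    inside = any(base <= eip < base + size for base, size in modules)
    return "allow" if inside else "terminate"


def build_pe32_image(export_rva: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) for the demonstration."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + EXPORT_DIR_DATADIR, export_rva)
    return bytes(img)


if __name__ == "__main__":
    image = build_pe32_image(0x2000)
    base = 0x7C800000                                  # constructed module base
    modules = [(base, 0x100000), (0x00400000, 0x20000)]
    print(hex(address_of_functions_va(image, base)))   # 0x7c80201c
    print(eaf_decision(base + 0x1234, modules))        # allow (reader is in a module)
    print(eaf_decision(0x0C0C0C0C, modules))           # terminate (reader is in a spray)
```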
Summary: free tool. Protects against the exploitation of vulnerabilities in software, both known and unknown. Can be applied to almost any arbitrary process: it doesn't matter who wrote it or when it was written.
Visit our blog! Latest news on EMET and download links. Feedback welcome. Special thanks to Matt Miller for his contributions to EMET.
Be on the front lines of Microsoft's battle with 0-day security vulnerabilities, hackers, and active cyber-attacks. Get your hands dirty exploring software and finding vulnerabilities. (Search for Trustworthy Computing)
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.