Using EMET to defend against targeted attacks - PowerPoint PPT Presentation (26 slides, transcript)

Using EMET to defend against targeted attacks

Presented by

Robert Hensing – Senior consultant – Microsoft Corporation

WHOAMI
  • Robert Hensing
    • 15 year Microsoft veteran
    • Developed original versions of W.O.L.F. and AutoDump+ (tools used by Customer Support for Incident Response and Debugging respectively)
    • Trustworthy Computing Division alumni
      • 5 year tour in MSRC Engineering – Defense team
      • Co-Developed GUT (swiss army knife hex editor / fuzzer / vulnerability detection framework)
      • Co-Developed a technique that uses the Windows shim engine to mitigate vulnerable code via ‘Shimpatches’ (as featured in recent IE Security Advisories)
    • Currently a boring C# Developer Consultant in National Security Group practice
      • I used to be somebody. 
Trustworthy Computing - Security Centers

Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations)

[Figure: the Trustworthy Computing security centers laid along the product life cycle from Conception to Release. Boxes shown: Microsoft Security Engineering Center (MSEC), Microsoft Security Response Center (MSRC), Microsoft Malware Protection Center (MMPC), Ecosystem Strategy; teams shown: SDL, Security Assurance, Security Science, MSRC Ops, MSRC Engineering.]


The software vulnerability asymmetry problem

Defender must fix all vulnerabilities in all software – attacker wins by finding and exploiting just one vulnerability

Threats change over time – state-of-the-art in vulnerability finding and attack techniques changes over time

Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle

Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.


Exploit Economics

Attacker Return = (Gains per use × Opportunities to use) - (Cost to acquire vulnerability + Cost to weaponize)


Exploit Economics

We can decrease Attacker Return if we are able to…

Increase attacker investment required to find usable vulnerabilities

  • Remove entire classes of vulnerabilities where possible
  • Focus on automation to scale human efforts

Increase attacker investment required to write reliable exploits

  • Build mitigations that add brittleness
  • Make exploits impossible to write completely reliably

Decrease attacker’s opportunity to recover their investment

  • Shrink window of vulnerability
  • Fewer opportunities via artificial diversity
  • Enable rapid detection & suppression of exploit usage

Desired Result: Usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable


Exploit Economics Strategy – Step 1

Increase attacker investment required to find vulnerabilities


Embedding security into software and culture

  • Tactics for Vulnerability Reduction
    • Remove entire classes of vulnerabilities
      • Security tooling
      • Additional product features
    • Remove all currently findable vulnerabilities
      • Complete automation of tooling
        • SDL tools, Threat Modeling tool
        • Fuzzing toolsets + ways to streamline & improve triage
        • Tool overlays to increase signal-to-noise and focus attention on the right code
      • Verification & enforcement
        • Audit individual tool usage via process tools
        • Process tools required for SDL signoff - policy enforcement

Ongoing Process Improvements


Exploit Economics Strategy – Step 2

Prevent reliable exploitation of vulnerabilities


Embedding security into software and culture

  • Tactics to Frustrate Exploits
    • Reduce the surface we have to defend
      • Attack surface reduction
      • Design additional product mitigations
    • Make remaining vulnerabilities difficult or impossible to exploit
      • Build mitigations that add exploit brittleness

Ongoing Process Improvements

Digital Countermeasures
  • Improve system survivability against exploitation of unknown vulnerabilities
  • Three goals:
    • Increase attacker requirements – e.g. must be authenticated, local subnet only
    • Deterrent – no economically reliable exploit exists
    • Mitigation – Break 100% reliable universal exploits
  • Often must be combined together
  • Even when successful, the result is still impactful to the user
Mitigation Approaches

Utilize Knowledge Deficits

  • Utilize secrets such that guessing impairs exploit reliability
  • /GS: Protect stack buffers by checking random cookies placed between them and control structures
  • Function Pointer Encoding

Artificial Diversity

ASLR: Address Space Layout Randomization

Enforce Invariants

  • Data Execution Prevention (DEP)
  • Heap & pool metadata checks
  • SafeSEH / SEH Overwrite Protection (SEHOP)
Memory Safety Mitigations Roadmap

[Figure: timeline of Windows memory-safety mitigations from 2003 to 2013, in three tracks]
  • Stack: /GS 1.0, /GS 1.1, /GS 2.0, EH4, SEHOP, /GS 3.0
  • Heap / Pool: Heap 1.0, Heap 2.0, HeapTerm, Safe Unlinking, Heap Rand / Hardening
  • Executable Code: DEP, /NXCOMPAT, ASLR, DEP+ATL, DEP IE8, DEP O14, SEHOP IE9, SEHOP + HEASLR + ForceASLR IE10

Software security has evolved

  • Mitigations in software have evolved significantly since the release of Windows XP
  • Internet Explorer 10 on Windows 8 benefits from an extensive number of platform security improvements (not available to Internet Explorer 8 on Windows XP)

Mitigation                       Windows XP SP3 / IE8    Windows 8 / IE10
SEHOP                            No                      Yes
Protected Mode                   No                      Yes
Enhanced Protected Mode (EPM)    No                      Yes
Virtual Table Guard              No                      Yes
ASLR                             Limited                 Extensive
  Stack randomization            No                      Yes
  Heap randomization             No                      Yes
  Image randomization            No                      Yes
  Force image randomization      No                      Yes
  Bottom-up randomization        No                      Yes
  Top-down randomization         No                      Yes
  High entropy randomization     No                      Yes
  PEB/TEB randomization          No                      Yes
Heap hardening                   Limited                 Extensive
  Header encoding                No                      Yes
  Terminate on corruption        No                      Yes
  Guard pages                    No                      Yes
  Allocation randomization       No                      Yes
  Safe unlinking                 Yes                     Yes
  Header checksums               Yes                     Yes
/GS                              Yes                     Yes
Enhanced /GS                     No                      Yes
SafeSEH                          Yes                     Yes
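The table above describes what each platform offers; whether a given executable or DLL actually opts in to DEP and ASLR is recorded in its own PE header, where the /NXCOMPAT and /DYNAMICBASE linker options set bits in DllCharacteristics. Modules that do not set those bits are exactly the ones EMET's Mandatory ASLR and DEP mitigations exist to cover, and an image with its relocations stripped cannot be rebased even by Mandatory ASLR. The following PowerShell function is an added example, not code from the presentation or from EMET; it parses the header directly using the PE/COFF layout, and the folder used in the usage line is an assumption.

```powershell
# Added example: report DEP/ASLR opt-in bits from a PE file's headers.
# Offsets follow the PE/COFF specification; flag values are the IMAGE_* constants.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic; e_lfanew at 0x3C points to the PE signature
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $peOffset = [int][BitConverter]::ToUInt32($bytes, 0x3C)
    # "PE\0\0" read as a little-endian DWORD is 0x00004550
    if (($peOffset + 24) -gt $bytes.Length -or [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) {
        throw "$Path has no PE signature at offset 0x$($peOffset.ToString('X'))"
    }
    # COFF file header (20 bytes) follows the 4-byte signature; Characteristics is at offset 18
    $coffChars = [BitConverter]::ToUInt16($bytes, $peOffset + 4 + 18)
    $opt = $peOffset + 4 + 20                       # start of the optional header
    $magic = [BitConverter]::ToUInt16($bytes, $opt)
    if ($magic -eq 0x10B) { $is64 = $false }
    elseif ($magic -eq 0x20B) { $is64 = $true }
    else { throw ("Unknown optional header magic 0x{0:X}" -f $magic) }
    # DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+
    if (($opt + 72) -gt $bytes.Length) { throw "$Path has a truncated optional header" }
    $dllChars = [BitConverter]::ToUInt16($bytes, $opt + 70)

    New-Object PSObject -Property @{
        Path               = $Path
        Is64Bit            = $is64
        NxCompat           = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT, DEP)
        DynamicBase        = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE, ASLR)
        HighEntropyVA      = [bool]($dllChars -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit only)
        NoSeh              = [bool]($dllChars -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
        RelocsStripped     = [bool]($coffChars -band 0x0001)  # IMAGE_FILE_RELOCS_STRIPPED: cannot be rebased at all
        DllCharacteristics = ('0x{0:X4}' -f $dllChars)
    }
}

# Usage (folder is an assumption): list modules that would depend on EMET's
# Mandatory ASLR or DEP because they do not opt in on their own.
Get-ChildItem 'C:\Program Files\Internet Explorer' -Include *.exe, *.dll -Recurse |
    ForEach-Object { try { Get-PeMitigationFlags -Path $_.FullName } catch { Write-Warning $_ } } |
    Where-Object { -not ($_.DynamicBase -and $_.NxCompat) } |
    Format-Table Path, Is64Bit, NxCompat, DynamicBase, HighEntropyVA, NoSeh, RelocsStripped -AutoSize
```

Two caveats when reading the output: the NX_COMPAT bit only decides anything under the default OptIn/OptOut system DEP policy (under AlwaysOn every process gets DEP regardless), and a module with DynamicBase clear but RelocsStripped also clear is the case Mandatory ASLR / ForceASLR can fix, whereas one with RelocsStripped set will always load at its preferred base.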

Enhanced Mitigation Experience Toolkit (EMET)
  • Offers security mitigations for most software
    • Old applications
    • Third party software
    • Line of business applications
  • Brings newer security mitigations to older platforms
  • Provides exclusive, state-of-the-art security mitigations that block current exploit techniques
  • Download the latest bits: http://www.microsoft.com/emet
    • EMET 4.1 supported on Windows XP
    • EMET 5.0 and later require Vista or higher
Evolution of EMET mitigations & features
  • Mitigations in v1.0
    • Dynamic DEP
    • SEHOP
    • NULL Page protection
  • Mitigations in v2.0
    • Mandatory ASLR
    • EAT Access Filtering
    • Heap Spray Allocation
  • Features added in v3.0
    • 3 Protection Profiles
    • ADMX files for Group Policy management
    • EMET Notifier (alerts the user when mitigations were enforced)
  • Mitigations in v3.5
    • Anti-ROP mitigations:
      • Caller Checks
      • Exec Flow Simulation
      • Stack Pivot Mitigation
      • Load Library Checks
      • Memory Protection Checks
EVOLUTION OF EMET MITIGATIONS (CONTINUED)
  • Mitigations & Features in v4.0
    • Certificate Pinning
    • Early Warning Program (telemetry via Microsoft Error Reporting)
      • Could be used to find 733t 0-day!
    • Blocks known bypasses (Deep Hooks)
    • Updated rules to fix app-compat issues
    • Audit Mode (i.e. No Kill Mode)
    • Configuration Wizard
  • Mitigations & Features in v4.1
    • Updates to default protection profiles
    • Improved event logging
    • App-compat updates / fixes
    • Fix to allow shared remote desktops
  • Mitigations & Features in v5.0 (Vista+)
    • Attack Surface Reduction
      • Prevents unwanted 3rd-party modules from loading in applications
    • EAF+
      • Adds KernelBase to the protected functions
      • Adds additional checks to existing protected exports
MS13-008 – Internet Explorer CVE-2012-4792 (CButton Use After Free)
  • 0-day vulnerability discovered by FireEye circa 12/27/2012, already in use in limited targeted attacks before the bulletin was released
  • Vulnerability about as bad as it gets!
    • Remote code execution in Internet Explorer 6, 7 and 8 (IE9 and IE10 were not affected), exploitable via a web page
  • Fixed by MS13-008 on 1/14/2013: http://technet.microsoft.com/en-us/security/bulletin/ms13-008
    • Standard mitigations in the bulletin were
      • Don’t open Office documents
      • Set Internet zone to High (yeah right)
      • Disable Active Scripting and ActiveX controls (yeah right)
Demonstration - EMET vs. MS13-008 / CVE-2012-4792 (CButton UAF)

A ‘watering hole’ attack from www.issa-balt.org

RECENT EMET RELATED DEVELOPMENTS
  • ATTACKERS VS. EMET IN THE NEWS
    • February 11th
  • SECURITY COMPANY VS. EMET IN THE NEWS
    • February 24th
  • MICROSOFT VS. EMET IN THE NEWS
    • February 25th
THIS AIN’T A SCENE IT’S A @#$% ARMS RACE
  • On February 24th, Bromium Labs claimed to be able to bypass all EMET 4.1 mitigations, leading to a big press cycle during the RSA conference
  • They discussed ways of bypassing the various ROP mitigations individually, and a way of bypassing the StackPivot mitigation.
  • They created an exploit payload that used many of their discoveries but that eventually needed to call NtProtectVirtualMemory (an API that EMET hooks only when ‘Deep Hooks’ is enabled)
    • They noted that Deep Hooks was not enabled by default, which was convenient for them.
  • So EMET 5.0 will enable Deep Hooks by default!
    • This required working with some vendors (McAfee HIPS) and waiting for updated versions of their products to be released.
  • Bottom line – EMET is not invincible, but it does raise the bar for adversaries, and Microsoft is committed to investigating new bypasses and addressing them in future versions of EMET where possible.
OH NOZ!!! THE END IS NEAR! (0-DAY May)
  • On April 8, 2014, Windows XP will no longer be supported by Microsoft. This means customers will no longer receive:

New security updates

Non-security hotfixes

Free or paid assisted support options

Online technical content updates

  • New vulnerabilities discovered after support ends for Windows XP will not be addressed without an expensive custom support agreement
  • If only there was something inexpensive that you could do to protect all those un-patched Windows XP boxes from exploit attempts. 
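What that inexpensive step looks like in practice, as an added PowerShell example (not from the presentation and not Microsoft's own deployment script): it enrolls the commonly attacked applications into EMET 4.1 with EMET_Conf.exe and sets the system-wide DEP and SEHOP policy. Assumptions: EMET 4.1 is installed in its default folder; the EMET_Conf switches --import, --set, --system and --list and the shipped 'Popular Software.xml' profile behave as described in the EMET 4.1 user guide; the application paths listed are typical and must be adjusted for your image; the script runs from an elevated prompt.

```powershell
# Added example: bulk-enroll applications into EMET 4.1 from an elevated PowerShell prompt.
# Install path, profile name and application paths are assumptions to verify on your hosts.
$candidates = @(
    "${env:ProgramFiles(x86)}\EMET 4.1\EMET_Conf.exe",   # 64-bit Windows
    "$env:ProgramFiles\EMET 4.1\EMET_Conf.exe"           # 32-bit Windows (e.g. XP SP3)
)
$emetConf = $candidates | Where-Object { $_ -and (Test-Path $_) } | Select-Object -First 1
if (-not $emetConf) { throw 'EMET 4.1 not found; install it first from http://www.microsoft.com/emet' }
$emetDir = Split-Path -Parent $emetConf

function Invoke-EmetConf {
    # Run EMET_Conf with the given switches and stop on a non-zero exit code.
    param([string[]]$Arguments)
    Write-Host ("EMET_Conf " + ($Arguments -join ' '))
    & $emetConf @Arguments
    if ($LASTEXITCODE -ne 0) { throw "EMET_Conf $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Import Microsoft's shipped "Popular Software" protection profile, which covers
#    Internet Explorer, Office, Adobe Reader, Java and other commonly attacked software.
$profileXml = Join-Path $emetDir 'Deployment\Protection Profiles\Popular Software.xml'
Invoke-EmetConf @('--import', $profileXml)

# 2. Add applications the profile does not cover; "--set <app>" turns on every
#    application mitigation for that executable.
$extraApps = @(
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    'C:\LOB\ClaimsViewer.exe'                              # hypothetical line-of-business app
)
foreach ($app in $extraApps) {
    if ($app -and (Test-Path $app)) { Invoke-EmetConf @('--set', $app) }
    else { Write-Warning "Skipping $app (not installed on this host)" }
}

# 3. System-wide mitigations. DEP=AlwaysOn applies after a reboot and can break software
#    that executes from data pages, so test on a pilot group first. The system SEHOP
#    setting needs Vista SP1 or later; on XP EMET applies SEHOP per application instead.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    Invoke-EmetConf @('--system', 'DEP=AlwaysOn', 'SEHOP=AlwaysOn')
} else {
    Invoke-EmetConf @('--system', 'DEP=AlwaysOn')
}

# 4. Print the resulting per-application configuration for the change record.
Invoke-EmetConf @('--list')
```

For fleet deployment the same settings go out through the EMET ADMX templates (Group Policy) rather than a script per host, and any line-of-business application added with --set should first run in Audit Mode so that a false positive on an old binary is a logged event, not a killed process.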
Call to action
  • Follow the Security Research and Defense blog to stay on top of the latest trends in security research and defense!
    • http://blogs.technet.com/b/srd/
  • Keep an eye on www.microsoft.com/emet for updates and announcements
  • Evaluate and Deploy EMET 4.1 (XP+) now or EMET 5.0 (Vista+) when it releases.
  • Protect critical applications such as Internet Explorer, Firefox, Office, Adobe Acrobat etc
  • Monitor for EMET related events in the event log using System Center or other Enterprise monitoring software to spot 733t 0-day attempts (that don’t detect EMET and self-destruct! )
  • Support: http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet
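The monitoring step above, as an added PowerShell example (not from the presentation): it reads EMET events from the Application log, pulls the mitigation name, process and API out of the message text, and groups them so the result can be forwarded to System Center or a SIEM. Assumptions: EMET writes to the Application log under the source name EMET; the message layout matched by the regular expressions (an "EMET detected <Mitigation> mitigation" first line followed by "Application :", "User Name :", "PID :" and "API Name :" fields) is modelled on EMET 4.x alerts and should be checked against one real event on your build; the sample message at the end is constructed, not a captured event.

```powershell
# Added example: parse and summarize EMET mitigation events from the Application log.
# The message layout matched here is an assumption; adjust the patterns if yours differ.
function ConvertFrom-EmetEventMessage {
    param([string]$Message, [datetime]$Time = (Get-Date))
    # The first line of an EMET alert names the mitigation that fired
    $m = [regex]::Match($Message, 'EMET detected (?<mit>[A-Za-z+]+) mitigation')
    if (-not $m.Success) { return $null }
    # Helper: read a "Name : value" line from the message body
    $field = {
        param($name)
        $f = [regex]::Match($Message, ('(?m)^\s*' + [regex]::Escape($name) + '\s*:\s*(?<v>.+?)\s*$'))
        if ($f.Success) { $f.Groups['v'].Value } else { $null }
    }
    $pidText = & $field 'PID'                               # e.g. "0x9C4 (2500)"
    $pidMatch = [regex]::Match([string]$pidText, '\((?<d>\d+)\)')
    $processId = $null
    if ($pidMatch.Success) { $processId = [int]$pidMatch.Groups['d'].Value }

    New-Object PSObject -Property @{
        Time        = $Time
        Mitigation  = $m.Groups['mit'].Value
        Killed      = ($Message -match 'will close the application')   # false in Audit Mode
        Application = & $field 'Application'
        User        = & $field 'User Name'
        ProcessId   = $processId
        ApiName     = & $field 'API Name'
    }
}

function Get-EmetMitigationReport {
    # Pull EMET warning/error events from the last $Days days and group them by
    # mitigation and application. Get-EventLog works from XP through Windows 8; on
    # Vista+ Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='EMET'}
    # is the faster route.
    param([int]$Days = 7, [string]$ComputerName = '.')
    Get-EventLog -LogName Application -Source EMET -After (Get-Date).AddDays(-$Days) `
                 -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.EntryType -ne 'Information' } |
        ForEach-Object { ConvertFrom-EmetEventMessage -Message $_.Message -Time $_.TimeGenerated } |
        Where-Object { $_ } |
        Group-Object Mitigation, Application |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample message (not a real captured event) to exercise the parser offline.
$sample = @"
EMET detected StackPivot mitigation and will close the application: iexplore.exe

StackPivot check failed:
  Application : C:\Program Files\Internet Explorer\iexplore.exe
  User Name   : CORP\alice
  Session ID  : 1
  PID         : 0x9C4 (2500)
  TID         : 0xA10 (2576)
  Module      : N/A
  API Name    : NtProtectVirtualMemory
"@
ConvertFrom-EmetEventMessage -Message $sample | Format-List Mitigation, Killed, Application, User, ProcessId, ApiName

# Live report for the local host over the last week:
Get-EmetMitigationReport -Days 7 | Format-Table -AutoSize
```

A single StackPivot or Caller Checks event on iexplore.exe or Acrobat from an ordinary user's browsing session deserves the same response as a malware alert, because it usually means an exploit ran far enough to be stopped; a burst of events for one line-of-business executable across many hosts, on the other hand, is almost always an application-compatibility problem for that mitigation, which is exactly what Audit Mode is for.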