10

I recall seeing, upon release of Windows 8 a while ago that a number of new mitigations and memory protections had been put in place but i'm unsure if these are the same protections offered by EMET. Based on the bypasses discussed it appears that KASLR and SMEP are something specific to Windows 8 (but not present in EMET).

Does EMET add any additional memory protections on windows 8 and higher?

Additionally, while EMET does certificate pinning nicely enough are there any other tools that offer Certificate pinning for Internet Explorer, Chrome AND Firefox? This paper recommends using a tool called Convergence but that appears to be firefox only and I'd like to be able to support as much of the enterprise environment as possible.

Finally Given that both EMET 4.1 and EMET 5.0 have been successfully bypassed is there any point to using them? Is there a preference (in terms of the security provided) to use one or the other (especially since EMET 5.0 seems to contain a lot of issues with crashing applications)?

NULLZ
  • 11,426
  • 17
  • 77
  • 111

1 Answers1

15

KASLR and SMEP are kernel-mode protections, applying ASLR to kernel space and enforcing privilege ring boundaries on execution respectively. EMET is solely a user-space protection tool, and as such is not involved with KASLR or SMEP.

You should also be aware that EMET is not a magic bullet. It is designed with two goals: to raise the cost of exploit development, and to reduce or eliminate the efficacy of existing pre-written shellcode.

So, to answer your question regarding EMET and Windows 8.1, the answer is yes, there are plenty of protections that EMET offers:

SEHOP

SEHOP is a mechanism designed to prevent stack buffer overflow exploitation via SEH handler overwrites. EMET hooks the OS functionality which provides exception handling and inserts a check to ensure that the handler has not become corrupted, primarily by verifying that the handler address is one which came predefined in the application.

Dynamic DEP

Data Execution Prevention allows for hardware enforcement of execution access flags on memory pages. The normal configuration for an OS is to have DEP enabled for services, and then have applications opt-in based on a compiler flag (which is stored in the PE header, under the Characteristics field). EMET allows you to specify a policy that forces DEP on for a process, even if it wasn't compiled with this flag. It also has an additional benefit: it specifies the DEP policy for the process such that calls to SetProcessDEPPolicy from within the application cannot override this flag, so ROP chaining to that API won't disable DEP and allow for trivial stack execution.

Heapspray Protection

This protection is just designed to protect against stock shellcode pulled from frameworks like Metasploit. It pre-allocates common page addresses used in heap spray attacks and sets the memory to be inaccessible. This is useful because a lot of existing drive-by attacks use these addresses, and you can essentially prevent all of those attacks from working by allocating the pages they're looking for. Of course, someone who knows what they're doing can just re-write the shellcode, but it raises the bar to make it more difficult for script kiddies who only know how to use Metasploit or PoC scripts.

Null page allocation

Same as heapspray protection, except that it allocates a block of read-only memory at the null page address. The goal is to prevent null page dereferences from doing anything funky, though they freely admit that this is just a defense-in-depth measure as null page derefs aren't really exploitable bugs.

Mandatory ASLR

Like DEP, ASLR has to be compiled in with a flag, which again is set inside the PE header. The problem with ASLR is that even if your main program executable is marked as ASLR, it only has to load a single non-ASLR DLL into its memory space to result in a potential ASLR bypass - once there are known blocks of code in predictable locations, an attacker can build a ROP chain. Mandatory ASLR forces all loaded modules to be marked as ASLR-enabled, even if they're not compiled as such.

However, in Windows 8 (and 8.1) this feature does nothing if the native enforced ASLR implementation is enabled, because it does the same thing at the OS level.

Export Address Filtering

EAF monitors read operations on the Export Address Table (EAT) to ensure that reads are only coming from areas of application code, rather than shellcode. This is intended to make it difficult for shellcode to scan a module's EAT to find an API, where the module address is leaked in some way to facilitate such a trick. This is another mechanism where they use heuristics to guess whether the caller is shellcode or not, and isn't foolproof. It's just designed to catch out the low-hanging fruit.

EAF+

This is an extension of EAF, but it can be used in conjunction with or independent of EAF. It checks whether the stack pointer is within an allowed range, and whether the stack and frame pointers are mismatched. EMET 5.0 introduces a "valid modules" list for processes, and when it is populated EAF+ also detects if a read is to the EAT pointer for those modules, and monitors reads of the MZ and PE headers for the executable in memory to prevent EAT / IAT scanning.

Bottom-up Randomisation

Also known as bottom-up ASLR, this randomises the location of bottom-up allocations such as the stack and heaps. It's an additional countermeasure to ROP that just increases the amount of entropy in the layout.

Anti-ROP

This is a whole suite of protections that help prevent ROP from being successful. It monitors LoadLibrary calls to prevent loading DLLs from UNC paths, prevents memory protection APIs from making the stack executable, checks that APIs are properly called (i.e. with a CALL, not a RET), tries to follow back the call chain to check for ROP-like behaviour, and attempts to detect stack pivoting (incl. checking ESP / EBP against values stored in context snapshots used in certain APIs). All of these together create a headache for anyone trying to build a working ROP chain.

Attack Surface Reduction

ASR allows you to whitelist which DLLs an application is allowed to load. This is useful for a large number of reasons, including blocking malware from doing DLL injection, preventing unsafe plugins from loading (e.g. Flash), and stopping exploits from utilising LoadLibrary for nefarious purposes.

Advanced Anti-ROP

This feature adds more anti-ROP features. It hooks deeper functions, e.g. ntdll's memory allocation functions, so that it becomes more difficult to bypass the anti-ROP checks. It also tries to catch out shellcode that contains a copy of a function prolog, executes it, and then jumps past the real prolog to get to the real function, as a form of hook bypass. Finally, it bans the ntdll!LdrHotPatchRoutine function to prevent abuse of the hotpatch functionality.

Certificate Pinning

This isn't a mitigation in the same sense of the others, but it enforces certificates in IE so that they can't be easily replaced.


The point I'm trying to make, here, is that EMET has a whole host of protections which, when enabled in tandem, make the exploitation process significantly more difficult. EMET is not trying to prevent APTs and nation states from breaking stuff. They're trying to make it more expensive (in terms of time / money / skills) to build working exploits, so that it's less profitable for bad people to try. They're also rendering most shellcode which isn't specifically designed to avoid EMET inoperable, which is a large percentage of the market. It's absolutely worth enabling it.

With your concerns about stability with certain applications, you just have to work out compatibility with different protections. EMET 5.0 has reporting features which log detections, so you can go through and attempt to identify problems. Start with all the major protections enabled and turn others on or off as you go, until you reach a balance.


As for certificate pinning, it's largely browser specific. There are, of course, plugins for Firefox and Chrome that do this, though I've been underwhelmed by some. Certificate Patrol is popular, but I find it way too noisy to be useful - you just learn to click OK blindly. Chrome does have the --hsts-hosts command line option, which looks great, though you'll need to do some manual work to get it set up right. Firefox now pins several sites by default, as does Chrome, which means you're already protected to some extent. Unfortunately, it appears that there's no simple way to manage your own pinning across all browsers in your environment, and you'll have to do the manual work.


Sources:

Polynomial
  • 132,208
  • 43
  • 298
  • 379