Post on 25-Feb-2016
description
USING EMET TO DEFEND AGAINST TARGETED ATTACKS
PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION
WHOAMI• Robert Hensing• 15 year Microsoft veteran• Developed original versions of W.O.L.F. and AutoDump+ (tools used by
Customer Support for Incident Response and Debugging respectively)• Trustworthy Computing Division alumni
• 5 year tour in MSRC Engineering – Defense team• Co-Developed GUT (swiss army knife hex editor / fuzzer / vulnerability detection
framework)• Co-Developed a technique that uses the Windows shim engine to mitigate vulnerable
code via ‘Shimpatches’ (as featured in recent IE Security Advisories)• Currently a boring C# Developer Consultant in National Security Group practice
• I used to be somebody.
TRUSTWORTHY COMPUTING - SECURITY CENTERS
Protecting Microsoft customers throughout the entire life cycle(in development, deployment and operations)
Microsoft Security
Engineering Center (MSEC)
Security Assurance
Security Science
SDL
Microsoft Malware Protection Center
(MMPC)ReleaseRelease
Product Life CycleProduct Life Cycle
Microsoft Security
Response Center(MSRC)Ecosystem
StrategyMSRC Ops
MSRC Engineering
ConceptionConception
Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.
THE SOFTWARE VULNERABILITY ASYMMETRY PROBLEM
Defender must fix all vulnerabilities in all software – attacker wins by finding and exploiting just one vulnerability
Threats change over time – state-of-the-art in vulnerability finding and attack techniques changes over time
Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle
EXPLOIT ECONOMICS
5
Gains per use
XOpportunities to use
Cost to acquire vulnerability
+Cost to weaponize
Attacker Return -=
Desired Result: Usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable
EXPLOIT ECONOMICS
We can decrease Attacker Return if we are able to…Increase attacker investment required to find usable vulnerabilities• Remove entire classes of vulnerabilities where possible• Focus on automation to scale human efforts
Increase attacker investment required to write reliable exploits• Build mitigations that add brittleness• Make exploits impossible to write completely reliably
Decrease attacker’s opportunity to recover their investment• Shrink window of vulnerability• Fewer opportunities via artificial diversity• Enable rapid detection & suppression of exploit usage
INCREASE ATTACKER INVESTMENT REQUIRED TO FIND VULNERABILITIES
Exploit Economics Strategy – Step 1
7
EMBEDDING SECURITY INTO SOFTWARE AND CULTURE
Tactics for Vulnerability ReductionRemove entire classes of vulnerabilities • Security Tooling• Additional product features
Remove all currently findable vulnerabilities• Complete automation of tooling
• SDL tools, Threat Modeling tool• Fuzzing toolsets + ways to streamline & improve triage• Tool overlays to increase signal-to-noise and focus attention on the right code
• Verification & enforcement• Audit individual tool usage via process tools• Process tools required for SDL signoff - policy enforcement
Ongoing Process Improvements
PREVENT RELIABLE EXPLOITATION OF VULNERABILITIES
Exploit Economics Strategy – Step 2
EMBEDDING SECURITY INTO SOFTWARE AND CULTURE
Tactics to Frustrate ExploitsReduce the surface we have to defend• Attack surface reduction• Design additional product mitigations
Make remaining vulnerabilities difficult or impossible to exploit• Build mitigations that add exploit brittleness
Ongoing Process Improvements
DIGITAL COUNTERMEASURES
• Improve system survivability against exploitation of unknown vulnerabilities•Three goals:• Increase attacker requirements – e.g. must be
authenticated, local subnet only• Deterrent – no economically reliable exploit
exists•Mitigation – Break 100% reliable universal
exploits•Often must be combined together•Even when successful, the result is still impactful to the user 11
MITIGATION APPROACHES
• Utilize secrets such that guessing impairs exploit reliability• /GS: Protect stack buffers by checking random cookies
placed between them and control structures• Function Pointer Encoding
12
Utilize Knowledge Deficits
Artificial Diversity
Enforce Invariants
ASLR: Address Space Layout Randomization
Data Execute Protection (DEP)Heap & pool metadata checks SafeSEH / SEH Overwrite Protection (SEHOP)
MEMORY SAFETY MITIGATIONS ROADMAP
13
Stack
Heap / Pool
Executable Code
/GS 1.0 /GS 1.1
Heap 1.0
DEP ASLR DEP IE8
20072006200520042003
/GS 2.0
2008
/NXCOMPAT
Heap 2.0
HeapTerm
EH4 SEHOP /GS 3.0
DEP+ATL
Safe Unlinking
2009
DEP O14
2010 2011
SEHOPIE9
2013
SEHOP + HEASLR +ForceASLR IE10
Heap Rand / Hardening
2012
• Mitigations in software have evolved significantly since the release of Windows XP• Internet Explorer 10 on Windows
8 benefits from an extensive number of platform security improvements (not available to Internet Explorer 8 on Windows XP)
SOFTWARE SECURITY HAS EVOLVEDSEHOPProtected Mode Enhanced Protected Mode (EPM)Virtual Table GuardASLR Stack randomization Heap randomization Image randomization Force image randomization Bottom-up randomization Top-down randomization High entropy randomization PEB/TEB randomizationHeap hardening Header encoding Terminate on corruption Guard Pages Allocation randomization Safe unlinking Header checksums/GS Enhanced/GSSafeSEH
NoNoNoNoLimitedNoNoNoNoNoNoNoNoLimitedNoNoNoNoYesYesYesNoYes
YesYesYesYesExtensiveYesYesYesYesYesYesYesYesExtensiveYesYesYesYesYesYesYesYesYes
Windows XP SP3 Internet Explorer 8
Windows 8Internet Explorer 10
ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET) Offers security mitigations for most software
Old applications Third party software Line of business applications
Brings newer security mitigations to older platforms
Provides exclusive state of the art security mitigations to block current exploit techniques
Download the latest bits:http://www.microsoft.com/emet EMET 4.1 supported on Windows XP EMET 5.0 and later require Vista or higher
EVOLUTION OF EMET MITIGATIONS & FEATURESMitigations in v1.0• Dynamic DEP• SEHOP• NULL Page protection
Mitigations in v2.0• Mandatory ASLR• EAT Access Filtering• Heap Spray Allocation
Features added in v3.0• 3 Protection Profiles• ADMX Files for Group
Policy Management• EMET Notifier (alerts
user when mitigations were enforced)
Mitigations in v3.5• Anti-ROP mitigations:
• Caller Checks• Exec Flow Simulation
• Stack Pivot Mitigation• Load Library Checks• Memory Protection Checks
EVOLUTION OF EMET MITIATIONS (CONTINUED)Mitigations & Features in v4.0• Certificate Pinning• Early Warning Program
(telemetry via Microsoft Error Reporting)• Could be used to find
733t 0-day!• Blocks known bypasses
(deep hooks)• Updated rules to fix app-
compat issues• Audit Mode (i.e. No Kill
Mode)• Configuration Wizard
Mitigations & Features in v4.1• Updates to default
protection profiles• Improved Event Logging• App-Compat updates / fixes• Fix to allow shared remote
desktopsMitigations & Features in v5.0 (Vista+)• Attack Surface Reduction
• Preventing unwanted 3rd party modules from loading in applications
• EAF+• Adds KernelBase to
protected functions• Adds additional checks to
existing protected exports
MS13-008 – INTERNET EXPLORER CVE-2012-4792 (CBUTTON USE AFTER FREE)• 0-day vulnerability being used in limited targeted
attacks prior to bulletin release discovered by FireEye circa 12/27/2012
• Vulnerability about as bad as it gets!• Remote Code Exec vulnerability in all versions of IE
(at the time) and exploitable via a web page• Fixed by MS13-008 on 1/14/2013
http://technet.microsoft.com/en-us/security/bulletin/ms13-008 • Standard mitigations in the bulletin were• Don’t open Office documents• Set Internet zone to High (yeah right)• Disable Active Scripting and ActiveX controls
(yeah right)
DEMONSTRATION - EMET VS. MS13-008CVE-2012-4792 (CBUTTON UAF)
A ‘watering hole’ attack from www.issa-balt.org
DEMONSTRATION
RECENT EMET RELATED DEVELOPMENTS• ATTACKERS VS. EMET IN THE NEWS• February 11th
• SECURITY COMPANY VS. EMET IN THE NEWS• February 24th
• MICROSOFT VS. EMET IN THE NEWS• February 25th
THIS EXPLOIT ATTEMPT WILL SELF-DESTRUCT . . .
THIS AIN’T A SCENE IT’S A @#$% ARMS RACE• On February 24th Bromium Labs claimed to be able to
bypass all EMET 4.1 mitigations leading to a big press cycle during the RSA conference
• They discussed ways of bypassing the various ROP mitigations individually, and a way of bypassing the StackPivot mitigation.
• They created an exploit payload that made use of many of their discoveries but that eventually needed to call NtProtectVirtualMemory (an API that is only protected when ‘Deep Hooks’ is enabled)• They noted Deep Hooks was not enabled by default so this was
convenient for them.• So EMET 5.0 will enable Deep Hooks by default!
• This required working with some vendors (McAfee HIPS) to wait for updated versions of their products to be released.
• Bottom Line – EMET is not invincible but it does raise the bar for adversaries and Microsoft is committed to investigating new bypasses and addressing them in future versions of EMET if possible.
OH NOZ!!! THE END IS NEAR! (0-DAY MAY)• On April 8, 2014, Windows XP will no longer be
supported by Microsoft. This means customers will no longer receive:
New security updatesNon-security hotfixesFree or paid assisted support options Online technical content updates
• New vulnerabilities discovered after support ends for Windows XP will not be addressed without an expensive custom support agreement
• If only there was something inexpensive that you could do to protect all those un-patched Windows XP boxes from exploit attempts.
CALL TO ACTION• Follow the Security Research and Defense blog to stay on stop of the latest
trends in security research and defense!• http://blogs.technet.com/b/srd/
• Keep an eye on www.microsoft.com/emet for updates and announcements• Evaluate and Deploy EMET 4.1 (XP+) now or EMET 5.0 (Vista+) when it releases.• Protect critical applications such as Internet Explorer, Firefox, Office, Adobe
Acrobat etc• Monitor for EMET related events in the event log using System Center or other
Enterprise monitoring software to spot 733t 0-day attempts (that don’t detect EMET and self-destruct! )• Support: http://
social.technet.microsoft.com/Forums/security/en-US/home?forum=emet