Page 1: Enhanced Mitigation Experience Toolkit “EMET” v. 4.0

A quick walk through the capabilities, configuration and practice of EMET v. 4.0

By Friedwart Kuhn – [email protected]

www.ernw.de

7/1/2013 #1

Page 2: Motivation

¬ Computer systems are consistently vulnerable.

¬ Even a fully patched Windows with standard software like Internet Explorer, Adobe Reader, and Adobe Flash (not speaking of Java ;-) has been constantly vulnerable (see [1] and [2]).

¬ How do you cope with this ;-)?

Page 3: Agenda

¬ What is EMET?

¬ Requirements

¬ Mitigation Capabilities & Configuration

¬ Enterprise Use

¬ Caveats

¬ Experience and Tips From the Field

¬ Demo

Page 4: What is EMET?

¬ Free software from Microsoft that runs on top of Windows operating systems.

¬ A software security layer that helps to prevent memory corruption vulnerabilities in operating system and application software from being successfully exploited.

¬ This software (EMET) integrates mitigations against common exploitation technologies.

Page 5: What is EMET not?

¬ It is not a kind of antivirus
  Does not work signature based.
  Relies on / checks for “correct” runtime behaviour of the process / program it protects.

¬ It is not “bullet proof” against every kind of exploitation, but it makes it more difficult to exploit memory corruption vulnerabilities.

Page 6: EMET Runs On… & Requires…

¬ Client Operating Systems
  Windows XP Service Pack 3 and above
  Windows Vista Service Pack 1 and above
  Windows 7, all service packs
  Windows 8

¬ Server Operating Systems
  Windows Server 2003 Service Pack 1 and above
  Windows Server 2008, all service packs
  Windows Server 2008 R2, all service packs
  Windows Server 2012

¬ Software Requirements
  .NET Framework 4.0
  Compatibility Update for Windows 8 / Server 2012: KB 2790907

Page 7: EMET Mitigation Capabilities

¬ System Wide Mitigation Capabilities
  Depend on the operating system (capabilities); see [3].

Page 8: EMET Mitigation Capabilities

¬ System Wide Mitigation Capabilities
  Example on a Windows 7 system: default configuration of EMET.

Page 9: EMET Mitigation Capabilities

¬ Parameter Settings for System Wide Configuration

  Setting     Description
  OptIn       Default configuration of the operating system. Only system binaries that support the parameter are protected by it.
  OptOut      The setting is applied to all processes, whether they support it or not. The user / administrator may define a list of excluded applications / processes.
  Always On   Like OptOut, but without the possibility to define exceptions.
  Disabled    The parameter is disabled system wide, i.e. no process / application is protected by this setting.

Page 10: EMET Application Mitigation Capabilities

Table: availability of the application mitigations per platform (columns: XP / Server 2003; Vista / Server 2008, Win7 / Server 2008 R2, Win8 / Server 2012) for DEP, SEHOP, Mandatory ASLR, NULL Page, Heap Spray, EAF, Bottom-up, Load library checks, Memory protection checks, Simulate execution flow and Stack pivot.

Page 11: EMET Application Mitigation Capabilities

¬ 32 bit vs. 64 bit processes (see [3])

Page 12: Application Configuration

Default protection profile for installed applications:

New applications are simple to add and to configure.

Page 13: Application Compatibility List

Maintained by Microsoft (see [3]).

Page 14: Certificate Trust

¬ Certificate trust protects against MiTM via fraudulent certificates.
  A new feature of EMET v. 4.0.

Page 15: Fraudulent Certificates have been issued…

Page 16: Certificate Trust via EMET

¬ Thus, EMET protects websites (certificates) through “pinning rules”.

Via “certificate trust”, EMET defines (“pins”) a trust chain between the domain name of a website (and its associated certificate) and a root CA certificate.

If a user visits the website with Internet Explorer, Internet Explorer verifies the trust chain for the certificate of the website up to the root CA certificate according to the shell validation model.

If that root CA certificate differs from the root CA certificate configured via EMET, a warning message is displayed.

Page 17: Per default protected websites

Page 18: Default pinning rules

Pinning rule for login.live.com: 4 certificates are pinned (and are thereby the valid root CA certificates) for the certificate of login.live.com.

Page 19: Certificate trust in action

With a false root CA certificate pinned to login.live.com, EMET shows a warning and logs it to the application event log.

EMET does the same in case of a fraudulent website protected by EMET with the certificate trust feature, even if the address bar in the browser indicates that the website is OK!
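The pinning decision described on pages 16 to 19, written out as an added Python example (not EMET's code and not its configuration format): a rule maps a website domain to the thumbprints of the root CA certificates the site may chain to, and a chain the browser has already validated is accepted only if its root is among them; the rule model, the constant names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Optional, Set

def thumbprint(der_cert: bytes) -> str:
    """Windows-style certificate thumbprint: SHA-1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(der_cert).hexdigest().upper()

# Pinning rule model (hypothetical, not EMET's XML format): website domain -> thumbprints
# of the root CA certificates allowed to terminate the chain for that site (page 18:
# four roots are pinned for login.live.com).
PinningRules = Dict[str, Set[str]]

def check_certificate_trust(rules: PinningRules, hostname: str,
                            chain_der: List[bytes]) -> Optional[dict]:
    """Re-implements the decision described on the slides, not EMET's own code.
    chain_der is the chain the browser has already validated, leaf first, root CA last.
    Returns None when no rule covers the host, otherwise an event-style record."""
    pinned = rules.get(hostname.lower())
    if pinned is None:
        return None                       # site is not protected: EMET stays silent
    if len(chain_der) < 2:
        raise ValueError("a validated chain needs at least a leaf and a root")
    # Only the root of the chain is compared. Intermediate CAs cannot be pinned
    # (page 26 caveat), so a changed intermediate under a pinned root passes silently.
    root_tp = thumbprint(chain_der[-1])
    ok = root_tp in pinned
    return {"host": hostname, "root_thumbprint": root_tp,
            "result": "trusted" if ok else "WARNING: root CA differs from pinned root CA",
            "log_to_application_event_log": not ok}

# Constructed sample "certificates": opaque byte strings standing in for DER blobs.
ROOT_A = b"constructed DER: root CA A"
ROOT_B = b"constructed DER: root CA B"
ROGUE_ROOT = b"constructed DER: fraudulent root CA"
INTERMEDIATE_1 = b"constructed DER: intermediate CA 1"
INTERMEDIATE_2 = b"constructed DER: intermediate CA 2"
LEAF = b"constructed DER: login.live.com leaf"

RULES: PinningRules = {"login.live.com": {thumbprint(ROOT_A), thumbprint(ROOT_B)}}

def scenarios() -> Dict[str, Optional[dict]]:
    """The cases from pages 19/20 plus the two edge cases the caveats imply."""
    return {
        "legit": check_certificate_trust(RULES, "login.live.com", [LEAF, INTERMEDIATE_1, ROOT_A]),
        "fraudulent_root": check_certificate_trust(RULES, "login.live.com", [LEAF, INTERMEDIATE_1, ROGUE_ROOT]),
        "swapped_intermediate": check_certificate_trust(RULES, "login.live.com", [LEAF, INTERMEDIATE_2, ROOT_B]),
        "unprotected_site": check_certificate_trust(RULES, "example.org", [LEAF, ROGUE_ROOT]),
    }
```

Run `scenarios()` to see the four records; only the fraudulent-root case produces the warning that EMET would also write to the application event log.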

Page 20: A false root CA certificate was pinned to login.live.com:

Page 21: Enterprise Wide Use

¬ Enterprise rollout and configuration are feasible with low operational effort ;-)

¬ Enterprise Rollout
  .msi package available
  Enterprise rollout via SCCM (2007 or higher) or 3rd party software distribution

¬ Enterprise Wide Configuration via Group Policies

Page 22: Enterprise Wide Configuration via GPO

Page 23: Caveats (System Settings)

¬ DEP
  Is not supported on all systems, but the option is always available for configuration (=> the option has no effect there).
  Configuring the system setting for DEP changes a boot option for Windows. BitLocker will require the recovery key…

¬ ASLR
  The option AlwaysOn is per default not visible / configurable in the GUI, because some 3rd party video drivers crash with ASLR enabled (bluescreen during boot).

¬ SEHOP
  On Windows 7 (and above) SEHOP is implemented by the operating system. When the OS detects and mitigates, no message is displayed (because it is done by the OS and not by EMET).

Page 24: Caveats (Application Settings)

¬ Virtualized Applications Not Supported
  No support for ThinApp
  No support for App-V

¬ EMET’s Reporting Features Only Available for Desktop Applications

¬ SEHOP
  Various applications on Windows Vista and above are not compatible with EMET’s SEHOP. In this case it is advisable to disable SEHOP in EMET and use the system mitigation’s SEHOP instead: configure the system mitigation SEHOP to Applications Opt-Out.

Page 25: Caveats (Application Settings)

¬ DEP
  Same as for system settings.

¬ EAF
  Systems configured with the /debug boot option need to have a debugger attached when running EAF enabled applications. If the /debug boot option is enabled and a debugger is not attached, the system will become unresponsive when an application with EAF enabled starts.
  EAF mitigation should not be applied to: programs and libraries that use packers or compressors, DRM or software with anti-debugging code, debuggers, and security software such as antivirus, sandboxes, firewalls, etc.

¬ Mandatory ASLR
  EMET’s mitigations only become active after the address space for the core process and its static dependencies has been set up. Mandatory ASLR does not force address space randomization on any of these. The main focus of Mandatory ASLR is to protect dynamically linked modules, such as plug-ins.

Page 26: Caveats (Certificate Trust)

¬ Certificate Trust
  Pinning rules are not configurable via GPO; instead, a .xml configuration file may be exported / imported.
  Not available in the Modern Internet Explorer app on Windows 8. To enable this feature, “Certificate Trust (Pinning)” must be enabled and the iexplore.exe process must be added to the list of protected applications.
  Intermediate root CAs are currently not supported.

Page 27: Experience and Tips from the Field

¬ Experience
  Clear security benefit against 0-day exploits which use attack vectors that may be mitigated by EMET.
  Clear security benefit with certificate trust against fraudulent CAs.
  Good overall compatibility.
  Quick response from Microsoft if a compatibility problem occurs.

Page 28: Experience and Tips from the Field

¬ Tips
  Use / deploy EMET ;-)
  Use EMET at least with the recommended default protection profile.
  Refer to the compatibility list provided by Microsoft before implementing an application with EMET.
  Use a test environment for applications not yet tested with EMET.
  EAF and SEHOP are the mitigations most likely to cause application compatibility issues => test the application in question without one or both of these mitigations.

Page 29: DEMO

Attacking a fully patched Windows 7 machine through a vulnerability in Firefox

Page 30: Cited sources

¬ [1] http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_English.pdf

¬ [2] http://www.rationallyparanoid.com/articles/consistently-vulnerable-systems.html

¬ [3] EMET Software + User Guide: http://www.microsoft.com/en-us/download/details.aspx?id=39273

Page 31: For more Information…

¬ … and practical Tips on Information Security see:
  our Blog: www.insinuator.net
  our Conference: www.troopers.de
  our Website: www.ernw.de