USING EMET TO DEFEND AGAINST TARGETED ATTACKSPRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATIONMICHAEL MATTES – SENIOR CONSULTANT – MICROSOFT CORPORATION

WHO WE ARE

• Robert Hensing• 15 year Microsoft employee• TWC alum

• 5 year tour in MSRC Engineering – Defense team• Currently Developer Consultant in National Security Group practice

• Michael Mattes• XX year Microsoft employee• Infrastructure consultant in NSG etc.

TRUSTWORTHY COMPUTING - SECURITY CENTERS

Protecting Microsoft customers throughout the entire life cycle(in development, deployment and operations)

Microsoft Security

Engineering Center (MSEC)

Security Assurance

Security Science

SDL

Microsoft Malware Protection Center

(MMPC)ReleaseRelease

Product Life CycleProduct Life Cycle

Microsoft Security

Response Center(MSRC)Ecosystem

StrategyMSRC Ops

MSRC Engineering

ConceptionConception

Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.

THE SOFTWARE VULNERABILITY ASYMMETRY PROBLEM

Defender must fix all vulnerabilities in all software – attacker wins by finding and exploiting just one vulnerability

Threats change over time – state-of-the-art in vulnerability finding and attack techniques changes over time

Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle

EXPLOIT ECONOMICS

5

Gains per use

XOpportunities to use

Cost to acquire vulnerability

+Cost to weaponize

Attacker Return -=

Desired Result: Usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable

EXPLOIT ECONOMICS

We can decrease Attacker Return if we are able to…Increase attacker investment required to find usable vulnerabilities• Remove entire classes of vulnerabilities where possible• Focus on automation to scale human efforts

Increase attacker investment required to write reliable exploits• Build mitigations that add brittleness• Make exploits impossible to write completely reliably

Decrease attacker’s opportunity to recover their investment• Shrink window of vulnerability• Fewer opportunities via artificial diversity• Enable rapid detection & suppression of exploit usage

INCREASE ATTACKER INVESTMENT REQUIRED TO FIND VULNERABILITIES

Exploit Economics Strategy – Step 1

7

EMBEDDING SECURITY INTO SOFTWARE AND CULTURE

Tactics for Vulnerability ReductionRemove entire classes of vulnerabilities • Security Tooling• Additional product features

Remove all currently findable vulnerabilities• Complete automation of tooling

• SDL tools, Threat Modeling tool• Fuzzing toolsets + ways to streamline & improve triage• Tool overlays to increase signal-to-noise and focus attention on the right code

• Verification & enforcement• Audit individual tool usage via process tools• Process tools required for SDL signoff - policy enforcement

Ongoing Process Improvements

PREVENT RELIABLE EXPLOITATION OF VULNERABILITIES

Exploit Economics Strategy – Step 2

EMBEDDING SECURITY INTO SOFTWARE AND CULTURE

Tactics to Frustrate ExploitsReduce the surface we have to defend• Attack surface reduction• Design additional product mitigations

Make remaining vulnerabilities difficult or impossible to exploit• Build mitigations that add exploit brittleness

Ongoing Process Improvements

DIGITAL COUNTERMEASURES

• Improve system survivability against exploitation of unknown vulnerabilities•Three goals:• Increase attacker requirements – e.g. must be

authenticated, local subnet only• Deterrent – no economically reliable exploit

exists•Mitigation – Break 100% reliable universal

exploits•Often must be combined together•Even when successful, the result is still impactful to the user 11

MITIGATION APPROACHES

• Utilize secrets such that guessing impairs exploit reliability• /GS: Protect stack buffers by checking random cookies

placed between them and control structures• Function Pointer Encoding

12

Utilize Knowledge Deficits

Artificial Diversity

Enforce Invariants

ASLR: Address Space Layout Randomization

Data Execute Protection (DEP)Heap & pool metadata checks SafeSEH / SEH Overwrite Protection (SEHOP)

MEMORY SAFETY MITIGATIONS ROADMAP

13

Stack

Heap / Pool

Executable Code

/GS 1.0 /GS 1.1

Heap 1.0

DEP ASLR DEP IE8

20072006200520042003

/GS 2.0

2008

/NXCOMPAT

Heap 2.0

HeapTerm

EH4 SEHOP /GS 3.0

DEP+ATL

Safe Unlinking

2009

DEP O14

2010 2011

SEHOPIE9

ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET) Offers security mitigations for most

software Old applications Third party software Line of business applications

Brings newer security mitigations to older platforms

Provides exclusive security mitigations to block current exploit techniques

EVOLUTION OF EMET MITIGATIONSMitigations in v1.0• Dynamic DEP• SEHOP• NULL Page protection

Mitigations in v2.0• Mandatory ASLR• EAT Access Filtering• Heap Spray Allocation

Mitigations in v3.0• 3 Protection Profiles• ADMX Files for Group

Policy Management• EMET Notifier (alerts

user when mitigations were enforced)

Mitigations in v3.5• Anti-ROP mitigations:

• Caller Checks• Exec Flow Simulation

• Stack Pivot Mitigation• Load Library Checks• Memory Protection Checks

MS12-037 – INTERNET EXPLORER CVE-2012-1875 (SAME ID)• 0-day vulnerability being used in limited targeted

attacks prior to bulletin release.• Vulnerability about as bad as it gets!• Remote Code Exec vulnerability in all versions of IE

(at the time) and exploitable via a web page• Fixed by MS12-037 - http://

technet.microsoft.com/en-us/security/bulletin/ms12-037• Standard mitigations in the bulletin were• Don’t open Office documents• Killbit the AX control in IE

EMET VS. MS12-037 - CVE-2012-1875 (SAME ID)

CALL TO ACTION

• Follow the Security Research and Defense bloghttp://blogs.technet.com/b/srd/ • Evaluate and Deploy EMET v3.5 or newer • Protect critical applications such as Internet Explorer, Firefox, Office,

Adobe Acrobat etc

• Monitor for EMET related events in the event log using System Center or other Enterprise monitoring software

DEPLOYMENT AND MANAGEMENT VIA GROUP POLICY