The Enhanced Mitigation Experience Toolkit 2.0

Hi Folks,
today, from a Quality INN in Monterey I wanna point out the new Microsoft's Buffer Overflow mitigation tool called: EMET 2.0.

For those who may be unfamiliar with the tool, EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications. This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited. By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products. In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.

EMET2.0 provides:

SEHOP (Structure Exception Handler Overwrite Protection ). Without SEHOP an attacker can overwrite, with a controlled value, the handler pointer of an exception record on the stack.

DEP (Dynamic Data Execution Prevention). Without DEP an attacker can attempt to exploit a vulnerability by jumping to shellcode at a memory location where attacker controlled data resides such as the heap or stack.

HAP (Heapspray Allocation Prevention). When an exploit runs, it often cannot be sure of the address where its shellcode resides and must guess when taking control of the instruction pointer. To increase the odds of success, most exploits now use heapspray techniques to place copies of their shellcode at as many memory locations as possible. HAP prevents this hunting technique.

NPA (Null Page Allocation).This is similar technology to the heap spray allocation, but designed to prevent potential null dereference issues in user mode.

Last but not least ASLR (Address Space Layout Randomization) . Without ASLR attackers can take advantage of a predictable mapping of those dlls and could use them in order to bypass DEP though a known technique called return oriented programming (ROP).

All these "patches" against BOF attack are very good tries, but do they really stop attackers to compromise systems ? Well, the answer it's easy... nope. But at least having EMET2.0 installed and configured on your box it's a good way to block poor implemented (or not so sofisticate) BOF attacks.