Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling).
SEHOP
This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With this protection in place, the msvidctl exploit we already blogged about (http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx) would have failed.
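As an added illustration (not code from the EMET release or from the SRD post), here is a small C model of the chain walk SEHOP performs before any handler is called. The record layout, the simulated stack, the final_exception_handler stand-in and the exact validation rules are assumptions made for this example; the real check lives in ntdll and runs at exception-dispatch time, and Windows terminates the chain with 0xFFFFFFFF, which CHAIN_END stands in for here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an x86 SEH registration record. The "next" link and the handler
 * pointer sit side by side on the stack, which is why a single stack overflow
 * can overwrite both. Constructed for this example; it mirrors the real layout. */
typedef struct seh_record {
    struct seh_record *next;   /* record further up the stack; CHAIN_END terminates */
    void (*handler)(void);     /* handler the dispatcher would call */
} seh_record;

#define CHAIN_END ((seh_record *)(uintptr_t)-1)   /* stands in for 0xFFFFFFFF */

/* Stand-ins for the well-known terminal handler that ntdll installs and for an
 * ordinary per-frame handler. Both are constructed for this example. */
void final_exception_handler(void) {}
void frame_handler(void) {}

/* SEHOP-style walk, simplified from the SRD description: every record must lie
 * inside the thread's stack, be pointer aligned and link strictly upward, and the
 * chain must end at CHAIN_END with the known final handler in the last record.
 * Returns 1 when the chain passes, 0 when it looks overwritten. */
int sehop_validate(const seh_record *head, const void *stack_lo,
                   const void *stack_hi, void (*final_handler)(void))
{
    uintptr_t lo = (uintptr_t)stack_lo, hi = (uintptr_t)stack_hi;
    uintptr_t prev = 0;
    const seh_record *rec = head;

    while (rec != CHAIN_END) {
        uintptr_t addr = (uintptr_t)rec;
        if (addr < lo || addr + sizeof *rec > hi)
            return 0;                  /* record is not on the stack */
        if (addr % sizeof(void *) != 0)
            return 0;                  /* misaligned record */
        if (addr <= prev)
            return 0;                  /* cycle or downward link */
        if (rec->next == CHAIN_END)
            return rec->handler == final_handler;
        prev = addr;
        rec = rec->next;
    }
    return 0;                          /* chain ended without the final handler */
}

/* Simulated thread stack; deeper frames sit at lower indices, as on x86. */
static seh_record sim_stack[256];

/* Lay out a three-record chain the way successive frames would have pushed it. */
static seh_record *build_chain(void)
{
    seh_record *r0 = &sim_stack[16], *r1 = &sim_stack[64], *r2 = &sim_stack[200];
    r2->next = CHAIN_END; r2->handler = final_exception_handler;
    r1->next = r2;        r1->handler = frame_handler;
    r0->next = r1;        r0->handler = frame_handler;
    return r0;
}

/* Intact chain: the walk reaches the final handler. Expected result 1. */
int demo_intact(void)
{
    seh_record *head = build_chain();
    return sehop_validate(head, sim_stack, sim_stack + 256, final_exception_handler);
}

/* Overwritten chain: an overflow has replaced the first record's "next" link
 * with a value that is not a stack address. The walk rejects the chain before
 * any handler runs. Expected result 0. */
int demo_overwritten(void)
{
    static seh_record not_on_stack;    /* constructed stand-in for an off-stack address */
    seh_record *head = build_chain();
    head->next = &not_on_stack;
    return sehop_validate(head, sim_stack, sim_stack + 256, final_exception_handler);
}

int main(void)
{
    printf("intact chain      : %d\n", demo_intact());
    printf("overwritten chain : %d\n", demo_overwritten());
    return 0;
}
```

The point of the model is that the dispatcher only trusts a handler it can reach by walking from the current frame to the known terminal record; a corrupted link anywhere on the way fails the whole chain, so the record that was overwritten never gets a chance to run.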
Data Execution Prevention (DEP) is a memory protection mitigation that marks portions of a process’ memory non-executable. This makes it more difficult for an attacker to exploit memory corruption vulnerabilities. For more information on what DEP is and how it works, take a look at the two-part SRD blog available at http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx and http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx.
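To show what DEP actually enforces, here is an added example in C (not from the page or from Microsoft) for a Linux system whose CPU supports NX. It copies a benign leaf routine into a freshly mapped page and calls the copy, once with the page left read/write and once after marking it read/execute. The processor refuses to fetch instructions from the non-executable page, which is the behaviour DEP builds on; the signal handler only turns that access violation into a return value. run_from_fresh_page, forty_two and CODE_BYTES are names chosen for this example.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { DEP_BLOCKED = -1, DEP_SETUP_FAILED = -2 };
#define CODE_BYTES 48   /* more than enough for the leaf routine below */

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting call */
}

/* Benign leaf routine whose machine code gets copied into a fresh page. It
 * only loads a constant and returns, so the copy is position independent. */
static int forty_two(void) { return 42; }

/* Map one anonymous page, copy forty_two into it and call the copy.
 * executable == 0 leaves the page read/write, which is how DEP treats data;
 * executable != 0 marks it read/execute, the way a legitimate JIT would.
 * Returns 42 if the copy ran, DEP_BLOCKED if the CPU refused to fetch
 * instructions from the page, DEP_SETUP_FAILED if the mapping failed. */
int run_from_fresh_page(int executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return DEP_SETUP_FAILED;

    /* Copy the routine's bytes; the cast through uintptr_t is how C lets us
     * read code as data. */
    const unsigned char *src = (const unsigned char *)(uintptr_t)forty_two;
    for (size_t i = 0; i < CODE_BYTES; i++)
        page[i] = src[i];
    __builtin___clear_cache((char *)page, (char *)page + CODE_BYTES);  /* needed on ARM */

    if (executable && mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return DEP_SETUP_FAILED;
    }

    /* Catch the access violation so the demo can report it instead of dying. */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        void *p = page;
        memcpy(&fn, &p, sizeof fn);      /* object pointer -> function pointer */
        result = fn();                   /* faults here when the page is not executable */
    } else {
        result = DEP_BLOCKED;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    printf("read/write page   : %d\n", run_from_fresh_page(0));   /* DEP_BLOCKED (-1) */
    printf("read/execute page : %d\n", run_from_fresh_page(1));   /* 42 */
    return 0;
}
```

Build it with an ordinary gcc or clang invocation. On a machine with NX disabled the first call would also return 42, which is precisely the gap DEP closes: data a program wrote into memory, whether by design or because of a memory corruption bug, cannot be run unless the page was explicitly made executable.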
NULL page allocation
This mitigation blocks attackers from being able to take advantage of NULL dereferences in user mode. It functions by allocating the first page of memory before the program starts. Right now the exploitation techniques for these types of vulnerabilities are only theoretical. However, this mitigation will protect you even if that changes. Please note this protection does not impact kernel mode NULL dereferences as the current version of EMET only supports user mode mitigations.
Heap spray allocation
Heap spraying is an attack technique that involves filling a process’ heap with specially crafted content (typically including shellcode) to aid in exploitation. Right now, many attackers rely on their content being placed at a common set of memory addresses. This mitigation is designed to pre-allocate those memory addresses and thus block these common attacks. Please note that it only aims to break current exploits that take advantage of these common addresses. It is not a general mitigation for the larger heap spraying attack. That said, if attackers do change the addresses they use, EMET users can change the addresses
Certainly interesting stuff from MS.
Read more: http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx