Microsoft Enhanced Mitigation Experience Toolkit (EMET) is a piece of software installed on the operating system and it makes it very difficult to exploit a vulnerability on a system or software. It provides the capability of preventing different exploitation techniques on the operating system or software level when security patch for the faulty software is not released. The benefits of using EMET are as follows:
- It is very easy to use and does not include any complicated processes.
- In order to prevent an operating system or software from exploitation, there is no need for the source code of the software and all it takes is to install and configure EMET before or after the faulty software is installed.
- EMET can be configured for all the operating system components, processes and drivers and also individual applications and softwares installed on the operating system.
- It can also work with legacy software and applications that exist in an organization’s infrastructure and cannot be easily phased out.
There are two types of settings on EMET which can be configured to provide mitigation:
- System Settings: These settings will apply to the whole operating system and its components and drivers.
- Application Settings: These settings will apply to specific applications installed on the operating system.
There are three different types of mitigation techniques that can be configured at this level:
Dynamic Data Execution Prevention (DEP)
DEP will prevent the execution of code in those parts of the memory not labeled as executable. This feature which has been around since Windows XP SP2 will prevent such execution using the capability of CPU to enforce “No Execute” or “Execute Disable Bit” for a specific page in memory. There are four configuration modes for DEP:
- Disabled: In this mode, DEP is by default disabled for all processes and applications.
- Application Opt In: In this mode, DEP is enabled for processes and applications that are manually set to use it.
- Application Opt Out: In this mode, DEP is enabled for all processes and applications except for the ones which are manually set not to use it.
- Always On: In this mode, DEP is always enabled for all the processes and applications regardless of whether they are compatible with DEP or not.
Structure Exception Handler Overwrite protection (SEHOP)
The exception handler function pointer can be overwritten by an attacker. This means an attacker can run malicious codes by giving control to EstablisherFrame that the exception dispatcher passes as the second parameter when an exception handler is called. The address of the exception registration record is controlled by attacker and held by the EstablisherFrame. EMET will do a validation of the exception record chain before an exception handler is called. If there is a problem with the chain, the process will be stopped by EMET before any handler is called.
Mandatory Address Space Layout Randomization (ASLR)
Hackers usually make guesses about the address space layout of a process when coding an exploit program for a certain software vulnerability. For instance, they will assume that a specific part of the software will be loaded at an address and that readable/writable memory address will be the same on all PCs. ASLR helps to make the address space layout of a process unknown to a hacker who only has remote access to the machine. This will stop the hacker from placing their own malicious code in loaded parts of the software. For SEHOP and ASLR, there are only two modes of configuration:
- Application Opt In: In this mode, SEHOP and ASLR are enabled for processes and applications that are manually set to use it.
- Application Opt Out: In this mode, SEHOP and ASLR are enabled for all processes and applications except for the ones which are manually set not to use it.
Using configuration profiles for system settings, you can apply certain default settings for the three configuration modes. There are two configuration profiles with details as follow:
- Maximum Security Settings: In this profile, the configuration modes are set to the following:
- DEP: Always On
- SEHOP: Application Opt Out
- ASLR: Application Opt I
- Recommended Security Settings: In this profile, the configuration modes are set to the following:
- DEP: Application Opt In
- SEHOP: Application Opt In
- ASLR: Application Opt In
There are seven types of exploitation mitigation techniques that can be prevented per application on EMET:
- Dynamic Data Execution Prevention (DEP): Systems can be easily exploited if an intruder can overflow the stack and access a specific memory location to execute commands. The memory addresses in the stack marked as executable can be used maliciously by an attacker to execute codes and gain even full access to the system. EMET will use DEP to mark the stack as non-executable and it will be no more possible to run malicious codes from these regions in the memory.
- Structure Exception Handler Overwrite protection (SEHOP): This mitigation technique was explained in the system settings section.
- NullPage Allocation: Using this mitigation technique the first memory page is occupied before the program is started and therefore attackers can no more use NULL references.
- HeapSpray Protection: HeapSpray is a technique to overwrite in-memory data. It works with putting data into specific parts of the memory so that luckily some useful code is placed into a memory space by the spray and is then executed. EMET will protect the system against this technique by pre-allocating common memory spaces.
- Export Address Table Address Filtering (EAF): This technique prevents access to the Export Address Table (EAT), which could possibly lead to read/write access depending on the code being called.
- Mandatory ASLR: Similar to ASLR which was described in the system settings section, Mandatory ASLR enforces ASLR for all the existing chapters regardless of whether they support it.
- BottomUpASLR: This has almost the same mechanism as the real ASLR, the only benefit is that the base address changes every time the program is run, in comparison with real ASLR which requires a reboot.
- Export Address Table Access Filtering Plus (EAF+): The EAF+ mitigation is an extension of EAF that can be used with or without EAF itself. Listed below are the actions performed by this mitigation technique:
- Checks if the stack register is within the permitted boundaries
- Checks for differences between the stack and frame pointer registers
- Detects any attempt to export table pointers of KERNEL32, NTDLL and KERNELBASE
- Detects read attempts on the MZ/PE header of specific chapters
- Bottom-up randomization: Using this mitigation technique, the base address of bottom-up allocations is randomized. This only works once EMET starts up this type of protection and it does not work for older allocations
- ROP mitigations: Return Oriented Programming (ROP) techniques can be mitigated using different methods by EMET. Attackers use ROP to exploit the system when other mitigation techniques are preventing other types of exploitation. This attack is performed by using snippets of code which are already available in the memory region of the target application. The following is a high-level description of the available ROP mitigations. The ROP mitigation techniques provided by EMET are available and applicable to 32-bit, and only some of them are available and applicable to 64-bit processes.
- Load library checks: Access to LoadLibrary API is monitored using EMET and it stops loading libraries from UNC path. This technique can be disabled for specific applications which require access to DLLs using UNC paths.
- Memory protection checks: The stack area can be marked as non-executable using EMET and therefore shellcodes and ROP gadgets cannot use the stack to execute malicious commands. This is available for both 32 and 64 bit processes.
- Caller checks: EMET prefers a CALL instruction than a RET when reaching a critical function. This can help with stopping many ROP gadgets but this however is only available for 32 bit processes and may not be compatible with some applications.
- Simulate execution flow: detection of ROP gadgets is made possible using this mitigation technique. This technique may not be compatible with some applications and it is only available for 32 bit processes.
- Stack pivot: This technique will check whether the stack is pivoted and also checks if the stack register is available in specific APIs context structure. This technique works with most applications and is available for both 32 and 64 bit processes.
- Attack Surface Reduction (ASR): This technique reduces the attack surface in applications by blocking unnecessary chapters or parts of the application. For instance, EMET can prevent Microsoft Office applications from running Adobe Reader plugin and therefore blocking specific DLLs from loading for certain processes.
Enhanced Mitigation Experience Toolkit provides protection against man-in-the-middle attacks in the process of certificate chain trust validation when a user visits a website providing an SSL certificate. You can create pinning rules using EMET which validate the issued SSL certificate as well as the issuing Root Certificate Authority (CA) to ensure about their legitimacy.
When the user opens a website which provides an SSL certificate, EMET checks the subject name (CN) in the certificate with the website name configured in the pinning rules and in case there is a match, it checks the issuing Root CA mentioned in the SSL certificate with the Root CA selected by the user in the corresponding pinning rule and if there is a mismatch, it will reject the certificate and therefore block the connection to the website.
If you are interested in security and you want more of these detailed step-by-step guides, you could have a look at my recently published ebook by clicking on the book cover below: