Microsoft today launched a security toolkit preview that includes anti-exploit technologies created by one of the three finalists in the company's $250,000 BlueHat Prize contest.
Enhanced Mitigation Experience Toolkit (EMET) 3.5 features new defenses inspired by finalist Ivan Fratric, a researcher at the University of Zagreb in Croatia. The other finalists are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor, and Vasilis Pappas, a Ph.D. student at Columbia University.
Microsoft will announce the winners late Thursday at the Black Hat security conference, which kicked off today in Las Vegas and wraps up tomorrow.
"If nothing else the EMET update shows they are committed to taking these ideas and acting on them," said Andrew Storms, director of security operations at nCircle Security, in a Wednesday interview conducted via instant messaging.
EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications.
The toolkit is often used to harden older programs and has also been recommended by Microsoft as stop-gap protection. In March 2011, for example, Microsoft told Office customers to run EMET to fend off zero-day attacks until Adobe patched a bug in Flash.
The new EMET, which Microsoft dubbed a "technology preview" to hammer home that the utility wasn't ready for production use, includes five new settings designed to stymie "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP.
Many advanced exploits rely on ROP to do their tricks, and the technique has been called the "most pressing attack vector" now facing Windows.
For his BlueHat Prize submission, Fratric created "ROPGuard," a technology that checks each critical function call to determine if it's legitimate.
In an interview last month, Fratric explained ROPGuard.
"Unless [the attacker] wants the attack to stay confined in the current process, [he or she] will need to call some 'special' functions to leverage the attack," Fratric said. "The attacker will need to call these functions from the ROP code, either directly or indirectly, and that makes these functions an ideal place to check if the attack is taking place or not."
Microsoft based the anti-ROP settings in EMET on Fratric's work.
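To illustrate the kind of check made at a critical function's entry, here is an added sketch that is not code from ROPGuard or EMET. It assumes two checks described in the published ROPGuard design: the stack pointer must lie inside the thread's stack, and the return address must follow a call instruction. The struct, function names, addresses and sample bytes are constructed for the example, and only a subset of x86 call encodings is recognized.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts a guard hooked at the entry of a critical function could return. */
enum verdict { CALL_OK = 0, STACK_PIVOT = 1, NOT_CALL_PRECEDED = 2 };

/* Hypothetical snapshot of what the guard sees at function entry. */
struct entry_state {
    uintptr_t sp, stack_lo, stack_hi; /* stack pointer and thread stack bounds */
    const uint8_t *code;              /* executable region holding the caller */
    size_t code_len;
    size_t ret_off;                   /* return address as an offset into code */
};

/* Constructed sample: nop; call rel32; test eax,eax; pop ecx; ret */
static const uint8_t SAMPLE_CODE[] = {
    0x90, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x85, 0xC0, /* offset 6 follows the call */
    0x59, 0xC3                                      /* offset 8 has no call before it */
};

/* True if the bytes ending at ret encode an x86 CALL (subset of encodings). */
static int preceded_by_call(const uint8_t *c, size_t len, size_t ret)
{
    if (ret > len) return 0;
    if (ret >= 5 && c[ret - 5] == 0xE8) return 1;                       /* call rel32 */
    if (ret >= 6 && c[ret - 6] == 0xFF && c[ret - 5] == 0x15) return 1; /* call [disp32] */
    if (ret >= 2 && c[ret - 2] == 0xFF && (c[ret - 1] & 0xF8) == 0xD0) return 1; /* call reg */
    return 0;
}

/* Run both checks in order; the first failure decides the verdict. */
enum verdict check_critical_call(const struct entry_state *s)
{
    if (s->sp < s->stack_lo || s->sp >= s->stack_hi) return STACK_PIVOT;
    if (!preceded_by_call(s->code, s->code_len, s->ret_off)) return NOT_CALL_PRECEDED;
    return CALL_OK;
}

/* Evaluate a constructed state: stack range 0x1000-0x2000 over SAMPLE_CODE. */
enum verdict sample_verdict(uintptr_t sp, size_t ret_off)
{
    struct entry_state s = { sp, 0x1000, 0x2000, SAMPLE_CODE, sizeof SAMPLE_CODE, ret_off };
    return check_critical_call(&s);
}

int main(void)
{
    printf("%d %d %d\n", (int)sample_verdict(0x1800, 6),
           (int)sample_verdict(0x1800, 8), (int)sample_verdict(0x9000, 6));
    return 0;
}
```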
"Ivan's idea was the one that could be mitigated the fastest," said Mike Reavey, senior director of the Microsoft Security Response Center (MSRC), in an interview. "His was very practical."
Reavey cautioned that Fratric was not necessarily the winner of the BlueHat Prize, even though Microsoft chose his technology to deploy first.
Fratric seconded that. "The ease or difficulty of integrating the technology into existing tools does not imply that it is any more or less effective," Fratric said in an email reply to questions today. "According to the criteria that the BlueHat Prize judges used, only 30% of the score was generated based on how 'practical and functional' the entry was. The remaining 70% of the score was given on the basis of 'robustness' and 'impact.'"
But Fratric was still pleased to see Microsoft use his ROPGuard concept in EMET.
"I'm absolutely thrilled," he said. "Building ROPGuard was interesting and it being selected as one of the top three entries in the contest is great, but it's even greater to see an interest to integrate this technology into an actual product and to bring it to the users."
Fratric called EMET the "right first step" in baking anti-ROP technologies like ROPGuard into Windows.
Reavey repeated Microsoft's earlier comment that ROPGuard -- or the technologies crafted by the other finalists, both of whom also focused on ROP -- would not appear in Windows 8, the upgrade set to launch Oct. 26. "The timing is too tight for Windows 8," said Reavey. "But we'll continue to look at these ideas."