Microsoft beefs up anti-exploit tool with tech from $250K contest finalist
EMET 3.5 includes settings inspired by BlueHat Prize finalist Ivan Fratric
Computerworld - Microsoft today launched a security toolkit preview that includes anti-exploit technologies created by one of the three finalists in the company's $250,000 BlueHat Prize contest.
Enhanced Mitigation Experience Toolkit (EMET) 3.5 features new defenses inspired by finalist Ivan Fratric, a researcher at the University of Zagreb in Croatia. The other finalists are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor, and Vasilis Pappas, a Ph.D. student at Columbia University.
Microsoft will announce the winners late Thursday at the Black Hat security conference, which kicked off today in Las Vegas and wraps up tomorrow.
"If nothing else the EMET update shows they are committed to taking these ideas and acting on them," said Andrew Storms, director of security operations at nCircle Security, in a Wednesday interview conducted via instant messaging.
EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications.
The toolkit is often used to harden older programs and has also been recommended by Microsoft as stop-gap protection. In March 2011, for example, Microsoft told Office customers to run EMET to fend off zero-day attacks until Adobe patched a bug in Flash.
The new EMET, which Microsoft dubbed a "technology preview" to hammer home that the utility wasn't ready for production use, includes five new settings designed to stymie "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP.
Many advanced exploits rely on ROP to do their tricks, and the technique has been called the "most pressing attack vector" now facing Windows.
For his BlueHat Prize submission, Fratric created "ROPGuard," a technology that checks each critical function call to determine if it's legitimate.
In an interview last month, Fratric explained ROPGuard.
"Unless [the attacker] wants the attack to stay confined in the current process, [he or she] will need to call some 'special' functions to leverage the attack," Fratric said. "The attacker will need to call these functions from the ROP code, either directly or indirectly, and that makes these functions an ideal place to check if the attack is taking place or not."
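To make the idea concrete, here is an added example of the kind of check a guard can run when a "special" function is entered. It is not Fratric's ROPGuard code and not EMET's implementation; the structure `call_ctx`, the function names and the byte sequences are all constructed for illustration. It applies two sanity checks on x86 code: the return address on the stack must sit immediately after a CALL instruction (a ROP chain returns into gadgets that are typically not preceded by one), and the stack pointer must lie inside the thread's real stack bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical snapshot of what a guard inspects when a critical
 * function is entered (constructed for this example). */
typedef struct {
    const uint8_t *code;   /* code bytes of the module the return address points into */
    size_t code_len;
    size_t ret_off;        /* offset of the return address within code[] */
    uintptr_t sp;          /* stack pointer at entry */
    uintptr_t stack_lo;    /* thread's stack limits */
    uintptr_t stack_hi;
} call_ctx;

/* Length of an x86 CALL instruction starting at code[off], or 0 if the bytes
 * there are not a CALL. Handles E8 rel32 and the FF /2 forms (register,
 * memory with or without SIB byte and displacement). */
static size_t call_insn_len(const uint8_t *code, size_t len, size_t off)
{
    if (off >= len) return 0;
    if (code[off] == 0xE8) return 5;                 /* call rel32 */
    if (code[off] != 0xFF || off + 1 >= len) return 0;
    uint8_t modrm = code[off + 1];
    if ((modrm & 0x38) != 0x10) return 0;            /* reg field must be /2 */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t n = 2;
    if (mod == 3) return n;                          /* call reg */
    if (rm == 4) {                                   /* SIB byte follows */
        if (off + 2 >= len) return 0;
        n += 1;
        if (mod == 0 && (code[off + 2] & 7) == 5) n += 4;  /* no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        n += 4;                                      /* [disp32] */
    }
    if (mod == 1) n += 1;                            /* disp8 */
    if (mod == 2) n += 4;                            /* disp32 */
    return n;
}

/* Caller check: some CALL encoding must end exactly at the return address. */
bool return_address_preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return false;
    for (size_t n = 2; n <= 7 && n <= ret_off; n++)
        if (call_insn_len(code, len, ret_off - n) == n) return true;
    return false;
}

/* Stack pointer check: a pivoted stack lands outside the thread's stack. */
bool stack_pointer_in_range(uintptr_t sp, uintptr_t lo, uintptr_t hi)
{
    return sp >= lo && sp < hi;
}

bool critical_call_looks_legit(const call_ctx *c)
{
    return stack_pointer_in_range(c->sp, c->stack_lo, c->stack_hi)
        && return_address_preceded_by_call(c->code, c->code_len, c->ret_off);
}

/* Constructed code bytes: a normal call site (offset 7), a pop/ret gadget
 * (ret at offset 9) and a register call (return site at offset 12). */
const uint8_t sample_code[] = {
    0x90, 0x90,                     /* 0-1: nop nop */
    0xE8, 0x10, 0x00, 0x00, 0x00,   /* 2-6: call rel32, returns to offset 7 */
    0x90,                           /* 7:   nop (legitimate return site) */
    0x5B, 0xC3,                     /* 8-9: pop ebx; ret (gadget) */
    0xFF, 0xD0,                     /* 10-11: call eax, returns to offset 12 */
    0x90,                           /* 12:  nop */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    call_ctx ok  = { sample_code, sample_code_len, 7, 0x7ffe0000, 0x7ff00000, 0x80000000 };
    call_ctx rop = { sample_code, sample_code_len, 9, 0x7ffe0000, 0x7ff00000, 0x80000000 };
    printf("normal call site: %s\n", critical_call_looks_legit(&ok)  ? "legit" : "blocked");
    printf("return into gadget: %s\n", critical_call_looks_legit(&rop) ? "legit" : "blocked");
    return 0;
}
```

Both checks are heuristics: unrelated bytes can happen to decode as a CALL, and a chain that keeps the stack pointer in range and returns to a real call site passes them, which is why EMET layers several ROP settings rather than relying on one.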
Microsoft based the anti-ROP settings in EMET on Fratric's work.
"Ivan's idea was the one that could be mitigated the fastest," said Mike Reavey, senior director of the Microsoft Security Response Center (MSRC), in an interview. "His was very practical."
Reavey cautioned that Fratric was not necessarily the winner of the BlueHat Prize, even though Microsoft chose his technology to deploy first.
Fratric seconded that. "The ease or difficulty of integrating the technology into existing tools does not imply that it is any more or less effective," Fratric said in an email reply to questions today. "According to the criteria that the BlueHat Prize judges used, only 30% of the score was generated based on how 'practical and functional' the entry was. The remaining 70% of the score was given on the basis of 'robustness' and 'impact.'"
But Fratric was still pleased to see Microsoft use his ROPGuard concept in EMET.
"I'm absolutely thrilled," he said. "Building ROPGuard was interesting and it being selected as one of the top three entries in the contest is great, but it's even greater to see an interest to integrate this technology into an actual product and to bring it to the users."
Fratric called EMET the "right first step" in baking anti-ROP technologies like ROPGuard into Windows.
Reavey repeated Microsoft's earlier comment that ROPGuard -- or the technologies crafted by the other finalists, both of whom also focused on ROP -- would not appear in Windows 8, the upgrade set to launch Oct. 26. "The timing is too tight for Windows 8," said Reavey. "But we'll continue to look at these ideas."