Bypassing EMET 4.1
We at Bromium Labs regularly do security research on a variety of computer threats and protections. EMET (Enhanced Mitigation Experience Toolkit) is a free download provided by Microsoft to enhance the security of an endpoint PC. EMET helps protects userland (non-kernel) applications.
In particular, EMET adds special protections (for 32bit processes only) against a relatively new hacker technique known as ROP (return oriented programming). ROP based exploitation has been rampant in malware to bypass the ALSR+DEP protections. Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest Operating system, Windows 8.1. And thus, EMET particularly excels for older platforms like Windows XP.
Since EMET is growing in popularity, it is important to learn about its limitations, so security conscious users can create a better defense in depth strategy. So we decided to investigate EMET’s strengths and weaknesses. Bromium Labs research was focused on further enhancing EMET-like exploit mitigation tools to better protect against future exploitation vectors.
We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit). But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET. We provide our full technical whitepaper here: [Bypassing EMET 4.1]. We provided our research to Microsoft before speaking about these problems publically. We also provided recommendations to upgrade the protections where possible.
The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there’s no “higher” ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.
Thank you to so many different people: Internal folks at Bromium for much help and support. External folks like Microsoft for working well with us when we submitted our EMET vulnerabilities to them. They’ve even offered to recognize us in the next (5.0) release of EMET. Thx!
I trust you’ll enjoy reading the full whitepaper detailing our research. Also, if you can, join me at BSidesSF 2014, on February 24 at 10 a.m. PT, to hear about our research live. And if you can’t, I’ve received multiple invites to speak on this matter at other conferences as well, so hopefully I’ll see you around this year.