
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.


Slide 1: Andrew Roths, Fermin J. Serna. MSRC Engineering and MSEC Science, Microsoft Corporation.

Slide 2 (Trustworthy Computing):
Andrew Roths, Senior Security Development Lead at MSRC Engineering – React
Fermin J. Serna (@fjserna), Security Software Engineer at MSRC Engineering – React

Slide 3: Agenda
EMET introduction
Overview of previous version 1.0.2
What's new in the latest version 2.0
In-depth look at the mitigations
Real case demo
How you can benefit

Slide 4: Protect software against unknown vulnerabilities. Break most exploits for existing, known vulnerabilities.

Slide 5: Free tool available for download which helps:
Thwart targeted attacks
Protect against unfixed vulnerabilities (including 0-days)

Slide 6: Offers security mitigations for most software:
Old applications
Third-party software
Line-of-business applications
Brings newer security mitigations to older platforms. Provides exclusive security mitigations to block current exploit techniques.
Security mitigation: technology that inhibits the ability to exploit software vulnerabilities.

Slide 7: (no transcript text)

Slide 8: CVE-2010-0249 (the "Aurora" vulnerability), addressed by MS10-002. EMET can help prevent successful exploitation on systems lacking the update. We recommend customers download the update using Microsoft Update.

Slide 9: "Testing Microsoft's new EMET hardening tool. So far it has prevented my SEH attacks 10 out of 10 times. Is this really from Microsoft??" – JimmyRay_Purser

Slide 10: (no transcript text)

Slide 11: (no transcript text)

Slide 12: (no transcript text)

Slide 13: 6 mitigations now available with version 2.0. Some of them are also available in certain versions of Windows; others are unique to EMET.

Slide 14: Diagram of the exception handler chain on the stack with EMET off versus EMET on (labels: Stack, Function Stack Frames, Buffer, Handler, Next Handler, Final Handler, 0xfffffff, 0x0c0c0c0c).

Slide 15: (no transcript text)

Slide 16: Diagram of attacker-controlled data inside a program, with EMET off versus EMET on (labels: Attacker Controlled Data, Program, Read, Write, Code Execution).

Slide 17: Diagram of a victim process's memory with EMET off versus EMET on (labels: Code, Data, Victim Process, Attacker, EMET Allocated).

Slide 18: (no transcript text)

Slide 19: Diagram of the process address space across Boot 1, Boot 2 and Boot 3, with EMET off versus EMET on (labels: app.exe, user32.dll, kernel32.dll, ntdll.dll, foo.dll, EMET Allocated).

Slide 20: (no transcript text)

Slide 21: Attacks: how shellcode finds APIs. First some background…
TEB, PEB and LDR structures
Portable Executable (PE) file structure

Slide 22: TEB: Thread Environment Block. Accessible through the fs register. At offset 0x30 there is a pointer to the PEB.

Slide 23: PEB: Process Environment Block. At offset 0x0C there is a pointer to the LDR structures.

Slide 24: LDR structures: three linked lists of the loaded modules for the current process.

Slide 25: (no transcript text)

Slide 26: Export Address Table

Slide 27: Using Metasploit as an example. Diagram of how the shellcode reaches the export tables:
fs:0 → TEB pointer
TEB + 0x30 → PEB pointer
PEB + 0x0C → LDR pointer → Module List
Module 1: look through EAT for target functions
Module 2: look through EAT for target functions
Module 3: look through EAT for target functions

Slide 28: So how do we block this shellcode? We place a data breakpoint on the pointer to the AddressOfFunctions array in the EAT. When it is hit we check if the instruction pointer (EIP) is running from inside a module. If it is not, we crash the process.
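The blocking logic from slides 21–28, modelled in Python as an added example (this is not EMET's own code): it locates the AddressOfFunctions field of a module's export directory, which is the address the data breakpoint watches, and applies the "is EIP inside a loaded module" check when a read hits it. The module bases, sizes, export directory RVAs and the export directory bytes are constructed sample values.

```python
import struct
from dataclasses import dataclass

# IMAGE_EXPORT_DIRECTORY is 40 bytes, little-endian; AddressOfFunctions is the field at +0x1C.
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
                     "Name", "Base", "NumberOfFunctions", "NumberOfNames",
                     "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")
ADDRESS_OF_FUNCTIONS_OFFSET = 0x1C

@dataclass(frozen=True)
class Module:
    name: str
    base: int            # load address (changes per boot once mandatory ASLR is on)
    size: int            # SizeOfImage
    export_dir_rva: int  # RVA of IMAGE_EXPORT_DIRECTORY (data directory entry 0)

def parse_export_directory(blob: bytes) -> dict:
    """Decode the export directory header so the AddressOfFunctions RVA can be located."""
    return dict(zip(EXPORT_DIR_FIELDS, struct.unpack_from(EXPORT_DIR_FMT, blob)))

def eaf_watch_address(m: Module) -> int:
    """Virtual address of the AddressOfFunctions field: where the data breakpoint goes."""
    return m.base + m.export_dir_rva + ADDRESS_OF_FUNCTIONS_OFFSET

def module_containing(addr: int, modules):
    """Walk the loaded-module list (the LDR lists on the slides) and find the owner of addr."""
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def on_watchpoint_hit(eip: int, modules) -> str:
    """Decision taken when the breakpoint fires: code inside a module may read the table,
    code running anywhere else (stack, sprayed heap, shellcode) gets the process terminated."""
    return "allow" if module_containing(eip, modules) else "terminate"

# Constructed sample process: three modules with made-up bases, sizes and export RVAs.
MODULES = (
    Module("app.exe", 0x00400000, 0x00100000, 0x00020000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000, 0x00002000),
    Module("ntdll.dll", 0x7C900000, 0x000B2000, 0x00003000),
)
# Constructed export directory bytes for the sample kernel32: AddressOfFunctions RVA = 0x2600.
KERNEL32_EXPORT_DIR = struct.pack(EXPORT_DIR_FMT, 0, 0x4A5BC2E0, 0, 0, 0x4B70, 1,
                                  950, 950, 0x2600, 0x3500, 0x4400)

def demo():
    exp = parse_export_directory(KERNEL32_EXPORT_DIR)
    watch = eaf_watch_address(MODULES[1])              # 0x7C80201C
    legit = on_watchpoint_hit(0x7C80AE40, MODULES)     # reader executing inside kernel32 itself
    sprayed = on_watchpoint_hit(0x0C0C0C0C, MODULES)   # reader executing from the sprayed 0x0c0c0c0c
    return exp["AddressOfFunctions"], watch, legit, sprayed
```

Real EMET arms a hardware debug register on that address; here the "hit" is simulated by calling on_watchpoint_hit with the EIP of the code that performed the read.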

Slide 29: (no transcript text)

Slide 30: (no transcript text)

Slide 31: Free tool. Protects against the exploitation of vulnerabilities in software:
Known vulnerabilities
Unknown vulnerabilities
Can be applied to almost any arbitrary process:
Doesn't matter who wrote it
Doesn't matter when it was written

Slide 32: Visit our blog! http://blogs.technet.com/b/srd – latest news on EMET and download links. Feedback welcome: switech@microsoft.com. Special thanks to Matt Miller for his contributions to EMET.

Slide 33: Be on the front lines of Microsoft's battle with 0-day security vulnerabilities, hackers, and active cyber-attacks. Get your hands dirty exploring software and finding vulnerabilities. https://careers.microsoft.com/ (search for Trustworthy Computing)

Slide 34: © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

