
All right, I guess we can go ahead and get started now, or I should really say we should continue, since we started about 30 minutes ago. Is there anybody here who did not come to TJ's talk in this room? Okay, so that's good. It was really boring, you did not miss anything. He did cover a lot of the stuff that I'm going to cover, so I'm going to speed through certain parts, maybe touch on a couple of things. If anybody has any questions, feel free to shout them out; this is not super formal, so just throw it out there if you've got it. I am David Cory, there's my contact information, I've got a couple of CS (that is not actually me). I've been doing security engineering and systems engineering for about 12 years, for commercial, and now I guess the last five has been defense, so I've got both ends of the spectrum on how things are done, or not done.

So, moving right along: the Microsoft Enhanced Mitigation Experience Toolkit. I hate saying it, it's a terrible name, but it is one of the most undervalued utilities for endpoint protection in a Windows domain that I have come across in a long, long time. Most people did not even really start hearing about it until maybe they were putting out version 3.0. Now they're on 4.0, which came out just a couple of months ago, and it's still not getting a lot of press, which is odd for Microsoft, since usually they throw a lot of marketing money at anything that's doing well.

The last time I gave this talk it was for less sophisticated security professionals, so just a quick background. Since the dawn of time we've been given firewalls to protect our assets, our flock, and for a long time it was very successful, and that was all we needed to secure our networks. You just put a little flaming brick wall on your Visio diagram, and then we got really advanced: then you had two flaming brick walls. As the firewalls got better the attacks got better, and it became a war of escalation, until attacks were just completely bypassing firewalls and going straight for members of the flock. It's pretty safe to say these days that our flock is difficult enough to control on their own without any outside...

For a long time they were given the run of the pasture; they could do anything they needed. Operations and functionality was paramount to everything else, and sooner or later one of them would jump off the cliff. So a lot of people worked on these problems for a long time, and we took the exact same strategy as we did with actual sheep: we started putting up fences. The fences are very strong mechanisms for controlling application behavior: inappropriate behavior, prohibited behavior, or anything that we just don't want to happen. If anybody would like me to cover these again, feel free to shout it out. The only one I'm going to cover is, I'm pronouncing it "seaw" but I don't really know if that's proper; the last two were covered very extensively when he was talking. So DEP, data execution prevention, ASLR, address space layout randomization, and SEHOP, structured exception handling overwrite protection, are the three primary fences used to control applications in Microsoft environments.

SEHOP, structured exception handling overwrite protection, is a mechanism used to control where program failures progress next. Structured exception handling is a method in Microsoft programming used to say: when this program fails, I want to tell it to go here next, so that we can fail safely and not blow up the entire system. If you look at all of the exploits in the Metasploit framework right now, about 20% of them use SEH to direct the flow of execution through forced program failures. SEHOP blocks that, and it's similar to the way ASLR randomizes the layout of memory, but it randomizes the function addresses for the exception handling methods inside of Windows. So it's just one more fence, and they work pretty well. But once all the fences were put up, what happened next? The pen testers came in; sometimes they're authorized and sometimes they're not, right? So as soon as all of these protections were created, the bypasses were created, probably less than five minutes later. You can go on the internet, and for every single one of those you can find a very easy bypass method for getting around it.

So Microsoft started doing some research. They put out the Security Development Lifecycle progress report. They took 41 consumer applications, very large, with millions and millions of users, over a period of a couple of years, and started looking at what protections were being used in these applications: to use the defenses, to use the operating system methods that were already in place to protect the endpoints. DEP is okay, I think it says 71%; ASLR is 34.1% for those applications. I'm pretty much in the camp that anything that's partially enabled as a security feature is a waste of time and probably should not be enabled at all. So what does that say for the way applications are being developed for large consumer applications? They're not using all the security features that are built into Windows. But what does that really say for all of the custom line-of-business applications that only have a few users but are critical to your business? You could be a Fortune-whatever company with a development house of hundreds of developers, and do you think they're going to fall into that category? Not enabled.

So here's the pop quiz question for my giveaway, which is an awesome little lock pick set from fail: what does it take to enable ASLR and DEP on a Windows application?

Audience: Oh, I know this one.

David Cory: You have a blue shirt on, you can't answer.

Audience: At compile time is the first time you can do it, and you can use EMET, and then...

David Cory: Is right, so it's a compiler flag. So I looked into it a little bit: you open up Visual Studio and it really is that simple. Randomized base address: default. Data execution prevention: default. And then I think error reporting is the SEHOP one. So those three, click a couple of check boxes, recompile the application (I'm not oversimplifying this at all), do some testing maybe, and you now have these protections enabled. But it's obviously not being done, because the developers are not being pushed to use security mechanisms; that doesn't sell software.

So the people at the Microsoft security response division got the idea that we need something a little bit smarter than a fence; we needed something that could actively seek out inappropriate behavior, and that is the sheep. So that brings us back to Microsoft EMET. Microsoft EMET is a very small .NET 4.0 executable. It's not a blacklist, so it doesn't require signatures and constant updating; it doesn't actively block anything in your system; and it's not really a whitelist, because you're not making a big list of things that are approved for use. So it doesn't actively block any kind of connections or do anything like that. It's just good programming mechanisms: it's just forcing the applications to use the built-in protections of the Windows operating system. You could say the same thing about a lot of the host-based IDS/IPS systems. What about, I know there's a lot of defense people here, so what about HBSS? Doesn't that do the exact same thing? The difference is, those are blacklist and whitelist based, and they're extremely complex. Anyone who has tackled the SQL install process would have a very difficult time upgrading HBSS. It's a monster, and nobody shout anything out, don't say any names, but how many times have you looked at an HBSS deployment where things were installed and it wasn't actually doing anything? It was a check box: yep, we got HBSS, so secure. Yeah, exactly. So it's installed; they made it through the install phase.

So what is the counterexample, like, for EMET? Just to walk through a quick installation, because I want everybody to be able to take something back to their jobs on Monday, 7 a.m., and get things started. It's just like every other Microsoft installation: you dive in, I agree, next, next, next, next, next, next, next, and then you have to make a decision. For the purposes of doing it on your home stuff, just use the recommended settings; everything is very easy to back out. So if the recommended settings work for you, or if you feel like just leaving it blank for now, it's very easy to change. Once the install is done you have the EMET service running and you have the EMET GUI installed. So you launch the GUI from the Start menu, and this is the first screen you look at. This is your list of running processes, and on a brand new system nothing is enabled for EMET, and you may or may not have some stuff going on for the system status.

So as you start poking around, you see that the system status is whatever your domain or your workstation is already set at, and this is where you enable things on a system-wide basis. This is pushed out no different than a GPO setting or a local security policy; that's exactly what it is, a registry key, if people are still doing that. And this doesn't affect any applications that are not compiled for ASLR, not compiled for DEP, or, even worse, specifically are using mechanisms that require those to not be available. If we back up and look at the list of running applications, then you can go in, select one, and we have just a slew of available protections for Internet Explorer. All you need to do to protect Internet Explorer with all these protections: check three little check boxes and click OK. When you do that, all of those things that TJ was talking about in his talk are blocked, because all of the protections on this work simultaneously. Any time you have DEP or ASLR enabled or SEHOP, if they're not running together they're not running: all the bypasses require some other mechanism to not be available in order to bypass the protection, especially DEP and ASLR. So you now have Internet Explorer protected and everybody's happy, right? But not really, because we've built careers on wanting to know how everything works.

I think two other talks already have talked about shims, so if you missed one of those: this is a mechanism used to tell a program to go somewhere else, pretty much just like the attackers are doing, but in a safe, logical way, so we can direct things away from where the attackers want them to be directed. In the case of EMET, the import address table holds the addresses for all of the loaded DLLs' methods for operation. So an attack is going to look at a loaded DLL and say, I want to execute, or I want to use the register that is pointing to this function. So the shim points to EMET first, so EMET takes all of the DLL calls, or all of the system calls, and modifies them to a safer version of the call, for lack of really understanding it myself. So the shim just says you're not going to make unsafe calls. Now, granted, there have been bypasses for EMET, so it's going to continue to have a war of escalation, but for the time being, with EMET 4.0, there are no EMET bypasses. So for an application with this shim running in it, there's no way to make unsafe system calls through those loaded DLLs, and that works for static and dynamically linked, so you're not going to be bringing DLLs in on already running systems and thinking that you're going to get around the protections, of which there are many, and a lot of them you can understand what they do specifically, bottom up.

You'll notice that some of these do not work on XP and 2003, and that's just something we're going to have to deal with, but it shouldn't be a big deal because nobody uses those anymore. A lot of this stuff is built into Windows 8 and Server 2012, and in the defense world EMET is now a mandatory STIG check on Windows 8 and, I guess, eventually Server 2012. So those are here to stay. All these protections are done simultaneously, and that really just blocks everything TJ was talking about. It's very simple and effective; not much to say about it.

But there is one other very large feature that's not getting too much press in EMET 4.0, and that is the PKI certificate pinning mechanism. If you have a default Windows install right now, I think there's 18 trusted roots for certificates. I've looked through them; I recognize a couple of them, but most of them I've never heard of. Most of the stuff I do through my job goes through DoD roots; all the stuff I do at home probably uses one or two of the trusted roots. Nobody removes any of them, because you don't really know what's going to happen. If you follow security news you hear a lot about how PKI is dying, and in five years PKI is going to be completely dead, we'd better hurry up and find something quick or else we're all hosed. So in the meantime, what you can do with EMET is certificate pinning. You open up the GUI and you tell it you want a new trust rule, and for a site that you use, a site that you want to be a protected site, you import the certificates. You could do the root cert and you could do the intermediate cert, but you say these are the trusted roots for this website that I like. So for BSides you would import maybe VeriSign Root CA, and so you create a trust rule, a pinning rule. Once you do that, you come back over to the other tab and you tell it the website that I want to go to is going to be pinned to that pinning rule. Now you could make a match, maybe you just say VeriSign Root CA and mix and match websites, but for the purposes of this talk I didn't do that.

So when you do that, any time your system tries to access that website, it will not function if you get a certificate from a different root CA. So why is that important? Anybody?

Audience: A root CA gets compromised, they can no longer issue a valid cert for another site that they should not be issuing for; your computer will not trust it.

David Cory: Correct. If a root server gets compromised and starts putting out bad certs, or if someone at the root CA in Kenya wants to make a little extra money and sends out bad certs, or if you're being man-in-the-middled and you're getting a self-signed certificate in your Java applet, or you just want to make sure that maybe you only want to use the DoD roots, or maybe you only want to use your local OCSP responder. It's just more tight control, so you limit the exposure on the PKI side. It's pretty powerful. I haven't done too much with it, just because it's kind of new and I don't do that much web stuff on my Windows box, but for large organizations where you have users that need to get out to sites that are typical avenues of attack, like Facebook, you can do this and kind of mitigate between now and whenever we have PKI 2.0.

So what does EMET not do? There's not too much bad news here, because it's just a small application, so there's not a lot that can go wrong. You do need to test your applications, your custom applications, before you put it in place, just to make sure you're not going to blow anything up; you know, go ahead and roll it out to a subset of users. But for someone who does not have a comprehensive security team, putting EMET on your 25 workstations is going to be a huge step forward for not getting compromised. Other than that, it's not magic. So there are programs that are written so poorly that they require you to not have ASLR, and EMET is just not going to allow it. So that's where you have to go back in and you exempt your one custom business application, and you just keep it enabled on Acrobat and Java and everything in Office and Internet Explorer and Firefox, Chrome. Some of these applications may not have their own protections through GPOs. I don't think it's too far off to say that they're going to see their own attacks if you push EMET to your system.

Audience: So the user installs, say you push EMET and include the Firefox control; the user doesn't currently have Firefox or Chrome, but then they install it. Will the EMET rules then apply?

David Cory: So the question was, if you have EMET pushed out with a rule that turns on the protections for Firefox or Chrome, the user does not currently have those installed but then does later, will the protection apply? And the answer is yes, because it applies through the currently running process. It doesn't do anything at install time.

Audience: So you can have EMET rules for software that's not installed on every system?

David Cory: Correct.

Audience: I can have one global EMET deployment, and whatever subset of applications I have on my system will then be subject to those?

David Cory: Correct, yep. And speaking of deployment, it is deployed and packaged just like everything else in your enterprise. Maybe you use GPOs to push things out, or maybe you have, I can't remember the name of the big package manager, SC...

Audience: SCCM.

David Cory: Yeah, SCCM. Or maybe you just have the intern run around to 5,000 desktops. It doesn't require a server infrastructure or any kind of care and feeding, other than a very little bit of management. It's managed through GPOs; they have a custom ADMX file where you can pull in the GPO settings. You know, just set up an Active Directory group for EMET-protected computers and roll it out. Jonathan Ness from the Microsoft Security Response Center, I heard him talk on this on PaulDotCom, and he was saying that they are taking all the feedback that they get on EMET and rolling those protections into the new updates in Windows 8 and Server 2012. So this is really the test bed for all of their security protection mechanisms. You might expect to see some kind of certificate pinning coming in maybe Windows 8 Service Pack 1, and that's just a complete guess, but they do watch it. It's something that the security team is very proud of, even though Microsoft as a whole may not be pushing it. There is a support forum on the TechNet section; the subscription is going away but the TechNet website is not. So if you don't have an active Windows support contract, many of us probably do, but if you don't, you can just go on the TechNet forum and get help for EMET. And that's really about it. It's such a small application, it's so very simple, that it doesn't need a lot of explanation, especially after two people have given talks on it to half an audience. So if anybody has any questions, feel free to throw them out.

Audience: What kind of logging does it do?

David Cory: Okay, so it logs to the Windows event log and it does a systray popup. So the question in my mind that I have not yet sufficiently answered is what happens to some of these protections that are proactive rather than reactive. If it blocks an ASLR-based attack, where the thing that the attack was looking for just isn't there, does it have an event log that says somebody was looking for a thing and it wasn't there? I don't really know yet.

Audience: Which event log, the application event or the system event?

David Cory: I can go back and look in a minute, but I think it's application. I grab all three, so yeah, it's not security, I know that, so it's either system or application.

Audience: What problems have you seen with it?

David Cory: So I threw a lot of attacks at it. The application either fails spectacularly, like you open a crafted PDF and Acrobat just blows up, or it just silently blocks it and you never knew anything existed. Like if you're going in IE to a Metasploit-hosted or a SET-hosted web page and you download an encoded executable, IE just sits there and does nothing.

Audience: What about legitimate... have you seen problems with legitimate anything?

David Cory: I have not seen people deploy it on applications that were legacy and old and crotchety. The people that I've seen do it: Acrobat, Java, Office, Internet Explorer, the browsers, the main points of entry. The people that don't do any security on the old legacy applications aren't going to do this either.

Audience: And you've managed it through Group Policy?

David Cory: Yes, it's pretty simple, no problem. I mean, if you do any GPO work at all, it's absolutely no different. It's the same as, like, an Office GPO where you import the ADMX template, and you just have to know where to go to get the new drop-in boxes.

Audience: When you deployed on those popular applications, do you just go full-on, like, check boxes across?

David Cory: Your mileage may vary, but those are the ones that have been tested the most, so those are the ones that are going to have the most people screaming.

Audience: It concerns me that when it blows up it only logs locally. Is there any facility to capture that as an alert message up somewhere?

David Cory: I don't think there's any... I know there's not any syslogging, and I don't think there's any emailing mechanisms, although I could look it up in just a second to let you know.

Audience: Is there any move to streamline into System Center as part of Config Manager rolling?

David Cory: I don't know. It's a very good question. As far as I've seen, across the board Microsoft's strategy is pretty much event log, so I don't know the answer.

Audience: You may not let me answer this, but certain attacks use something called process hollowing. Are you familiar with the technique? Well, process hollowing, basically you load something like load .exe and then you just basically take its code out and put your code in place of it, so it looks like Internet Explorer is running when you're really running your code.

David Cory: I'm trying to think if this would catch it. So I think that would be similar to just loading dynamically linked DLLs. If the process... and I guess I don't know if EMET protects based on the process ID or on the process executable name. So if a running process has been hollowed, if Windows still thinks it's the same running process, then I would assume that EMET still thinks it's the same running process and would apply the protections. Right, but I really couldn't...

Audience: Yeah, most of these protections are memory protections, correct? If somebody's already loading dynamic DLLs since you're Internet Explorer, you've probably got... EMET's not going to do anything; you probably already have problems.

David Cory: Yeah, now you're post-exploitation. With EMET 3.5 there was an EMET bypass where it just shut it off completely. The guy who did it, I think it was for one of Microsoft's bug bounty programs, but it was like a Perl one-liner, shut up. So they are aware of problems, but I think it was just a really old DLL; you just used this old DLL to attack EMET directly, and it was done. So, anyone else? Nothing? Well, that's all I got. Thanks, everybody.

Host: Great job, David. I believe that's our last talk for the day, so I just wanted to say thanks again for everybody coming out today. It's been a great day. Thank you, thank you, thank you. Did you guys have fun? Did we do okay for our first BSides? Do it again next year, be here. All right, we'll see you then. Thanks.
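The compile-time opt-in the pop quiz refers to (randomized base address and DEP, i.e. linking with /DYNAMICBASE and /NXCOMPAT) is recorded in the PE optional header's DllCharacteristics field, which is what EMET's system-wide settings do or do not get to act on. The checker below is an added example, not code from the talk or from EMET; it reads that field from any PE image, and the minimal sample header it builds for the demo is constructed here, with offsets following the PE/COFF layout.

```c
/* Added example (not from the talk): read IMAGE_OPTIONAL_HEADER.DllCharacteristics
 * from a PE image to see whether it was linked with /DYNAMICBASE (ASLR opt-in)
 * and /NXCOMPAT (DEP opt-in). Offsets follow the PE/COFF layout; the sample
 * image built below is constructed for the demo and is not a runnable program. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040 /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define DLLCHAR_NX_COMPAT    0x0100 /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT   */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns DllCharacteristics (0..0xFFFF), or -1 if img is not a well-formed PE header. */
int pe_dll_characteristics(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;        /* "MZ" DOS header */
    uint32_t pe = rd32(img + 0x3C);                            /* e_lfanew */
    /* need "PE\0\0" (4) + COFF header (20) + optional header through offset 71 (72) */
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;          /* PE32 or PE32+ */
    return rd16(opt + 70);   /* DllCharacteristics sits at +70 in both formats */
}

int pe_has_aslr(const uint8_t *img, size_t len) {
    int dc = pe_dll_characteristics(img, len);
    return dc >= 0 && (dc & DLLCHAR_DYNAMIC_BASE) != 0;
}

int pe_has_dep(const uint8_t *img, size_t len) {
    int dc = pe_dll_characteristics(img, len);
    return dc >= 0 && (dc & DLLCHAR_NX_COMPAT) != 0;
}

/* Constructs a minimal PE32 header with the given DllCharacteristics (assumption:
 * only the fields the checker reads are filled in). Returns bytes written, 0 on error. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t dllchar) {
    const uint32_t pe_off = 0x80;
    size_t need = pe_off + 4 + 20 + 96;                        /* room for the optional header */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe_off;                               /* e_lfanew, little-endian */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *opt = buf + pe_off + 24;
    opt[0] = 0x0B; opt[1] = 0x01;                              /* Magic = 0x10B (PE32) */
    opt[70] = (uint8_t)(dllchar & 0xFF);
    opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

/* Round-trip helper: the DllCharacteristics the checker reports for a constructed sample. */
int sample_dllchar(uint16_t dllchar) {
    uint8_t img[256];
    size_t n = build_sample_pe(img, sizeof img, dllchar);
    return pe_dll_characteristics(img, n);
}

int main(void) {
    uint8_t img[256];
    size_t n = build_sample_pe(img, sizeof img, DLLCHAR_NX_COMPAT); /* DEP only, no ASLR */
    printf("ASLR: %s, DEP: %s\n", pe_has_aslr(img, n) ? "yes" : "no",
                                  pe_has_dep(img, n) ? "yes" : "no");
    return 0;
}
```

To audit a real binary, read the file into a buffer and pass it to pe_has_aslr and pe_has_dep; an application that reports "no" for either is one EMET's system-wide DEP/ASLR settings cannot fully cover and belongs on the test-before-deploy list.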