In association with heise online

28 October 2009, 13:09

Free tool from Microsoft hardens programs against attack


Microsoft has released a free tool for retroactively hardening applications against known attacks, without recompiling the program with a special compiler flag. The Enhanced Mitigation Evaluation Toolkit (EMET) allows developers and administrators to activate specific protection mechanisms in compiled binaries without requiring access to the source code. EMET is currently able to prevent or impede four attack techniques.

Structured Exception Handler Overwrite Protection (SEHOP) aims to prevent (structured) exception handlers (SEH) from being overwritten on the stack or in the data segment. In contrast to overwriting return addresses using buffer overflows, in this attack scenario attackers execute their code by misdirecting function pointers. Further information can be found in the article "A Heap of Risk - Buffer overflows on the heap and how they are exploited" on The H Security.

EMET impedes the currently popular attack method of heap spraying by simply allocating parts of the heap, thereby preventing an attacker from writing code to the desired location. Microsoft admits, however, that this does not offer complete protection and only defends against currently known attacks.

EMET purports to be able to defend against null page allocation, which can be exploited in conjunction with null pointer dereferencing. Programming errors can result in pointers being null when they are dereferenced. For function pointers, this means pointing to the (virtual) address 0, which usually belongs to userland; a user who maps code there can have it executed with kernel privileges. Microsoft claims that this threat is currently theoretical only, but Linux kernel and FreeBSD developers recently stumbled upon precisely this problem. The FreeBSD development team resolved this by using a new function to prevent users from mapping code to address 0.

Microsoft's tool can also be used to activate Dynamic DEP (DDEP) within applications. This allows data execution prevention to be activated and deactivated at runtime. The company introduced a new API with Service Pack 1 for Vista, Service Pack 3 for Windows XP and Windows Server 2008 earlier this year. The motive for introducing DDEP is that there are still some applications whose modus operandi triggers data execution prevention. Consequently, developers deactivate this function at build time using linker options for their application. The result is that the entire application then runs without DEP, and this represents a potential point of attack. DDEP allows protection to be deactivated for selected processes only.
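To find the applications described above, those built without DEP compatibility, an administrator can read the flag that the linker option controls (`/NXCOMPAT`, stored as `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`) from each executable's header. The following Python is an added example, not part of the original article or of Microsoft's tool; the names `dep_opt_in`, `build_sample` and `NotPE` are hypothetical, and the sample input is constructed.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # set by the linker's /NXCOMPAT
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B


class NotPE(ValueError):
    """Raised when the input is not a parseable PE image (hypothetical name)."""


def dep_opt_in(image: bytes) -> dict:
    """Report whether a PE image is marked DEP-compatible in its header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing DOS header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 4 + 20  # skip PE signature and COFF file header
    if len(image) < opt_off + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise NotPE("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise NotPE("unknown optional header magic")
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    (flags,) = struct.unpack_from("<H", image, opt_off + 70)
    return {
        "format": "PE32" if magic == PE32_MAGIC else "PE32+",
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample(magic: int, flags: int) -> bytes:
    """Constructed test input: headers only, not a loadable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header follows the DOS header
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # audit the files named on the command line
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            print(path, dep_opt_in(data))
        except NotPE as exc:
            print(path, "skipped:", exc)
```

A 32-bit image reported with `nx_compat` false is one that has not opted in to DEP through its header; 64-bit Windows processes always run with DEP enabled, so the flag matters for the `PE32` results.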

However, dampening the euphoria, Microsoft has warned of potential compatibility problems. EMET will therefore be of most use to professional users who are in a position to analyse any errors which might arise.
