Wednesday, 29 February 2012

Microsoft EMET - ASLR Small Print with Base Binaries

A quick post on a small fact we became aware of this week. As you will likely be aware Microsoft publishes the Enhanced Mitigation Experience Toolkit (EMET). In the words of Microsoft, EMET provides the following functionality:
"The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult to perform as possible. In many instances, a fully-functional exploit that can bypass EMET may never be developed."
Think of EMET as a massive plaster (band aid) for legacy software that missed the memo about defensive compiler features.

After our analysis of KB2639308 it dawned on us that there is some small print associated with EMET as well. The small print concerns the inability to randomize the location of the base binary when applying Address Space Layout Randomization. The reason KB2639308 generally can't randomize base binaries, namely that their relocations have been omitted, also applies to EMET. So while you will gain some benefit by virtue of the DLLs being randomized, you will still have some executable memory at a static location across runs.
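A quick way to check a given module for exactly this condition, added here as example code (it is not from the original post, nor part of EMET): it parses the COFF and optional headers with Python's struct module and reports whether the image opted into ASLR (DYNAMICBASE), whether its relocations were stripped, and whether the base relocation directory is empty. The "relocatable" verdict and the build_test_pe helper, which constructs a minimal PE32 header for demonstration, are this example's own.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h names)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional header DllCharacteristics
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASE_RELOCATION_DIRECTORY = 5                   # data directory index of .reloc

def aslr_status(image: bytes) -> dict:
    """Report whether a PE image can be rebased, i.e. whether opt-in or EMET-forced
    ASLR can actually move it. The verdict is a heuristic: relocations stripped or
    an empty relocation directory means the image must load at its ImageBase."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at +70 in both PE32 and PE32+; the data directory
    # starts at +96 (PE32) or +112 (PE32+) because stack/heap fields widen.
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dir_base = opt + (96 if magic == PE32_MAGIC else 112)
    n_dirs = struct.unpack_from("<I", image, dir_base - 4)[0]
    reloc_size = 0
    if n_dirs > BASE_RELOCATION_DIRECTORY:
        reloc_size = struct.unpack_from("<II", image, dir_base + 8 * BASE_RELOCATION_DIRECTORY)[1]
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": stripped,
        "reloc_dir_size": reloc_size,
        "relocatable": not stripped and reloc_size > 0,
    }

def build_test_pe(characteristics: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections) used only to exercise aslr_status."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                   # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASE_RELOCATION_DIRECTORY, 0x3000, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run it against a real module with aslr_status(open(path, "rb").read()); an executable that reports relocs_stripped or reloc_dir_size 0 is one that neither the loader nor EMET can move.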

So that's it, nothing to panic about but something to keep in mind.

1 comment:

  1. Even with relocations, the forced ASLR feature may not be quite as useful as one might think. Here is some more great small print:

    "EMET’s mitigations only become active after the address space for the core process and the static dependencies has been set up.
    Mandatory ASLR does not force address space randomization on any of these.
    The main focus of Mandatory ASLR is to protect dynamically linked modules, such as plug-ins."

    This comes into play when trying to use EMET to force JRE 6 to use ASLR...