This morning Dan Goodin over at The Register dropped me a line to get my take on a new tool from Microsoft that lets you apply anti-exploitation controls to existing applications. Here’s Dan’s article with my quote, and more information directly from Microsoft.
This. Is. Awesome.
Here’s why EMET is so significant. Anti-exploitation technologies are incredibly powerful because they reduce the risk that any vulnerability – even a zero day – can actually be exploited to cause harm. They include a bunch of techniques including Data Execution Protection (DEP, which is a software flag enforced at the hardware level), Address Space Layout Randomization (ASLR), and stack protection.
As powerful as these techniques are, the software developer needs to design and build their programs to take advantage of them. Most developers don’t do this yet, which makes their software a major potential weak point for any host security. This is especially problematic with web browser plugins that are leveraged by web-based client-side exploits.
EMET allows anyone to add certain anti-exploitation protections to any program without requiring recompiling. You can now apply four anti-exploitation techniques to an existing application, no matter where you got it from or who programmed it (see Microsoft’s post for the list and explanation). Since this will break some applications, it’s not for the faint of heart, but EMET has per-process granularity which can help you lock something down, while leaving open the bits that break.
It’s very cool, and kudos to Microsoft. We still need to see how well it works in the real world, so hopefully we’ll get some field reports soon.
Reader interactions
One Reply to “Add Anti Exploitation to Applications You Didn’t Write”
Good stuff…though the ASLR does not help applications on Windows XP, a slight knit.
Seeing DEP, ASLR, and other ‘memory’ technologies coming down the road from Microsoft, we took another approach to inevitable software vulnerabilities with our security software, which is explained here:
http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf
I’d welcome feedback. We’re always looking to improve.