A few attendees told me that this presentation alone made the two days at S4 worth it. It showed how this free tool breaks or destabilizes working exploits for ICS vulnerabilities.
Kevin Sullivan of Microsoft has mentioned their Enhanced Mitigation Experience Toolkit (EMET) as a good fit for SCADA and DCS applications that are fragile and have easily exploited vulnerabilities that vendors may fix slowly, if at all. The mention rarely gets any follow-up or interest in the ICS community.
So we asked Suha Can of Microsoft to present EMET to the technical S4 audience, and then had Terry McCorkle of Spearpoint Security try to exploit a vulnerable application before and after applying EMET (he chose an integer overflow in an ActiveX control that ships in multiple ICS products).
[vimeo 36362661 w=500&h=331]
EMET runs on Windows XP SP3 or newer. The EMET interface lets you select some or all of the EMET protections, which include:
- Dynamic Data Execution Protection (DEP)
- Mandatory Address Space Layout Randomization (ASLR)
- Structured Exception Handler Overwrite Protection (SEHOP)
- Heap Spray Allocations
- Export Address Table (EAT) Access Filtering
- Null Page Allocation
Suha explains what each of these protections is and how EMET applies it to an existing application. And of course EMET breaks Terry’s working exploit.
This is worth a look if you have a Windows application that was not built with the security controls listed above, which make exploiting the app more difficult. For example, ASLR was added in Windows Vista. EMET can add ASLR to applications on Windows XP, or to applications on Windows Vista and later that were built without ASLR (all too common).
Of course, EMET is not a silver bullet. A skilled attacker may be able to modify the exploit to avoid each of the EMET measures. It does make the attacker’s job more difficult and will break many freely available exploits.
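Before reaching for EMET it helps to know which of your ICS binaries actually opted into DEP and ASLR at build time. The check below reads the PE optional header's DllCharacteristics field and the COFF "relocations stripped" bit; it is an added example written for this post, not code from the presentation or from EMET, and the sample images it inspects are constructed in-line rather than taken from any real product.

```python
import struct

# Documented PE header bits (winnt.h names).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001           # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts into DEP

def pe_mitigation_flags(image: bytes) -> dict:
    """Report build-time DEP/ASLR opt-in for a PE image (EXE or DLL)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unrecognised optional header")
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    aslr_optin = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep_nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_dynamic_base": aslr_optin,
        "relocs_stripped": relocs_stripped,
        # ASLR only works if the loader can actually move the image, so an
        # image with no relocation data cannot be randomised even if forced
        # (this is the case EMET's Mandatory ASLR cannot rescue).
        "aslr_effective": aslr_optin and not relocs_stripped,
        "mandatory_aslr_possible": not relocs_stripped,
    }

def build_sample_pe(dll_chars: int, coff_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal image: DOS stub, PE signature, COFF and optional headers only."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    opt = (struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68
           + struct.pack("<H", dll_chars) + b"\0" * 24)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, len(opt), coff_chars)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # A typical XP-era build (no flags, relocations stripped) next to a hardened one.
    print(pe_mitigation_flags(build_sample_pe(0x0000, IMAGE_FILE_RELOCS_STRIPPED)))
    print(pe_mitigation_flags(build_sample_pe(0x0140, 0x0000, pe32plus=True)))
```

To audit a real install, read each EXE/DLL with `open(path, "rb").read()` and pass the bytes to `pe_mitigation_flags`.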