I had a few attendees who said this presentation alone made the two days at S4 worth it. It showed how this free tool breaks or destabilizes working exploits for ICS vulnerabilities.
Kevin Sullivan of Microsoft has mentioned their Enhanced Mitigation Experience Toolkit (EMET) as a good fit for SCADA and DCS applications that are fragile and have easily exploited vulnerabilities that vendors may fix slowly if at all. The mention rarely gets any followup or interest in the ICS community.
So we requested Suha Can of Microsoft present EMET to the technical S4 audience, and then have Terry McCorkle of Spearpoint Security try to exploit a vulnerable application pre and post EMET (he chose an integer overflow in an ActiveX control that is in multiple ICS products).
[vimeo 36362661 w=500&h=331]
EMET works on Windows XP SP3 or newer. The EMET interface lets you select some or all of the EMET protections, which include:
- Dynamic Data Execution Protection (DEP)
- Mandatory Address Space Layout Randomization (ASLR)
- Structured Exception Handler Overwrite Protection (SEHOP)
- Heap Spray Allocations
- Export Address Table (EAT) Access Filtering
- Null Page Allocation
Suha explains what each of these protections is and how EMET applies them to an existing application. And of course EMET breaks Terry’s working exploit.
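Two of the protections above, DEP and Mandatory ASLR, matter most for binaries that were never linked with the corresponding opt-in flags, which is common for older ICS applications and ActiveX controls. Before deploying EMET, it is useful to know which of your vendor's executables and DLLs already opt in. The script below is an added example, not code from the presentation, from Digital Bond or from Microsoft: it reads the standard PE optional header and reports the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) flags, then lists which EMET protections would add coverage. The `build_sample_pe` helper constructs a minimal, non-loadable PE header purely so the example runs offline; on a real system you would pass the bytes of an actual `.exe`, `.dll` or `.ocx`.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opted in to ASLR (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opted in to DEP (/NXCOMPAT)

# EMET protections whose benefit does not depend on how the image was linked
LINK_INDEPENDENT_PROTECTIONS = [
    "Structured Exception Handler Overwrite Protection (SEHOP)",
    "Heap Spray Allocations",
    "Export Address Table (EAT) Access Filtering",
    "Null Page Allocation",
]


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse a PE image and report its DEP/ASLR opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    # e_lfanew (offset of the PE signature) lives at DOS header offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dll_characteristics": dll_characteristics,
    }


def emet_protections_adding_coverage(flags: dict) -> list:
    """List the EMET protections that add something for an image with these flags."""
    added = []
    if not flags["dep"]:
        added.append("Dynamic Data Execution Protection (DEP)")
    if not flags["aslr"]:
        added.append("Mandatory Address Space Layout Randomization (ASLR)")
    return added + LINK_INDEPENDENT_PROTECTIONS


def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not loadable) used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # PE signature directly after the DOS header
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-in for an old ICS ActiveX control linked without /DYNAMICBASE or /NXCOMPAT
    legacy = pe_mitigation_flags(build_sample_pe(0))
    print("legacy image:", legacy)
    for name in emet_protections_adding_coverage(legacy):
        print("  EMET adds:", name)
```

Run against real files by replacing the constructed header with `open(path, "rb").read()`; an image that reports `aslr: False` is exactly the case where EMET's Mandatory ASLR forces relocation that the binary never asked for, and `dep: False` is the case where EMET's DEP setting opts the process in on its behalf.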