
All replies

  • EMET is a security application built by Microsoft... it should be officially supported (i.e. updated via Windows Update).

    I would personally not recommend mass-deployment of EMET to non-technical users. Some of the mitigations are very non-compatible and could potentially break applications for hundreds of thousands of users. The real value of EMET is in protecting legacy applications running on legacy operating systems. EMET does add protection for modern operating systems such as Windows 7... but because some of the mitigations are complete hacks themselves... the probability of a conflict is too high to be distributed by Windows Update, in my opinion.

    And why is EMET not simply built into the OS? i.e. not living in userspace.

    EDIT: With Windows 8 coming out, it would be nice to see EMET packaged into kernel space.

    I'm not sure what you mean... ASLR, DEP and SEHOP are all implemented in Vista+ operating systems. Most of the other mitigations are not suitable because they could potentially cause incompatibilities. Also... future software produced by modern compilers should support /GS stack cookies and /safeseh switches.

    Of all of the latest additions to EMET I think that bottom-up randomization of stack/heap or some similar derivative technique has the potential to be implemented in the kernel. Predictability is still a huge issue...

    As far as shellcode using pure ROP gadgets and stack pivoting is concerned... I am not sure how to fix these problems. It seems to me that major architectural changes need to be made to the operating system. There needs to be a way to implement a verifiable execution chain... stack cookies are not enough.

    Best Wishes,

    -David Delaune

    Wednesday, July 6, 2011 2:27 PM
  • Thank you for your comments.

    One of the goals of EMET is to bring to downlevel OSes the mitigations that are in place on newer OSes. Think about SEHOP, available on Vista+; now you have it even on XP. We do "best-effort" support through these forums. So, if you have any issue, just open a thread and we will try to help you.

    Thank you,

    Monday, July 25, 2011 5:44 PM
  • David, you made the point:

    "not suitable because they could potentially cause incompatibilities."

    But that is exactly what we need. Cut off old junk, yes, make the OS incompatible, at least if the user or enterprise wants to, and get rid of old programs that do not support new security features.

    Opt-in is nice, but a lot of programs, I'd say still the majority, do not make use of what is possible.

    Friday, August 26, 2011 6:27 AM
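The first reply points out that /GS and /safeseh are compiler and linker switches a program has to be built with, and the last reply complains that most programs still do not opt in to what the OS offers. The script below is an added example, not code from the thread or from the EMET team: it audits which opt-in mitigations a PE file declares by reading the DllCharacteristics field of its optional header (the bits set by the /DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA and /GUARD:CF linker switches). Field offsets and flag values follow the PE/COFF specification. /GS cookies are emitted code rather than a header flag, and /SAFESEH registers its handler table in the load-config directory, so neither is detected here. The scanned directory in the usage line is an assumed placeholder.

```powershell
# Added example, not part of the original thread: report the opt-in linker
# mitigations recorded in a PE file's optional header. The path argument is
# whatever binary you want to audit; offsets come from the PE/COFF spec.
function Get-PEMitigationFlags {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: 'MZ' magic, and e_lfanew at 0x3C holds the offset of "PE\0\0"
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)

    # Need signature (4) + COFF file header (20) + at least 72 bytes of optional header.
    # Bounds are checked before the signature read so a truncated file throws cleanly.
    if ($peOffset -lt 0x40 -or ($peOffset + 4 + 20 + 72) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no valid PE signature"
    }

    $optHeader = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)   # 0x10B = PE32, 0x20B = PE32+
    if     ($magic -eq 0x10B) { $format = 'PE32'  }
    elseif ($magic -eq 0x20B) { $format = 'PE32+' }
    else                      { $format = ('unknown magic 0x{0:X}' -f $magic) }

    # DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+
    $dllChars = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [pscustomobject]@{
        Path          = $Path
        Format        = $format
        DllChars      = ('0x{0:X4}' -f $dllChars)
        ASLR          = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    (/DYNAMICBASE)
        HighEntropyVA = [bool]($dllChars -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (/HIGHENTROPYVA, PE32+ only)
        DEP           = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT       (/NXCOMPAT)
        NoSEH         = [bool]($dllChars -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH          (image uses no SEH at all)
        CFG           = [bool]($dllChars -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF        (/GUARD:CF)
    }
}

# Usage (the directory is an assumed placeholder): list the binaries that did not
# opt in to both ASLR and DEP, i.e. the ones a tool like EMET would have to force.
Get-ChildItem -Path 'C:\Program Files' -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { try { Get-PEMitigationFlags -Path $_.FullName } catch { } } |
    Where-Object { -not ($_.ASLR -and $_.DEP) } |
    Format-Table Path, Format, ASLR, DEP, NoSEH, CFG -AutoSize
```

Two caveats when reading the output: a set DYNAMIC_BASE bit only means the image can be relocated, so a DLL with relocations stripped still will not be randomized, and absence of the NX_COMPAT bit matters only on 32-bit processes, since 64-bit processes always run with DEP. The NoSEH bit is informational; whether a 32-bit image was actually linked with /SAFESEH has to be read from its load-config directory, which this script does not parse.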