2 tips for protecting Windows with EMET

Microsoft provides a little known tool for protecting PC’s against software vulnerabilities called the Enhanced Mitigation Experience Toolkit (colloquially known as EMET).

Most people don’t know about it because it doesn’t ship with Windows and has a bevy of nerdy knobs and levers that usually scares off tyros.  But today, I want to walk you through this nimble utility because it is relatively effective in protecting PCs.

I say relatively because EMET won’t make your PC indomitable but it does deflect most exploit attempts and stays out of your way.

Similar to Malwarebytes Anti-Exploit, EMET takes a preemptive approach to security threats by implementing the following safeguards:

  • Data Execution Prevention (DEP)
  • Structured Execution Handling Overwrite Protection (SEHOP)
  • Export Address Table Filtering (EAF)
  • Address Space Layout Randomization (ASLR)

If reading those polysyllabic acronyms makes your eyes glaze over or your hair bristls when you see “layout randomization”, that’s fine because you really don’t need to know the details.

I just want to give you a top-level view of what’s going on so you can skip the jargon and get the gist of how EMET guards your PC.

Demystifying DEP

The bottom-line with DEP is that it’s designed to make it harder for malevolent hackers to exploit vulnerabilities in Windows.

It does this by preventing the execution of code in pages of memory that aren’t explicitly marked as executable.

Most newer Intel CPUs support an execute disable bit (XD).  Thus, if someone tries to run code from a memory page with memory protection enabled they’ll get a lovely access violation.

Thankfully, the 64-bit version of Windows ships with DEP enabled.  EMET is there to make sure DEP is working well – but I don’t want that to engender a false sense of security in your mind.

DEP is neccessary but not sufficient for mitigating all attacks.  It’s just one layer in a robust defense-in-depth strategy.

There’s still this whole stack overflow thingy…

Hoping around with SEHOP

SEHOP shields your computer from a common hacking technique that exploits stack overflows.

Stack what? Stay with me for a second.

Let’s say you’re in debt.  You own some people money and need to keep track of who gets what.

So you draw a table with the creditor’s name in the left column and the amount you owe in the right column.

Now, let’s say you owe your good friend Mark Cuban $1000.

Image Credit of Marc Cuban from Keith Allison on Flickr

You put his name under the Creditor column and write $1000 in the Amount Owed column.

This table is just like any an ordinary table except for two important things:

  1. The table only provides one-character-per-box.  In other words, there are a set number of squares available for the Creditor and Amount Owed columns. In this example, there are 10 squares available for the creditor name.  Since “Mark Cuban” is exactly 10 characters in length, each square is filled and everything is fine… at least for now…  The Amount Owed column also has 10 placeholder squares.
  2. You’re not using an ordinary pen to track your debt.  No, instead, you have a magic pen that automatically erases the entire debt record before recording a new record.  The entire row gets zapped when recording a new debt record.  This is roughly tantamount to how system memory works.

Okay, so a few days past and eventually you find the $1,000 you owe Mark.  You pay up and thus absolve yourself of all debt obligations to Mr. Cuban.

He kindly didn’t charge you any interest which was pretty nice.

So far so good.

Now after a week, you’re strapped for cash again but can’t fathom bothering Mark so you call up your other pal: casino magnate Lui Woo.

Hey, Lui, can you loan me a grand? I’m in a bind but I promise I’ll pay you back before the end of the month.

Lui knows you’re good for it so he loans you $1,000.


As you start to write Lui Woo’s name in your table, the previous entry for Mark Cuban disappears (that’s because of the magic pen you own).

You carefully begin filling in each letter inside each box.

“Lui Woo” is seven characters long (including the space) and you have 10 boxes so that leaves 3 extra character boxes. You start writing his name but can’t remember how to spell it.

Hey, Lui, how do you spell your name?

“How could you forget!” he replies.  “It’s LUI WOOXXX9999999999”

“That’s a little odd” you muse to yourself.   But you figure the X’s were silent and he’s just a unique guy with numbers in his name.

Now here’s the important part:

Since the first column is only 10 boxes long you enter one character per box and end up with “LUI WOOXXX” but then keep entering characters past the first column into the second column as 9999999999.

In other words, you continued inserting characters beyond the bounds of the column so the excess overflowed into the amount owed column.

Now look what happened… (by the way, I made this table in Microsoft Paint so it looks pretty shitty but I hope it illustrates the point):

Buffer Overflow Example

The final three “X”‘s in Lui’s last name pushed those ten, 9 digits into the Amount I Owe Column!

Before you owed him $1,000, but now because of the overflow, you owe almost ten billion dollars!

Good luck paying that back.

This is basically how buffer overflows work.


Most computer programs have a call stack which maintains information about all the code nuggets that work together to perform tasks.

Code is broken down into subroutines which are bite-sized pieces that perform very specific functions for the larger program.

For example, a programmer might create a subroutine that prints a message to the screen.  So whenever the programmer wants to print that message, he just calls the subroutine that prints messages.

He can call that subroutine anytime he needs to print the message.  He doesn’t copy and paste the code because that makes the source file unnecessarily large, makes the code hard to maintain and violates basic programming concepts.

A stack overflow happens when a program writes code to the call stack in an unexpected way.  The result, is that the stack overflows because too much data is written.  The surplus data spills over and corrupts data in adjacent memory locations which either crashes the application or causes it to act strangely.

SEHOP prevents this sort of thing from happening.

EAF and ASLR

EAF is a mitigation technique that sets breakpoints on the address tables of two important files.  Malicious code usually tries to find where certain subroutines are loaded in memory by reading the export address table of these two files:

  • ntdll.dll
  • kernel32.dll

When code hits the breakpoint, EMET gets to work and tries to figure out if the code is good or bad.  If it’s bad it gets terminated – if it’s good it runs safely.

Usually EAF works; however, it was bypassed in earlier version of EMET so it’s not rock-solid.

ASLR offers another stratum of protection.

It works by randomizing key parts of a program in memory.  So, basically with ASLR running, the attacker needs to correctly guess the memory positions of all the areas they want to attack.

64-bit versions of Windows offer the most robust protection here because they have a larger address space which means the probability of correctly guessing key memory blocks are significantly reduced.

What’s up EMET!

So what does this have to do with EMET?

EMET steps on the scene, flexing its arms, flouting the machinations of hackers and strongly asserts:

I’ve got your back man!

EMET is a veritable mountain for the bad guys because of DEP, SEHOP, EAF and ASLR.  Let me show you how to get started.

Installing EMET

After checking your system for compatibility issues, visit Microsoft and grab the latest version of EMET.

You should see it in the right rail of the webpage.

Download EMET

Keep all the defaults and breeze through the installation screen.

Installing EMET

Next, the EMET Configuration Wizard screen will popup.

Use the Recommended Settings and choose Finish.

EMET Use Recommended Settings

EMET quietly opens out of the way in the tray.

EMET running in the tray

Now let’s tweak the application to make it work for us.

I actually don’t recommend locking down the entire system with EMET because this may break existing applications (especially legacy apps) so my first tip is to configure specific processes for EMET protection.

1. Configuring Specific Processes

We’re going to peruse the process list for applications that rely on the internet such as web browsers and download managers.  These applications are the most susceptible to being compromised so we need to make sure they’re protected first.

In the bottom pane of the main window you’ll see a list of running processes.

EMET Running Processes

Right click the one you want to lock down and choose Configure Process…

Now you should see a daunting screen teaming with checkboxes and columns.

By default, EMET fires all its armaments on the bad guys.  Just click OK to keep the defaults.

EMET Application Configuration

If Dropbox stops working after making the change, we can systematically disable each setting until it works again.  You can also back out of all your changes by clicking the red Remove Selected button in the ribbon.

2. Give it a test run first

When you’ve finished configuring rules for your apps you can give it a trial run.

Along to the top half of Application Configuration view you’ll see a ribbon with a green icon to Add an Application, a blue icon to Add a Wildcard and a Red Remove Selected X.  Over to the right you’ll see a Default Action setting which is set to Stop on exploit.

This means when an application violates one of our security rules, EMET will immediately terminate the application.  This is usually what you want; however, if you want to give it a trial run first choose Audit Only.

This effectively puts security in abeyance because EMET simply reports the problem and still permits the application to run.  But it’s still a good way to make sure your rules are working before you go live.

So try it out for a week in Audit Only then flip it back to Stop on exploit and you’ll be good to go.

EMET audit only

The Bottom Line

For protection against most web threats, EMET is a sure bet.

But like every security mechanism: it’s not perfect.  In fact, the good guys at Bromiumlabs produced a 19 page research report in February of 2014 demonstrating how to bypass EMET 4.1.  The paper is very technical; however, I suggest browsing through it so you can get a balanced view of EMET.

EMET is just one component in the fight to keep our PC’s safe.  And although we can’t rely on it alone to protect us from everything, it’s still a very useful piece of the larger protection puzzle.

If you’ve used EMET, please share your experiences in the comments!

About

Connect with Vonnie on Twitter

Posted in Windows, Windows 7, Windows 8, Windows 8.1, Windows Vista Tagged with: , ,