Microsoft beefs up anti-exploit tool with tech from $250K contest finalist

EMET 3.5 includes settings inspired by BlueHat Prize finalist Ivan Fratric

Microsoft today launched a security toolkit preview that includes anti-exploit technologies created by one of the three finalists in the company's $250,000 BlueHat Prize contest.

Enhanced Mitigation Experience Toolkit (EMET) 3.5 features new defenses inspired by finalist Ivan Fratric, a researcher at the University of Zagreb in Croatia. The other finalists are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor, and Vasilis Pappas, a Ph.D. student at Columbia University.

Microsoft will announce the winners late Thursday at the Black Hat security conference, which kicked off today in Las Vegas and wraps up tomorrow.

"If nothing else the EMET update shows they are committed to taking these ideas and acting on them," said Andrew Storms, director of security operations at nCircle Security, in a Wednesday interview conducted via instant messaging.

EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications.

The toolkit is often used to harden older programs and has also been recommended by Microsoft as stop-gap protection. In March 2011, for example, Microsoft told Office customers to run EMET to fend off zero-day attacks until Adobe patched a bug in Flash.

The new EMET, which Microsoft dubbed a "technology preview" to hammer home that the utility wasn't ready for production use, includes five new settings designed to stymie "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP.

Many advanced exploits relay on ROP to do their tricks, and the technique has been called the "most pressing attack vector" now facing Windows.

For his BlueHat Prize submission, Fratric created "ROPGuard," a technology that checks each critical function call to determine if it's legitimate.

In an interview last month, Fratric explained ROPGuard.

"Unless [the attacker] wants the attack to stay confined in the current process, [he or she] will need to call some 'special' functions to leverage the attack," Fratric said. "The attacker will need to call these functions from the ROP code, either directly or indirectly, and that makes these functions an ideal place to check if the attack is taking place or not."

Microsoft based the anti-ROP settings in EMET on Fratric's work.

"Ivan's idea was the one that could be mitigated the fastest," said Mike Reavey, senior director of the Microsoft Security Response Center (MSRC), in an interview. "His was very practical."

Reavey cautioned that Fratric was not necessarily the winner of the BlueHat Prize, even though Microsoft chose his technology to deploy first.

Fratric seconded that. "The ease or difficulty of integrating the technology into existing tools does not imply that it is any more or less effective," Fratric said in an email reply to questions today. "According to the criteria that the BlueHat Prize judges used, only 30% of the score was generated based on how 'practical and functional' the entry was. The remaining 70% of the score was given on the basis of 'robustness' and 'impact.'"

But Fratric was still pleased to see Microsoft use his ROPGuard concept in EMET.

"I'm absolutely thrilled," he said. "Building ROPGuard was interesting and it being selected as one of the top three entries in the contest is great, but it's even greater to see an interest to integrate this technology into an actual product and to bring it to the users."

Fratric called EMET the "right first step" in baking anti-ROP technologies like ROPGuard into Windows.

Reavey repeated Microsoft's earlier comment that ROPGuard -- or the technologies crafted by the other finalists, both who also focused on ROP -- would not appear in Windows 8, the upgrade set to launch Oct. 26. "The timing is too tight for Windows 8," said Reavey. "But we we'll continue to look at these ideas."

More likely, security experts have said, is that Microsoft will add one or more of the anti-ROP defenses, and perhaps other technologies submitted in the contest, to Windows 8 as a later update. Putting them into Windows 8 Service Pack 1 (SP1), which would appear a year or more after the operating system's launch, would be logical, those experts have said.

Reavey declined to commit Microsoft to adding any of the new technologies to Windows 7, a move that would involve "backporting" the code to the older OS. But he said the company was considering such backporting and noted that Microsoft has backported before.

One of the most notable security backports was of a Windows 7 feature that blocked the automatic execution of files on a USB drive.

In 2009, Microsoft offered the feature -- which disabled AutoRun -- to Windows XP and Vista users; in early 2011, the AutoRun update was force-fed to users of those editions.

AutoRun has been abused by some of the highest-profile worms in the last decade, including Conficker and Stuxnet, the latter a worm reportedly created with U.S. and Israeli government backing and designed to sabotage Iran's nuclear program.

Microsoft credited the AutoRun backport to XP and Vista with reducing malware infection rates on those editions by as much as 82% in the first six months of 2011.

"I think they will add it to Windows," said Storms of ROP technologies Microsoft received during the contest. "We will see features start to emerge in the next service pack ... it seems like a natural progression. Test it in EMET, then implement in a major update."

Not surprisingly, Reavey said Microsoft had been pleased at the BlueHat Prize turnout and submission quality. He also reiterated the company's anti-bounty position, arguing that the BlueHat strategy was more effective in protecting customers.

"We still think that this [approach] of trying to eliminate entire classes of attacks benefits customers in the long run, rather than fixing issues one-off," said Reavey.

When it unveiled BlueHat Prize a year ago, Microsoft rejected bug bounties -- like those paid by Google, Mozilla and Hewlett-Packard's TippingPoint -- in favor of the contest concept.

Microsoft isn't planning an immediate sequel to BlueHat Prize -- Reavey said there was nothing official to announce -- but it is conducting a survey at Black Hat to collect ideas for future contests.

"I think that the [BlueHat Prize] was an excellent idea and a great way to give some spotlight to some of the open problems in security and the people working to solve them," said Fratric "I'd absolutely be interested in future contests. I even have some ideas that I'd like to try out next year."

According to the BlueHat Prize rules, winners retain the intellectual rights to their inventions, but must license them to Microsoft on a royalty-free basis. The first-place winner will receive $200,000 tomorrow, while $50,000 will go to the second-place finalist. A subscription to Microsoft's developer network, worth about $10,000, will be awarded as the third-place prize.

Microsoft published more information about EMET 3.5 and its use of Fratric's ROPGuard on its Security Research & Defense blog today.

EMET 3.5 can be downloaded for Windows XP, Vista and Windows 7 from Microsoft's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is

Read more about security in Computerworld's Security Topic Center.

Copyright © 2012 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.