Microsoft beefs up anti-exploit tool with tech from $250K contest finalist

EMET 3.5 includes settings inspired by BlueHat Prize finalist Ivan Fratric

Microsoft today launched a security toolkit preview that includes anti-exploit technologies created by one of the three finalists in the company's $250,000 BlueHat Prize contest.

Enhanced Mitigation Experience Toolkit (EMET) 3.5 features new defenses inspired by finalist Ivan Fratric, a researcher at the University of Zagreb in Croatia. The other finalists are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor, and Vasilis Pappas, a Ph.D. student at Columbia University.

Microsoft will announce the winners late Thursday at the Black Hat security conference, which kicked off today in Las Vegas and wraps up tomorrow.

"If nothing else the EMET update shows they are committed to taking these ideas and acting on them," said Andrew Storms, director of security operations at nCircle Security, in a Wednesday interview conducted via instant messaging.

EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications.

The toolkit is often used to harden older programs and has also been recommended by Microsoft as stop-gap protection. In March 2011, for example, Microsoft told Office customers to run EMET to fend off zero-day attacks until Adobe patched a bug in Flash.

The new EMET, which Microsoft dubbed a "technology preview" to hammer home that the utility wasn't ready for production use, includes five new settings designed to stymie "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP.

Many advanced exploits rely on ROP to do their tricks, and the technique has been called the "most pressing attack vector" now facing Windows.

For his BlueHat Prize submission, Fratric created "ROPGuard," a technology that checks each critical function call to determine if it's legitimate.

In an interview last month, Fratric explained ROPGuard.

"Unless [the attacker] wants the attack to stay confined in the current process, [he or she] will need to call some 'special' functions to leverage the attack," Fratric said. "The attacker will need to call these functions from the ROP code, either directly or indirectly, and that makes these functions an ideal place to check if the attack is taking place or not."
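The article does not say which checks ROPGuard performs at those "special" functions, so the following is an added illustration rather than EMET, ROPGuard, or the author's code: one heuristic a hook on a critical function can apply is that the return address on the stack must point just past a CALL instruction. A compiled caller always reaches the function through CALL; a ROP chain reaches it through RET, so the bytes in front of its "return address" are usually a gadget's RET, not a CALL. The x86-64 opcode handling, the function names, and the hand-assembled byte windows are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not EMET or ROPGuard code. A critical-function hook can ask:
 * "does the return address I was given point just past a CALL instruction?"
 * The decoding below covers CALL rel32 (E8) and CALL r/m (FF /2), optionally
 * behind a one-byte REX prefix. It is a heuristic: a coincidental 0xFF/0xE8 byte
 * can look like a CALL, which is why real mitigations combine several checks. */

/* Length of a CALL r/m (FF /2) encoding starting at p, or 0 if p is not one. */
static size_t ff_call_length(const uint8_t *p, size_t avail)
{
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t modrm = p[1];
    if (((modrm >> 3) & 7) != 2) return 0;         /* reg field 2 selects CALL */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = 2;                                 /* opcode + ModRM */
    if (mod == 3) return len;                       /* CALL reg */
    if (rm == 4) {                                  /* SIB byte follows */
        if (avail < 3) return 0;
        len++;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;  /* no base register: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                   /* [rip+disp32] */
    }
    if (mod == 1) len += 1;                         /* disp8 */
    if (mod == 2) len += 4;                         /* disp32 */
    return len;
}

/* True if a CALL starts at code[pos] and ends exactly at code[ret_off]. */
static bool call_ends_at(const uint8_t *code, size_t pos, size_t ret_off)
{
    size_t i = pos;
    if ((code[i] & 0xF0) == 0x40 && i + 1 < ret_off) i++;   /* skip REX prefix */
    size_t avail = ret_off - i;
    if (avail == 5 && code[i] == 0xE8) return true;          /* CALL rel32 */
    return ff_call_length(code + i, avail) == avail;
}

/* The check itself: does some plausible CALL encoding (2..8 bytes, REX included)
 * end exactly at ret_off? False means the "caller" never executed a CALL. */
bool return_address_follows_call(const uint8_t *code, size_t code_len, size_t ret_off)
{
    if (ret_off == 0 || ret_off > code_len) return false;
    for (size_t len = 2; len <= 8 && len <= ret_off; len++)
        if (call_ends_at(code, ret_off - len, ret_off)) return true;
    return false;
}

/* Hand-assembled x86-64 byte windows, constructed for this example. */
const uint8_t kDirectCall[]   = { 0xE8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xC3 }; /* call +0x10 ; mov rbx,rax */
const uint8_t kIndirectCall[] = { 0x41, 0xFF, 0xD2, 0x90 };                         /* call r10 ; nop */
const uint8_t kMemCall[]      = { 0xFF, 0x15, 0x00, 0x10, 0x00, 0x00, 0x90 };       /* call [rip+0x1000] ; nop */
const uint8_t kGadgets[]      = { 0x58, 0xC3, 0x5F, 0xC3 };                         /* pop rax ; ret ; pop rdi ; ret */

static const char *verdict(bool ok)
{
    return ok ? "legitimate caller" : "suspicious: no CALL precedes the return address";
}

int main(void)
{
    printf("direct call  : %s\n", verdict(return_address_follows_call(kDirectCall, sizeof kDirectCall, 5)));
    printf("call r10     : %s\n", verdict(return_address_follows_call(kIndirectCall, sizeof kIndirectCall, 3)));
    printf("call [rip+d] : %s\n", verdict(return_address_follows_call(kMemCall, sizeof kMemCall, 6)));
    printf("after a RET  : %s\n", verdict(return_address_follows_call(kGadgets, sizeof kGadgets, 2)));
    return 0;
}
```

In a real hook the return address would be read from the hooked function's stack frame and the code window from the process's own text pages; here both are passed in explicitly so the logic can be exercised on the constructed windows alone.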

Microsoft based the anti-ROP settings in EMET on Fratric's work.

"Ivan's idea was the one that could be mitigated the fastest," said Mike Reavey, senior director of the Microsoft Security Response Center (MSRC), in an interview. "His was very practical."

Reavey cautioned that Fratric was not necessarily the winner of the BlueHat Prize, even though Microsoft chose his technology to deploy first.

Fratric seconded that. "The ease or difficulty of integrating the technology into existing tools does not imply that it is any more or less effective," Fratric said in an email reply to questions today. "According to the criteria that the BlueHat Prize judges used, only 30% of the score was generated based on how 'practical and functional' the entry was. The remaining 70% of the score was given on the basis of 'robustness' and 'impact.'"

But Fratric was still pleased to see Microsoft use his ROPGuard concept in EMET.

"I'm absolutely thrilled," he said. "Building ROPGuard was interesting and it being selected as one of the top three entries in the contest is great, but it's even greater to see an interest to integrate this technology into an actual product and to bring it to the users."

Fratric called EMET the "right first step" in baking anti-ROP technologies like ROPGuard into Windows.

Reavey repeated Microsoft's earlier comment that ROPGuard -- or the technologies crafted by the other finalists, both of whom also focused on ROP -- would not appear in Windows 8, the upgrade set to launch Oct. 26. "The timing is too tight for Windows 8," said Reavey. "But we'll continue to look at these ideas."

More likely, security experts have said, is that Microsoft will add one or more of the anti-ROP defenses, and perhaps other technologies submitted in the contest, to Windows 8 as a later update. Putting them into Windows 8 Service Pack 1 (SP1), which would appear a year or more after the operating system's launch, would be logical, those experts have said.

Reavey declined to commit Microsoft to adding any of the new technologies to Windows 7, a move that would involve "backporting" the code to the older OS. But he said the company was considering such backporting and noted that Microsoft has backported before.

One of the most notable security backports was of a Windows 7 feature that blocked the automatic execution of files on a USB drive.

In 2009, Microsoft offered the feature -- which disabled AutoRun -- to Windows XP and Vista users; in early 2011, the AutoRun update was force-fed to users of those editions.

AutoRun has been abused by some of the highest-profile worms in the last decade, including Conficker and Stuxnet, the latter a worm reportedly created with U.S. and Israeli government backing and designed to sabotage Iran's nuclear program.

Microsoft credited the AutoRun backport to XP and Vista with reducing malware infection rates on those editions by as much as 82% in the first six months of 2011.

"I think they will add it to Windows," said Storms of ROP technologies Microsoft received during the contest. "We will see features start to emerge in the next service pack ... it seems like a natural progression. Test it in EMET, then implement in a major update."

Not surprisingly, Reavey said Microsoft had been pleased at the BlueHat Prize turnout and submission quality. He also reiterated the company's anti-bounty position, arguing that the BlueHat strategy was more effective in protecting customers.

"We still think that this [approach] of trying to eliminate entire classes of attacks benefits customers in the long run, rather than fixing issues one-off," said Reavey.

When it unveiled BlueHat Prize a year ago, Microsoft rejected bug bounties -- like those paid by Google, Mozilla and Hewlett-Packard's TippingPoint -- in favor of the contest concept.

Microsoft isn't planning an immediate sequel to BlueHat Prize -- Reavey said there was nothing official to announce -- but it is conducting a survey at Black Hat to collect ideas for future contests.

"I think that the [BlueHat Prize] was an excellent idea and a great way to give some spotlight to some of the open problems in security and the people working to solve them," said Fratric. "I'd absolutely be interested in future contests. I even have some ideas that I'd like to try out next year."

According to the BlueHat Prize rules, winners retain the intellectual rights to their inventions, but must license them to Microsoft on a royalty-free basis. The first-place winner will receive $200,000 tomorrow, while $50,000 will go to the second-place finalist. A subscription to Microsoft's developer network, worth about $10,000, will be awarded as the third-place prize.

Microsoft published more information about EMET 3.5 and its use of Fratric's ROPGuard on its Security Research & Defense blog today.

EMET 3.5 can be downloaded for Windows XP, Vista and Windows 7 from Microsoft's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is
