Why Anti-Exploitation Only Solves Part of the Endpoint Security Problem

In July Microsoft introduced an updated version of its Enhanced Mitigation Experience Toolkit (EMET), designed to protect against malicious and targeted attacks on its software.

EMET aims to prevent software vulnerabilities from being successfully exploited. The most recent version employs Return-Oriented Programming (ROP) protections, Export Address Filter (EAF) and EAF+ security, and Attack Surface Reduction (ASR) features. The object is to make software vulnerability exploits difficult to carry out.

While we agree that a defense system that creates sophisticated obstacles for attacks is helpful, it is only a matter of time before ambitious attackers develop mitigation bypass techniques.

For example, a publicly available, Microsoft-issued user’s guide lays out the specific tools used by EMET. Using this information, researchers have reverse-engineered EMET and published papers that document exploits which can bypass its defense system and leave operating systems unprotected from attacks.

One firm, Offensive Security, has disclosed several of the protections in EMET’s arsenal that can be bypassed:

  • ROP protections can be bypassed by decoding the encoded pointer
  • EAF can be bypassed using the Windows syscall NtSetContextThread to clear hardware breakpoints
  • EAF+, while introducing additional security checks, can be bypassed by resolving NtSetContextThread by calling GetProcAddress
  • ASR is effective when an attacker forces a target application to load, but is vulnerable to bypass when using a memory leak

Undoubtedly, Microsoft will update EMET to counter these bypasses, but playing a reactive game of catch up is never a viable security plan.

Instead, we need an advanced approach to security, with faster attack detection and response, that provides universal platform protection.

SentinelOne’s endpoint security platform accomplishes this by continuously performing predictive execution inspection of all software processes to detect and block advanced threats in real time at every stage of an attack.