Bypassing EMET 4.1

DeMott, Jared D.

doi:10.1109/msp.2015.75

Cited by 13 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Based on this large set of ROP sequences we constructed a proof-of-concept ROP exploit that launches a new shell to the adversary. Our proof-of-concept attack demonstrates the ineffectiveness of coarse-grained CFI, and confirms the attacks recently presented against Windows EMET and CFI for COTS binaries [7,8].…”

Section: Problems Of Coarse-grained Cfisupporting

confidence: 84%

Hardware-Assisted Fine-Grained Control-Flow Integrity

Davi

Koeberl

Sadeghi

2014

Proceedings of the 51st Annual Design Automation Conference

View full text Add to dashboard Cite

Embedded systems have become pervasive and are built into a vast number of devices such as sensors, vehicles, mobile and wearable devices. However, due to resource constraints, they fail to provide sufficient security, and are particularly vulnerable to runtime attacks (code injection and ROP). Previous works have proposed the enforcement of controlflow integrity (CFI) as a general defense against runtime attacks. However, existing solutions either suffer from performance overhead or only enforce coarse-grain CFI policies that a sophisticated adversary can undermine. In this paper, we tackle these limitations and present the design of novel security hardware mechanisms to enable fine-grained CFI checks. Our CFI proposal is based on a state model and a per-function CFI label approach. In particular, our CFI policies ensure that function returns can only transfer control to active call sides (i.e., return landing pads of functions currently executing). Further, we restrict indirect calls to target the beginning of a function, and lastly, deploy behavioral heuristics for indirect jumps.

show abstract

Section: Problems Of Coarse-grained Cfisupporting

confidence: 84%

Hardware-Assisted Fine-Grained Control-Flow Integrity

Davi

Koeberl

Sadeghi

2014

Proceedings of the 51st Annual Design Automation Conference

View full text Add to dashboard Cite

show abstract

“…When a package contains more than one exploit, the cost of a single exploit can only be estimated. From the literature on exploit development and deployment [9,24,29,30,48,76] two aspects of vulnerabilities emerge as drivers of exploitation effort: 1) vulnerability type (e.g. memory corruption vs cross-site-scripting) [29,48,76]; 2) exploitation complexity (e.g.…”

Section: Analysis Proceduresmentioning

confidence: 99%

“…memory corruption vs cross-site-scripting) [29,48,76]; 2) exploitation complexity (e.g. to evade attack mitigation techniques) [20,24,29].…”

Section: Analysis Proceduresmentioning

confidence: 99%

Economic Factors of Vulnerability Trade and Exploitation

Allodi

2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table

show abstract

“…EMET's MemProt rule can protect against such attacks as it monitors the VirtualProtect() function, but not against ROPInjector, since the latter neither has to call VirutalProtect() nor it has to perform memory corruption attacks as the whole executable is under its control. As a side note, it is important to mention that various research works such as the one presented in [27] have shown that EMET rules can be bypassed trivially and in general they are insufficient to protect against memory corruption attacks.…”

Section: Fig 7: Evasion Ratio Of Ropinjector For the Reverse Meterprmentioning

confidence: 99%

Transforming malicious code to ROP gadgets for antivirus evasion

Ntantogian

Πούλιος

Καρόπουλος

et al. 2019

IET Information Security

View full text Add to dashboard Cite

In this paper, we advance research in offensive technology by proposing Return Oriented Programming (ROP) as a means to achieve code obfuscation. The key inspiration is that ROP's unique structure poses various challenges to malware analysis compared to traditional shellcode inspection and detection. Our proposed ROP-based attack vector provides two unique features: 1) the ability to automatically analyze and generate equivalent ROP chains for a given code, and, 2) the ability to reuse legitimate code found in an executable in the form of ROP gadgets. To this end, we have developed a tool named ROPInjector which, given any piece of shellcode and any legitimate executable file, it transforms the shellcode to its ROP equivalent re-using the available code in the executable and finally patches the ROP chain infecting the executable. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly and completely all antivirus software employed in the online VirusTotal service, making ROP an effective ingredient for code obfuscation. We believe that this attack vector poses a serious threat which malicious actors can take advantage to perform cyber-attack campaigns. We hope that our work drives more research towards the automatic detection of code obfuscation techniques. The AV industry also should be aware of this code obfuscation technique and counteract accordingly.

show abstract

Bypassing EMET 4.1

Cited by 13 publications

References 0 publications

Hardware-Assisted Fine-Grained Control-Flow Integrity

Hardware-Assisted Fine-Grained Control-Flow Integrity

Economic Factors of Vulnerability Trade and Exploitation

Transforming malicious code to ROP gadgets for antivirus evasion

Contact Info

Product

Resources

About