EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21

Similar documents
Enhanced Mitigation Experience Toolkit 5.1

Public Key Infrastructure (PKI)

Smart Card Authentication. Administrator's Guide

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

Bypassing Browser Memory Protections in Windows Vista

SSL/TLS: The Ugly Truth

SSL BEST PRACTICES OVERVIEW

GlobalSign Enterprise Solutions

Breaking the Myths of Extended Validation SSL Certificates

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Implementing Secure Sockets Layer on iseries

Djigzo encryption. Djigzo white paper

Cleaning Encrypted Traffic

Application Note Configuring Department of Defense Common Access Card Authentication on McAfee. Firewall Enterprise

Djigzo S/MIME setup guide

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

Security Policy for FIPS Validation

Understanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012

Bypassing Memory Protections: The Future of Exploitation

NIST ITL July 2012 CA Compromise

Microsoft Trusted Root Certificate: Program Requirements

Fixing Certificate Problems Some users have recently had problems installing Silect products. The symptoms are typically an error like the following:

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

SSL and Browsers: The Pillars of Broken Security

Project SailFin: Building and Hosting Your Own Communication Server.

SBClient SSL. Ehab AbuShmais

Key Management and Distribution

Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Installing your Digital Certificate & Using on MS Out Look 2007.

Microsoft Exchange 2010 and 2007

Hotpatching and the Rise of Third-Party Patches

More on SHA-1 deprecation:

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Integrated SSL Scanning

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

Configuring Digital Certificates

Secure Web Access Solution

Introducing Director 11

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

Windows Mobile SSL Certificates

SEZ SEZ Online Manual- DSC Signing with Java Applet. V Version 1.0 ersion 1.0

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Two Factor Authentication in SonicOS

The IVE also supports using the following additional features with CA certificates:

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

Carillon eshop User s Guide

Installation and Configuration Guide

Smart Card Authentication Client. Administrator's Guide

Protecting Your Organisation from Targeted Cyber Intrusion

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Qlik REST Connector Installation and User Guide

Agenda. How to configure

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

8x8 Virtual Office Salesforce Call Center Interface. Administrator Guide. October Salesforce Call Center Interface

Integrated SSL Scanning

DJIGZO ENCRYPTION. Djigzo white paper

Workday Mobile Security FAQ

Trustworthy Computing

Configuring Security Features of Session Recording

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date Version V1.0

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Websense Content Gateway HTTPS Configuration

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

TIB 2.0 Administration Functions Overview

Implementing Cisco IOS Network Security

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

Operating System Security

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

CIPHERMAIL ENCRYPTION. CipherMail white paper

Abstract. Avaya Solution & Interoperability Test Lab

Implementing Secure Sockets Layer (SSL) on i

SAP Web Application Server Security

Astaro User Portal: Getting Software and Certificates Astaro IPsec Client: Configuring the Client...14

Lecture VII : Public Key Infrastructure (PKI)

Digital Certificates Demystified

Enabling SSL and Client Certificates on the SAP J2EE Engine

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Analyzing the MD5 collision in Flame

Criteria for web application security check. Version

Introduction to Network Security Key Management and Distribution

Security Guide. BES12 Cloud. for BlackBerry

WiMAX Public Key Infrastructure (PKI) Users Overview

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Symantec Managed PKI. Integration Guide for ActiveSync

Microsoft Administering the Web Server (IIS) Role of Windows Server

Thick Client Application Security

Secure IIS Web Server with SSL

8x8 Virtual Office Telephony Interface for Salesforce

Transcription:

EMET 4.0 PKI MITIGATION Neil Sikka DefCon 21

ABOUT ME Security Engineer on MSRC (Microsoft Security Response Center) I look at 0Days EMET Developer I enjoy doing security research on my free time too: http://neilscomputerblog.blogspot.com/ Twitter: @neilsikka

OVERVIEW 1. What Is EMET? 2. New Features in EMET 4.0 3. EMET Architecture 4. PKI Feature In Depth 5. PKI Demo

WHAT IS EMET? Mitigates various exploitation techniques Not signature based behavior based Things like stopping shellcode from reading Export Address Table etc DLLs dynamically loaded at runtime No application recompiling/redeploying necessary Can help mitigate 0Days Works on all supported Windows Platforms on x86/amd64 Giving back to the security community Its Free

COMPATIBLE APPLICATIONS The logos and products mentioned herein may be the trademarks of their respective owners.

CHANGES BETWEEN EMET 3.0/4.0 We added Certificate Trust (PKI) Mitigations Our first non memory corruption mitigation ROP Mitigation Some ROP Hardening (Deep Hooks, Antidetours, Banned Functions) New GUI

EXPLOIT MITIGATIONS DEP Call SetProcessDEPPolicy HeapSpray Reserve locations used by heap sprays Mandatory ASLR Reserve module preferred base address, causing loader to load module somewhere else NullPage Reserve first memory page in process, defense in depth EAF Filter shellcode access to Export Address Table (kernel32 and ntdll) BottomUp Randomization Randomize data structure bases

MORE EXPLOIT MITIGATIONS SEHOP-validate SEH chain looking for _EXCEPTION_REGISTRATION structure whose prev pointer is -1 ROP Hardening (new in 4.0) Deep Hooks-protect critical APIs and the APIs they call AntiDetours-protect against jumping over detoured part of a function Banned Functions-disallow calling ntdll!ldrhotpatchroutine

ROP Stands for Return Oriented Programming Bypasses DEP (Data Execution Prevention) Attacker call stack injected into user controlled portion of memory Attacker stack has return pointers that point to gadgets in executable modules loaded in memory These specifically selected gadgets have a few instructions followed by a ret These ret instructions then return to the location pointed to by the next pointer in the attacker stack Functions like VirtualProtect are commonly ROP ed to Requires Stack Pivot to make x86 ESP register point to attacker call stack

ROP MITIGATIONS (NEW IN 4.0) ROP (Detour functions that are commonly ROP ed to) LoadLib Make sure we are not trying to call LoadLibrary() on a network location MemProt Make sure we aren t making stack pages executable Caller Make sure return address on stack was proceeded by a call Make sure we didn t ret to this function SimExecFlow Make sure we don t ret to ROP gadgets StackPivot Make sure Stack Pointer (ESP) is between stack limits defined by TIB

EMET ARCHITECTURE EMET_Agent.exe (Tray Icon, Logging, PKI) Inter-process Communications EMET.dll EMET_CE.dll EMET.dll EMET.dll

WHAT IS PKI? A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. --Wikipedia Used to ensure confidentiality, integrity and attribution online Communication with bank websites and other secure communications online depend on PKI PKI is the basis of HTTPS

PKI HIERARCHY We can verify that each certificate is signed by a parent by looking for a digital signature of the parent on the child certificate. Root Certification Authority Intermediate Certification Authority End Entity End Certificate Intermediate Certificate End Certificate Root Certificate Intermediate Certificate End Certificate

RECENT SSL/TLS INCIDENTS December 2008- MD5 proven weak (Sotirov/Stevens) March 2011- Comodo CA signs 9 fraudulent certificates August 2011- Diginotar signs at least 1 fraudulent certificate November 2011- DigiCert issues 22 certs with 512 bit keys January 2013- TURKTRUST creates 2 issues fraudulent CAs and a certificate

PKI CERTIFICATE PINNING Pinning is when we enforce certain assumptions or expectations about certificates that we get from the internet

RELATED WORK TACK (Marlinspike, Perrin): requires TLS changes, pins to TACK signing key Convergence (Marlinspike): based on Perspectives project, new protocol DANE/TLS (RFC 6698): requires DNS changes HSTS (RFC 6797) + Draft ietf websec key pinning (Evans, Palmer, Sleevi): pins to SubjectPublicKeyInfo hash, requires HTTP changes, used in Chrome

EMET S DESIGN GOALS Our goals in EMET PKI design were the following: 1. Give control to users Users specify the certificates Users specify the domain names Users specify the heuristic checks 2. Don t require changes to pre-existing protocols/new protocols This could break something This would require adoption by the rest of the internet 3. Keep EMET as a standalone tool on the client and not depend on remote services In order to achieve these goals, we had to make tradeoffs that existing designs didn t have to make

EMET S APPROACH Requires no protocol changes Pins to Root Certificates, not Intermediate Certificates Pins to certificates in the Current User s Trusted Root Certification Authorities store Identifies certificates by either: <Issuer, Serial #> Tuple OR Subject Key Identifier (SHA-1 of subjectpublickey)

CERTIFICATE IDENTIFICATION Certificates can be identified by <issuer, serial #> tuples According to RFC5280: the issuer name and serial number identify a unique certificate Identifying a specific certificate is more rigid (restrictive) Certificates can be identified by Public Key Some certificates chain to roots which share the same public key EMET optionally allows certificate identification by only Subject Key Identifier (SHA-1 of hash of Public Key)

Architecture EMET PKI PINNING ARCHITECTURE Default Configuration Example Cert Cert Cert Baltimore CyberTrust Root Verisign GlobalSign GTE CyberTrust Global Root Pin Rule MSSkypeCA Pinned Site Pinned Site Pinned Site Pinned Site login.skype.com secure.skype.com

Implemented in EMET_CE[64].dll EMET_CE.dll loaded inside the process WINDOWS CAPI EXTENSION Communicates with EMET_Agent.exe, and passes it the entire certificate chain including the Root and End certificates hex encoded in XML EMET_Agent.exe decides whether the cert is OK or not CryptRegisterOIDFunction() is called with following parameters: CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC, CERT_CHAIN_POLICY_SSL, EXPORT_FUNC_NAME

CERTIFICATE CHECKS 1 If none of the following matches a Pinned Site s Domain Name, pass because this domain is not configured Server Name of HTTPS connection End certificate s Subject Name End certificate s Subject Simple Name End certificate s Subject DNS Name End certificate s Subject URL Name Any Subject Alternative Name on End certificate Is Pin Rule Expired? If yes, fail

CERTIFICATE CHECKS 2 Either (Depending on Configuration) Is Subject Name of root AND Serial Number of root equal to that in a pinned Root Store certificate? If yes, pass OR Is root Subject Key Identifier equal to that in a pinned Root Store certificate? If yes, pass

CERTIFICATE CHECKS 3 (EXCEPTIONS) Is root Public Modulus Bit length < Pin Rule s allowed length? If yes, fail Is root Digest Algorithm disallowed by the Pin Rule? If yes, fail Is root country equal to the Pin Rule s Allowed Country? If no, fail

DEFAULT PROTECTED DOMAINS Shipped in CertTrust.xml Enabled by Recommended Settings in wizard Microsoft Protected Domains: login.microsoftonline.com secure.skype.com login.live.com login.skype.com 3 rd Party Protected Domains: www.facebook.com login.yahoo.com twitter.com

LIMITATIONS Mitigation is specifically for SSL/TLS Since we just check End and Root Certificates, we don t run heuristics on intermediate certificates Pin configuration is statically shipped with EMET, so they could get outdated If spoofed certificate chained to same root certificate as original, it might not be caught EMET s mitigations are not 100% bullet proof They just try to raise the bar for attackers

Recorded or Live?

REFERENCES ntdll!ldrhotpatchroutine http://cansecwest.com/slides/2013/dep-aslr%20bypass%20without%20rop-jit.pdf MD5 Harmful (Sotirov/Stevens) http://www.win.tue.nl/hashclash/rogue-ca/ TACK (Marlinspike, Perrin) http://tack.io/draft.html Convergence (Marlinspike) http://convergence.io/ DANE/TLS RFC 6698 http://tools.ietf.org/html/rfc6698 HSTS RFC 6797 http://tools.ietf.org/html/rfc6797 Chrome s Public Key Pinning Extension (Evans, Palmer, Sleevi) http://tools.ietf.org/html/draft-ietf-websec-key-pinning-07 Download EMET 4.0: http://www.microsoft.com/enus/download/details.aspx?id=39273 X509 RFC 5280 http://tools.ietf.org/html/rfc5280 More Information about Memory Corruption Mitigations in EMET 4.0: http://www.recon.cx/2013/slides/recon2013-elias%20bachaalany-inside%20emet%204.pdf ROP Explanation: http://www.neilscomputerblog.blogspot.com/2013/04/rop-return-oriented-programming.html http://www.youtube.com/watch?v=vyi8b3vow9m

QUESTIONS ABOUT EMET?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information