1 00:00:01,520 --> 00:00:03,700 How else does Windows protect its users?
2 00:00:05,270 --> 00:00:13,780 The first mechanism is ASLR. The ASLR mechanism is designed to prevent buffer overflow attacks,
3 00:00:14,650 --> 00:00:22,620 in particular automated buffer overflow attacks. In the future we will speak in more detail about these
4 00:00:22,620 --> 00:00:23,410 attacks.
5 00:00:25,520 --> 00:00:31,100 For now, let's remember that in order to carry out an attack of this type, the specified library needs to
6 00:00:31,100 --> 00:00:35,040 be found in memory.
7 00:00:35,190 --> 00:00:39,980 We need to know at which address in the operating memory a certain library is allocated.
8 00:00:40,970 --> 00:00:47,200 We need to know how it works and how it's built. To hinder such automation,
9 00:00:47,200 --> 00:00:52,750 newer Windows systems, every time they're launched, load the system libraries in a different area of
10 00:00:52,750 --> 00:01:01,900 memory. Cells with addresses from 1 to 255 are chosen at random. Exploits have a one in two hundred and
11 00:01:01,920 --> 00:01:07,080 fifty-five chance that this will work.
12 00:01:07,130 --> 00:01:11,520 We can trace such an operation in Process Explorer. In a moment
13 00:01:11,530 --> 00:01:15,300 we will have the opportunity to see it.
14 00:01:15,320 --> 00:01:18,680 Unfortunately, the ASLR mechanism is not mandatory:
15 00:01:21,290 --> 00:01:24,320 system libraries are covered, but programs are not covered.
16 00:01:25,600 --> 00:01:28,940 Protection of programs in this way is the decision of the user.
17 00:01:31,740 --> 00:01:38,220 In the past, in order for programs to be protected by ASLR and other mechanisms such as DEP, which we'll
18 00:01:38,220 --> 00:01:39,650 talk about in a moment,
19 00:01:40,230 --> 00:01:46,840 it was necessary to set the corresponding bit in the header of a given program.
20 00:01:46,930 --> 00:01:52,240 It was necessary to have access to the source code or open the file in a hex editor and manually edit
21 00:01:52,240 --> 00:01:53,670 the appropriate bits.
22 00:01:55,630 --> 00:01:59,550 Not many users or administrators wanted to do this.
23 00:01:59,570 --> 00:02:03,820 The solution came again from Microsoft.
24 00:02:03,890 --> 00:02:09,140 We have a tool that allows enabling this protection also for programs that do not require it, without
25 00:02:09,170 --> 00:02:11,240 any interference in their privileges.
26 00:02:13,790 --> 00:02:27,670 In a moment we'll see this. This tool is called the Enhanced Mitigation Experience Toolkit, or EMET.
27 00:02:27,730 --> 00:02:31,220 Let's talk for a moment longer about the DEP mechanism.
28 00:02:33,310 --> 00:02:35,710 This is another way to defend against the same threat.
29 00:02:39,330 --> 00:02:42,460 DEP is available on 32-bit platforms
30 00:02:42,460 --> 00:02:48,550 as long as the hardware supports the mechanism, that is, if the processor is compatible with the solution.
31 00:02:51,700 --> 00:02:55,650 In the case of the companies AMD and Intel, these solutions are called differently,
32 00:02:55,840 --> 00:02:57,510 but their task is the same.
33 00:03:00,280 --> 00:03:07,450 The point is that in contemporary PC architecture there is no dedicated storage area for data or a memory
34 00:03:07,480 --> 00:03:09,010 area for code.
35 00:03:09,010 --> 00:03:12,220 There is one RAM virtual address space memory;
36 00:03:15,240 --> 00:03:20,120 what's in it depends on the program which allocated it.
37 00:03:20,200 --> 00:03:24,730 It could be such that, when overriding the return code from a function call
38 00:03:24,730 --> 00:03:27,200 (again we're dealing with buffer overflow attacks),
39 00:03:27,490 --> 00:03:34,730 the attacker tries to execute code that's placed in a data area, for example by passing it as a parameter
40 00:03:34,790 --> 00:03:36,740 invoking some program function.
41 00:03:39,700 --> 00:03:44,860 The point is that somehow, from the outside, the manner in which the program runs can be changed without
42 00:03:44,860 --> 00:03:55,430 changing its code. The DEP function means some areas of memory are data only. The attempt to execute code
43 00:03:55,430 --> 00:03:59,880 contained in such a designated memory area results in an error.
44 00:03:59,990 --> 00:04:07,320 The program is automatically stopped by Windows, at least in theory, because lately there's been increasing
45 00:04:07,320 --> 00:04:12,420 talk that in the case of Intel processors this low level of security was overcome,
46 00:04:12,450 --> 00:04:18,950 and programs are forced to execute code labeled as data only.
47 00:04:18,960 --> 00:04:26,180 Let's see then how ASLR and DEP work and how they protect third-party software using the EMET program.
48 00:04:27,660 --> 00:04:29,730 We'll take a look at only part of the first.
49 00:04:35,510 --> 00:04:38,570 Run Process Explorer as a privileged process.
50 00:04:40,700 --> 00:04:44,570 Then select the Explorer process and in the bottom window display the libraries.
51 00:04:48,070 --> 00:04:52,250 This way you will see what libraries are used by the explorer.exe process.
52 00:04:56,630 --> 00:04:59,500 These are shared libraries or shared data areas.
53 00:05:03,050 --> 00:05:07,910 We can see, among other things, at which address each library is loaded.
54 00:05:07,910 --> 00:05:11,910 We're particularly interested in the ntdll library.
55 00:05:12,050 --> 00:05:13,730 This is a kernel system loader.
56 00:05:15,980 --> 00:05:20,690 The library will begin the boot process when we switch to graphics mode.
57 00:05:20,690 --> 00:05:24,440 It means that ntdll just launched.
58 00:05:24,600 --> 00:05:30,690 If we have the ASLR mechanism enabled, then after restarting, the library address must be different,
59 00:05:31,470 --> 00:05:37,130 with a chance of 1 to 255.
60 00:05:37,130 --> 00:05:44,200 Now let's look at the DEP protection. Displaying the computer's advanced properties, we can accidentally
61 00:05:44,200 --> 00:05:50,870 click on the Settings button in the Performance section.
62 00:05:50,900 --> 00:05:55,190 In fact, DEP has nothing to do with performance.
63 00:05:55,220 --> 00:06:00,560 It may only sometimes slow the computer. Going to these settings,
64 00:06:00,560 --> 00:06:07,750 it appears that Data Execution Prevention is turned on, but only for the operating system.
65 00:06:07,750 --> 00:06:12,080 The programs are not protected by DEP.
66 00:06:12,290 --> 00:06:17,850 We protect this code fragment, which is anyway most likely resistant to attack because it is thoroughly
67 00:06:17,850 --> 00:06:23,550 checked in the Microsoft Corporation's Trustworthy Computing Group initiative that we mentioned earlier.
68 00:06:25,060 --> 00:06:26,560 In order to change this,
69 00:06:26,650 --> 00:06:35,130 we need to select the second option. From now on, all programs are protected by DEP.
70 00:06:35,370 --> 00:06:42,300 If a program does not work because it happens to invoke a code fragment, such as ISAPI libraries, which
71 00:06:42,300 --> 00:06:48,190 are located in the area of memory that cannot be invoked, we should configure the settings as seen above.
72 00:06:50,230 --> 00:06:54,190 This is the default configuration of the server system.
73 00:06:54,310 --> 00:06:57,650 There is no reason not to change it for the client systems as well.
74 00:07:00,600 --> 00:07:06,390 What do we do if we've inherited a program which has been operating in our company for 10 or 15 years?
75 00:07:06,390 --> 00:07:08,820 Its author is completely unknown.
76 00:07:08,820 --> 00:07:14,030 The code was lost long ago with its creator, and for some reason we still need to use it.
77 00:07:16,790 --> 00:07:22,430 The best thing we can do is use the Enhanced Mitigation Experience Toolkit in order to give the program
78 00:07:22,430 --> 00:07:26,670 some additional security.
79 00:07:26,700 --> 00:07:31,150 Now we'll see how easy it is to use the EMET tool.
80 00:07:31,280 --> 00:07:37,370 It allows us to configure the system, such as changing the DEP option which we saw earlier in the system
81 00:07:37,370 --> 00:07:40,040 properties.
82 00:07:40,060 --> 00:07:43,360 These are global options.
83 00:07:43,500 --> 00:07:50,660 We already talked about DEP. We also talked about ASLR. What else is in the program?
84 00:07:50,670 --> 00:07:53,280 There's one more option, which is called SEHOP.
85 00:07:54,160 --> 00:07:59,260 Here it deals with the type of buffer overflow attack that involves structured exception handling.
86 00:08:02,560 --> 00:08:08,060 If a function reports an error, the code handling this exception is in a different area of the memory.
87 00:08:10,010 --> 00:08:15,990 Another possibility is that it reports an exception caused by another code fragment. We're dealing with
88 00:08:15,990 --> 00:08:23,350 the hierarchy of a structured exception handler. The attacker tends to take advantage of this mechanism
89 00:08:23,350 --> 00:08:28,810 in such a way that the function that handles the error, at the end of the action, does not return control
90 00:08:28,810 --> 00:08:30,840 to the function that caused the error,
91 00:08:31,270 --> 00:08:35,600 but another memory address is indicated.
92 00:08:35,770 --> 00:08:41,990 This will be a memory address where the attacker probably already managed to place his own code.
93 00:08:42,220 --> 00:08:49,390 We can easily see how this mechanism protects us from such attacks. This mechanism works quite simply:
94 00:08:50,320 --> 00:08:53,830 it saves the last address on a list of an exception handling function.
95 00:08:56,510 --> 00:09:02,530 Now, when error handling finishes and program execution control returns to the main program, SEHOP
96 00:09:02,540 --> 00:09:06,340 checks to see if it went outside the stored address.
97 00:09:06,370 --> 00:09:08,710 If so, it immediately stops the program.
98 00:09:12,510 --> 00:09:13,620 In the EMET program
99 00:09:13,660 --> 00:09:20,740 we see a list of certain processes and whether or not they're protected by DEP. What can we do to protect
100 00:09:20,740 --> 00:09:22,280 an additional program?
101 00:09:24,170 --> 00:09:31,020 We click the Configure Apps button and we indicate a program that we'd like to protect. Suppose that
102 00:09:31,020 --> 00:09:38,840 we'd like to protect a program from the Sysinternals Suite series. Let's select here the ProcExp program.
103 00:09:41,000 --> 00:09:42,390 For ProcExp,
104 00:09:42,500 --> 00:09:51,810 we can enforce DEP protection or SEHOP protection. We can also enable ASLR and additionally protect
105 00:09:51,810 --> 00:09:58,830 the program from the type of attack characteristic for Internet Explorer called heap spray. In a heap
106 00:09:58,830 --> 00:10:05,490 spray attack, the attacker tries to multiply a code fragment which is injected, for example, as a parameter
107 00:10:05,490 --> 00:10:09,170 invoking a function.
108 00:10:09,420 --> 00:10:14,160 The more copies of the attacker's mini-program that are placed on the heap, the greater the chance that
109 00:10:14,160 --> 00:10:18,660 when it later overwrites the return address, it will indicate its own code to execute.
110 00:10:21,410 --> 00:10:27,260 Heap spray protection allocates memory on the heap for the program in advance and makes sure that jumps to specific
111 00:10:27,290 --> 00:10:31,070 addresses are controlled.
112 00:10:31,090 --> 00:10:32,900 Therefore, the question is raised.
113 00:10:34,290 --> 00:10:41,290 How can ASLR be forced for a program that does not support it? The program always wants to load at the
114 00:10:41,290 --> 00:10:42,320 same address.
115 00:10:47,020 --> 00:10:54,670 The EMET program allocates memory for a program that we indicate, then it makes it available. Of course,
116 00:10:54,670 --> 00:10:56,560 EMET supports ASLR.
117 00:10:56,560 --> 00:11:04,220 So each time a given application starts, in our case ProcExp, it will load it under a different operating
118 00:11:04,220 --> 00:11:06,570 memory address.
119 00:11:06,630 --> 00:11:08,510 This actually ends our protection.
120 00:11:12,210 --> 00:11:14,340 After running Process Explorer,
121 00:11:14,400 --> 00:11:16,170 we see it in the EMET program:
122 00:11:19,010 --> 00:11:24,530 the DEP protection is enabled for our process and it is virtualized and protected by EMET according to
123 00:11:24,530 --> 00:11:26,420 the options we previously set.
124 00:11:29,040 --> 00:11:33,930 The same application that was previously susceptible to buffer overflow attacks is now resistant to
125 00:11:33,930 --> 00:11:37,650 these attacks without changing even a single line of code.