Microsoft EMET 4.0 Enables Certificate Pinning to Defeat MITM Attacks

Microsoft later this month will release a new version of its EMET protection tool, and this iteration will include a certificate pinning feature that will enable users to associate a specific certificate with a given certificate authority. The feature is designed a defense against man-in-the-middle attacks that use forged certificates to redirect users or intercept protected traffic.

Microsoft later this month will release a new version of its EMET protection tool, and this iteration will include a certificate pinning feature that will enable users to associate a specific certificate with a given certificate authority. The feature is designed a defense against man-in-the-middle attacks that use forged certificates to redirect users or intercept protected traffic.

EMET is a toolkit designed specifically to help prevent certain kinds of exploits from working on protected applications. For example, users can deploy EMET to get the advantages of DEP or ASLR in applications that were not compiled with those exploit mitigations enabled. The new version of EMET is due May 28 and is beta trim right now. The addition of certificate pinning is a significant one, although the feature only works by default when users are browsing with Internet Explorer.

Certificate pinning is a technique that can be used as a defense against attacks that take advantage of users’ trust in certificates and CAs, a trust that has been exploited many, many times in recent years. The compromises of Comodo, DigiNotar and other CAs have exposed the cracks in the CA infrastructure that have been there since its inception but rarely are noticed by anyone outside of the immediate vicinity. Attackers have discovered ways to issue fraudulent certificates to themselves for various important sites, notably Google, Mozilla, Yahoo and others.

Some of those attacks would not have been as damaging as they were if the users on the other end of the Web connection from the fake certificates had certificate pinning available. That defense would have allowed users to pin the Google SSL certificate to the Google Internet Authority, which issues the company’s legitimate certificates. EMET, which is meant as an enterprise tool, can help organizations fix that situation.

“EMET 4.0 comes with Certificate Trust enabled by default, including a set of pre-configured websites for the most common domains used by Microsoft online services; nevertheless, since we believe that certificate pinning is a useful tool to detect MITM attacks targeting any domain and not just Microsoft services, we designed Certificate Trust totally configurable, in order to allow any user to configure custom pinning rules that will be enforced when browsing the web with Internet Explorer,” Elia Florio of Microsoft wrote.

“EMET 4.0 has a main switch button in the system mitigation panel that can be used to activate or de-activate Certificate Trust. Once enabled, users have to specify which certificates and Root Certificate Authorities to trust. Users can verify that the Certificate Trust feature is activated from the EMET GUI by checking that the system status of this mitigation is “Enabled” and that Internet Explorer process (iexplore.exe) is in the list of configured apps (with or without memory mitigations enabled). This configuration allows EMET to inject into the protected process a new small module (EMET_CE.DLL) that will operate only within Internet Explorer to enforce the certificate pinning protection.”

There is a function in EMET 4.0 that allows advanced users to create some exceptions for certificate pinning, as well, based on variables such as key size and country of origin for the certificate. Users also can manually opt-in other executables for the certificate pinning, including another browser.

In addition to the certificate pinning feature, EMET 4.0 also includes protection against some techniques that researchers developed last year to bypass previous versions of the toolkit.

“For example, instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additional hook lower level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory.  These “Deep Hooks” can be configured in EMET’s Advanced Configuration.  We have seen exploits attempt to evade EMET hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue.  With EMET 4.0’s “Anti detours” option enabled, common shellcode using this technique will be blocked.  Finally, EMET 4.0 also includes a mechanism to block calls to banned API’s,” Microsoft said.

Suggested articles