26.02.2014, 08:13
Ponieważ MBAE jest podobnie działającym i chroniącym programem, zadawano sobie pytanie, czy również i jego dotyczy problem obejścia osłon EMET 4.1...nie ma jednoznacznej odpowiedzi ani adekwatnych testów, jest natomiast komentarz autora programu nieco rozsiany po wątku na Wildersach
Cytat: ZeroVulnLabs
Developer (aka "pbust")
It''s good that there are new anti-exploit products coming to market, it shows there is a need that is not being filled by traditional security products. Looking forward to actually testing the product. This one seems like a copycat of EMET which activates various OS protections, although with some improvements. The important thing however is not the number of activated techniques but the detection logic which applies those techniques, as many individual techniques can and have been bypassed.
MBAE as you know takes a different and proven approach to blocking exploits than EMET and this is not reflected in the comparison. For example in addition to memory protections MBAE also has other protection layers which look at application behavior and which prevents exploits even when there are bypasses for those memory protections or sandbox escapes.
Many things shown as negatives on the table we do internally or using other methods not reflected in the table, like for example the per process mitigation. The fact we internally finetune and apply our techniques per process means it is a benefit (instead of a negative) in terms of stability, compatibility and provides the best protection for that specific application, as opposed to applying standard mitigations which can cause incompatibilities such as the known EMET issues. It also means end users who are not experienced vulnerability researchers might turn off important mitigations or not turn on the correct ones for a specific application. Also there are some incorrect statements in the table and irrelevant ones when comparing exploit mitigations (the last 6 or so).
[Aby zobaczyć linki, zarejestruj się tutaj]
Cytat: Quote:
Cytat: Originally Posted by harshisthere
I am skeptical about MBAE because no one has till now made a recommendation that it works. The ones like Fire eye or bromium and others who expose so many exploits. They all recommend EMET.
MBAE, in addition to the memory protections similar to those found in EMET (and some not found in EMET) also has a different layer of application behavior protection which has been proven time and again in stopping memory protection bypasses and sandbox escapes as in the typical Java exploits found ITW which bypass even EMET 4.1 (haven''t looked at the default install of EMET 5.0 yet). In this particular scenario it would likely prevent the payload from running after all the memory protections have been bypassed.
But as others have said above, MBAE is still beta and we continue developing, adding new techniques every new beta version that is released and we have bigger plans for it in the near future which prevent the limitations inherent in userland protections. Due that we don''t have time to spend on researching bypasses for EMET and other popular applications, but once we get closer to release I hope we''ll be able to dedicate some resources to that as well.
"Bezpieczeństwo jest podróżą, a nie celem samym w sobie - to nie jest problem, który można rozwiązać raz na zawsze"
"Zaufanie nie stanowi kontroli, a nadzieja nie jest strategią"
"Zaufanie nie stanowi kontroli, a nadzieja nie jest strategią"