Difference between OS ASLR and EMET ASLR?

The FAQ in the documentation states that EMET doesn't use the OS implementation of ASLR, but it fails to state what the difference between its implementation and the OS(s?) implementation is, meaning you can't make an educated choice on whether using EMET's is a good idea.

I'm sure I found an answer to this once, but my Google-fu is weak today. Can anyone tell me the difference?

June 18th, 2013 9:35am

Now, let's dive into one of the unique EMET mitigations, Mandatory Address Space Layout Randomization (ASLR), to see how it works and how it helps prevent successful exploitation. Mandatory ASLR builds on the ASLR mitigation that has shipped with every version of the Windows operating system since Windows Vista. ASLR works by randomizing the addresses where executables and modules are loaded, which helps prevent an attacker from leveraging data at predictable locations. Because an attacker must guess where the data they need is located, a successful attack is less likely. There is a problem, though. Even when an application has opted in to ASLR, some of the dynamic-link library (DLL) files being used by the application can be placed at predictable locations. This happens when DLLs are not compiled with the /DYNAMICBASE linker option. However, when mandatory ASLR is enabled, EMET solves this problem by forcing the relocation of the DLLs.

http://technet.microsoft.com/en-us/security/gg524265.aspx

So my question becomes: is this information still accurate for Windows 8, which made a number of changes to the ASLR implementation?


June 18th, 2013 9:42am

Hi Quitch,

Thanks for the link to the TechNet article; it does provide a very useful explanation of how Mandatory ASLR works.

There is additional information in the following EMET thread:

http://social.technet.microsoft.com/Forums/en-US/emet/thread/70f0e91a-1b37-400f-826d-97a56d392c15

Within this thread there is a link to a YouTube video by Didier Stevens who explains EMET's ASLR in more detail. I have also mentioned (in that thread) where in that video he talks about this.

Here is my understanding of EMET's Mandatory ASLR: if the DLLs within an executable file were compiled with the /DYNAMICBASE linker option, EMET will not take any action. EMET's ASLR works by examining the preferred loading address of the DLLs within an executable file (when they don't already use the ASLR of the OS). EMET then pre-allocates those locations (most likely with default data or random data, just to fill in that memory location) and then provides a random memory location to the DLL being loaded so that the DLL is loaded at that address.

As Didier Stevens mentions in the video linked to in the above thread, EMET's ASLR is actually more random than the ASLR of the OS (this comment may not apply to Windows 8).

You are correct about Windows 8: it did introduce improvements to ASLR. The best sources of information about these changes are the following links:

http://technet.microsoft.com/en-us/library/dn169048.aspx

http://blogs.windows.com/windows/b/business/archive/2013/02/27/windows-8-built-with-security-in-mind.aspx

http://gcn.com/Articles/2012/07/25/2nd-Black-Hat-Windows-8-improves-security.aspx?Page=1

http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

This PDF was originally mentioned in the following blog post:

https://isc.sans.edu/diary/EMET+3.5%3A+The+Value+of+Looking+Through+an+Attacker's+Eyes/14797

My thanks to Chris Covington for bringing this very useful PDF to the attention of a wider audience.

Further technical details about ASLR and Force ASLR are available in the following links:

http://www.insanitybit.com/2012/11/09/windows-8-takes-aslr-to-the-next-level/

http://blog.ptsecurity.com/2012/12/windows-8-aslr-internals.html

http://support.microsoft.com/kb/2639308

While Windows 8 does bring significant improvements to ASLR, third-party programs are not obliged to use it. This is where EMET can assist by forcing such applications to use ASLR. This applies to Force ASLR too (as page 17 of the above PDF discusses): applications must opt in to receive the benefits of Force ASLR.

I hope this helps. If I can answer any other related questions, please let me know.

Thank you.

June 18th, 2013 10:39pm
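Both the quoted TechNet article and the answer above turn on one bit in the PE header: whether a DLL was linked with /DYNAMICBASE. A defender auditing which modules would be left at their preferred address under plain OS ASLR (and so depend on EMET's Mandatory ASLR or Windows 8 Force ASLR) can read that bit directly. The script below is an added example written for this thread, not code from EMET, Microsoft or anyone in the discussion. It parses the COFF and optional headers of a PE image, reports the DYNAMIC_BASE flag, the Windows 8 HIGH_ENTROPY_VA flag and the COFF RELOCS_STRIPPED flag (an image with relocations stripped cannot be rebased by any loader, so forced relocation cannot help it), and classifies the module. The flag values come from the PE/COFF specification; the function names, the classification labels and the three sample headers are my own constructed test data.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics: no .reloc data, image cannot move
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # opts in to 64-bit high-entropy ASLR (Windows 8 and later)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # set by /DYNAMICBASE: the OS loader will rebase it
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_aslr_posture(data: bytes) -> dict:
    """Parse the headers of a PE image and return its ASLR-relevant flags.

    Only the DOS header pointer, the COFF header and the first 72 bytes of the
    optional header are read, so a header-only read of a file is enough.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, _n, _ts, _sym, _nsym, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)   # 4-byte ImageBase after BaseOfData
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # 8-byte ImageBase, no BaseOfData
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def classify(posture: dict) -> str:
    """Labels (my own): 'os-aslr' = the OS randomises it on its own;
    'needs-mandatory-aslr' = loads at its preferred base under plain OS ASLR but
    carries relocations, so forced relocation (EMET / Force ASLR) can move it;
    'fixed' = relocations stripped, no loader can rebase it."""
    if posture["dynamic_base"]:
        return "os-aslr"
    if posture["relocs_stripped"]:
        return "fixed"
    return "needs-mandatory-aslr"


def build_pe_header(pe32plus: bool, image_base: int, characteristics: int, dll_chars: int) -> bytes:
    """Construct a minimal PE header for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a modern 64-bit DLL, a legacy 32-bit DLL without
# /DYNAMICBASE, and a 32-bit DLL whose relocations were stripped.
SAMPLES = {
    "modern64.dll": build_pe_header(True, 0x180000000, 0x2022,
                                    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    "legacy32.dll": build_pe_header(False, 0x10000000, 0x2102, 0),
    "stripped32.dll": build_pe_header(False, 0x10000000, 0x2102 | IMAGE_FILE_RELOCS_STRIPPED, 0),
}


def report(samples=SAMPLES) -> dict:
    """Map each module name to its classification."""
    return {name: classify(pe_aslr_posture(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        p = pe_aslr_posture(blob)
        print(f"{name:16} base=0x{p['image_base']:x} dynamic_base={p['dynamic_base']} "
              f"high_entropy_va={p['high_entropy_va']} -> {classify(p)}")
```

To audit a real process, read the first few kilobytes of each loaded module's file and pass them to `pe_aslr_posture`; anything classified `needs-mandatory-aslr` is exactly the case the TechNet article describes, and anything classified `fixed` will not benefit from forced relocation and may fail to load if its preferred range is occupied.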

