This document lists the Mitigation Options and their purpose in the Settings screen when you create a New Enhanced Mitigation Action.
Data Execution Prevention (DEP)
Prevents attackers from executing code from areas of memory that are not explicitly marked as executable. DEP is a critical part of the broader set of exploit mitigation technologies developed by Microsoft, such as ASLR, SEHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example, DEP's weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass.
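DEP and ASLR are opt-in for the modules of a process unless a policy such as the DEP and Mandatory ASLR options on this page forces them: a PE image signals its opt-in through the DllCharacteristics bits of its optional header. The following Python script is an added example, not code from this page or from the product it describes; it reads those bits from an image and reports which of the two mitigations a per-process policy would have to impose rather than merely honour. The bit values and header offsets are those of the PE/COFF specification; the synthetic header built by build_minimal_pe is a constructed test input, not a loadable binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR
DYNAMIC_BASE    = 0x0040  # image opts in to ASLR (relocatable at load time)
NX_COMPAT       = 0x0100  # image opts in to DEP
NO_SEH          = 0x0400  # image declares that it uses no SEH handlers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (file bytes; only headers are read)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = e_lfanew + 4 + 20          # skip PE signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt_off + 70)[0]


def mitigation_optin(image: bytes) -> dict:
    """Map the opt-in bits to the mitigations they concern."""
    dc = dll_characteristics(image)
    return {
        "DEP": bool(dc & NX_COMPAT),
        "ASLR": bool(dc & DYNAMIC_BASE),
        "HighEntropyASLR": bool(dc & HIGH_ENTROPY_VA),
        "NoSEH": bool(dc & NO_SEH),
    }


def needs_forcing(image: bytes) -> list:
    """Mitigations the image does not opt in to, i.e. the ones a per-process policy
    (the DEP and Mandatory ASLR options) must impose rather than merely honour."""
    report = mitigation_optin(image)
    return [m for m in ("DEP", "ASLR") if not report[m]]


def build_minimal_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed test input: a synthetic PE header (no sections, not loadable) with
    just the fields the parser above reads."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                      # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # inspect a real file passed on the command line
        with open(sys.argv[1], "rb") as f:
            image = f.read(4096)                # the headers live at the start of the file
    else:                                       # otherwise use the constructed header
        image = build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA)
    print(mitigation_optin(image))
    print("must be forced by policy:", needs_forcing(image))
```

Running the script against the DLLs an application loads shows where the Mandatory ASLR and DEP options actually change behaviour: a module that already sets DYNAMIC_BASE and NX_COMPAT is protected by the loader anyway, while a module that sets neither is only randomized or made non-executable because the per-process policy forces it, which is also where compatibility problems with older modules tend to surface.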
Structured Exception Handler Overwrite Protection (SEHOP)
Prevents attackers from making use of the Structured Exception Handler (SEH) overwrite exploitation technique. SEH overwrites are commonly used by exploits that target the increasing number of browser-based vulnerabilities. The SEHOP mitigation relies on an implicit side effect of an SEH overwrite: in the majority of stack-based buffer overflows, the attacker implicitly overwrites the next pointer of an exception registration record before overwriting the record's exception handler function pointer. Because the next pointer is corrupted, the integrity of the exception handler chain is broken. This insight, in combination with ASLR, is what allows SEHOP to effectively mitigate SEH overwrites. For more information about SEHOP, see the Microsoft TechNet blog post at http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx.
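The chain-integrity argument above can be worked through on a small model. The Python below is an added example, not code from this page or from Microsoft's implementation: it lays out 32-bit exception registration records (Next pointer followed by Handler pointer) on a modelled stack, implements a simplified version of the chain walk the paragraph describes (every Next pointer must stay inside the stack, be aligned and move upward, and the walk must end at a terminator record whose handler is the known final handler), and then shows that a contiguous write running upward from a local buffer cannot reach a record's Handler field without first crossing its Next field. All addresses, handler values and the stack layout are constructed for the model.

```python
import struct

STACK_BASE = 0x0012F000      # constructed: lowest address of the modelled stack
STACK_SIZE = 0x1000
END_OF_CHAIN = 0xFFFFFFFF    # Next value that terminates the SEH chain
FINAL_HANDLER = 0x7C839AD8   # constructed stand-in for the final exception handler's address
RECORD_SIZE = 8              # EXCEPTION_REGISTRATION_RECORD: Next (4 bytes) + Handler (4 bytes)


class Stack:
    """A flat byte model of the thread stack."""

    def __init__(self):
        self.mem = bytearray(STACK_SIZE)

    def contains(self, addr):
        return STACK_BASE <= addr < STACK_BASE + STACK_SIZE

    def read_dword(self, addr):
        return struct.unpack_from("<I", self.mem, addr - STACK_BASE)[0]

    def write_dword(self, addr, value):
        struct.pack_into("<I", self.mem, addr - STACK_BASE, value)

    def write_bytes(self, addr, data):
        off = addr - STACK_BASE
        data = data[:STACK_SIZE - off]              # never grow past the modelled stack
        self.mem[off:off + len(data)] = data


def build_chain(stack, head_addr, handlers, spacing=0x40):
    """Lay out registration records from head_addr upward, one per handler, followed by
    the terminator record that points at the final handler. Returns the chain head."""
    addr = head_addr
    for handler in handlers:
        stack.write_dword(addr, addr + spacing)     # Next -> the record above this one
        stack.write_dword(addr + 4, handler)        # Handler
        addr += spacing
    stack.write_dword(addr, END_OF_CHAIN)
    stack.write_dword(addr + 4, FINAL_HANDLER)
    return head_addr


def sehop_chain_is_valid(stack, head_addr, max_records=64):
    """Simplified model of the SEHOP integrity walk (assumption: the real check has
    more conditions). The dispatch would be refused when this returns False."""
    addr, prev = head_addr, None
    for _ in range(max_records):
        if addr % 4 != 0 or not stack.contains(addr + RECORD_SIZE - 1):
            return False                            # record outside the stack or misaligned
        if prev is not None and addr <= prev:
            return False                            # chain must move toward higher addresses
        nxt = stack.read_dword(addr)
        if nxt == END_OF_CHAIN:
            return stack.read_dword(addr + 4) == FINAL_HANDLER
        prev, addr = addr, nxt
    return False                                    # too long: treated as corrupted


def record_fields_overwritten(buf_addr, length, record_addr):
    """Which fields of the record at record_addr a contiguous upward write of `length`
    bytes starting at buf_addr covers. Next lives at +0 and Handler at +4, so Handler
    can only be covered once Next already is."""
    end = buf_addr + length
    return {
        "Next": buf_addr <= record_addr < end,
        "Handler": buf_addr <= record_addr + 4 < end,
    }


def demo():
    """Returns (chain valid before the overwrite, chain valid after it)."""
    stack = Stack()
    head = STACK_BASE + 0x800
    build_chain(stack, head, handlers=[0x00401000, 0x00402000])   # constructed handler addresses
    before = sehop_chain_is_valid(stack, head)
    buf = head - 0x20                                             # 32-byte local below the first record
    # A write long enough to reach the Handler field passes over the Next field first.
    stack.write_bytes(buf, b"A" * (0x20 + RECORD_SIZE))
    after = sehop_chain_is_valid(stack, head)
    return before, after


if __name__ == "__main__":
    print("chain valid before/after overwrite:", demo())
    print(record_fields_overwritten(0x0012F7E0, 0x24, 0x0012F800))
```

The model makes the dependency on ASLR visible as well: the walk only rejects the chain because the clobbered Next value does not lead to the expected terminator, so the check is meaningful only when the attacker cannot predict where a forged, well-formed chain would have to sit, which is what ASLR denies.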
Null Page Protection (NullPage) - Pre-allocates the null page to prevent exploits from using it for malicious purpose.
Heap Spray Protection (HeapSpray) - Pre-allocates areas of memory that are commonly used by attackers to allocate malicious code.
Export Address Table Filtering (EAF) - Regulates access to the Export Address Table (EAT) based on the calling code.
Export Address Table Filtering Plus (EAF+) - Blocks read attempts to export and import table addresses originating from modules commonly used to probe memory during the exploitation of memory corruption vulnerabilities.
Mandatory Address Space Layout Randomization (MandatoryASLR) - Randomizes the location where modules are loaded in memory, limiting the ability of an attacker to point to predetermined memory addresses.
Bottom-Up Address Space Layout Randomization (BottomUpASLR) - Improves the Mandatory ASLR mitigation by randomizing the base address of bottom-up allocations.
Load Library Protection (LoadLib) - Stops the loading of modules located in UNC paths, which is a common technique in Return Oriented Programming (ROP) attacks.
ROP Caller Check (Caller) - Stops the execution of critical functions if they are reached via a 'RET' instruction, which is a common technique in Return Oriented Programming (ROP) attacks.
ROP Simulate Exec Flow (SimExecFlow) - Reproduces the execution flow after the return address, trying to detect Return Oriented Programming (ROP) attacks.
Stack Pivot (StackPivot) - Checks if the stack pointer is changed to point to attacker-controlled memory areas, which is a common technique in Return Oriented Programming (ROP) attacks.
Attack Surface Reduction (ASR) - Prevents defined modules from being loaded in the address space of the protected process.