An In-depth Look at Control Flow Guard Technology in Windows 10


One reason threat actors favor software vulnerabilities is that they open a window of opportunity to affect systems that are otherwise secured and protected. This rings especially true for zero-day attacks: threat actors abuse the window between the time a flaw is discovered and the time it is patched, and with no patch available, practically any computer running the vulnerable software is a potential victim.

Vulnerabilities have also become a more serious issue as the years progress, with the total number disclosed per year approaching 10,000. In 2014, major vulnerabilities like Heartbleed, Shellshock, POODLE, and WinShock became known for their severe impact, widespread attack surface, and difficulty of patching. Furthermore, many targeted attack campaigns use zero-day vulnerabilities to compromise systems.

Developers have worked to improve exploit mitigation technology, and Microsoft has added Control Flow Guard (CFG), a new mechanism, to Windows 10 and to Windows 8.1 Update 3 (released in November 2014). The operating system support is on by default; the protection applies to any program compiled with CFG enabled.

Previous mitigation techniques like address space layout randomization (ASLR) and Data Execution Prevention (DEP) have succeeded in making exploitation more difficult, even if they are not perfect. Attackers adapted: ASLR drove the development of heap sprays, and DEP is the reason return-oriented programming (ROP) chains now show up in exploit code.

So what exactly is CFG? CFG is a new mechanism that developers can enable for their program at compile time. Enabling it makes the compiler insert a check before every indirect call (a call through a function pointer or virtual table entry) that validates the target address against a table of legitimate call targets maintained by the operating system; if an attacker has overwritten the pointer to point somewhere else, the check fails and the process is terminated before the hijacked call executes. According to an MSDN blog post:

“So, even though the original code contained a bug that was exploitable by an attacker; and even though the authors of the code were not aware of that bug, and had not fixed it; and even though an attacker succeeded in his first steps to exploit the security hole; nonetheless, CFG will stop the attack from causing subsequent damage.”
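The following C program is an added example, not code from the Trend Micro paper or from Microsoft's implementation. It models the idea behind CFG on a small scale: a table of legitimate indirect-call targets (a stand-in for the OS-maintained CFG bitmap), a struct whose function pointer sits behind a fixed-size buffer, a constructed overflow that overwrites that pointer, and a guard check run before the indirect call. The function and struct names, the `attacker_target` function and the payload are all invented for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of what Control Flow Guard adds to a program (not
 * Microsoft's code): a table of legitimate indirect-call targets and a check
 * before each indirect call. Real CFG keeps the table as an OS-maintained
 * bitmap over the process address space and calls a guard routine before each
 * indirect call, which fast-fails the process on an invalid target. */

typedef void (*handler_t)(const char *);

/* Legitimate handlers the program dispatches to through a function pointer. */
static void log_handler(const char *msg)   { printf("log: %s\n", msg); }
static void alert_handler(const char *msg) { printf("ALERT: %s\n", msg); }

/* Function an attacker would like to reach; never a legitimate call target. */
static void attacker_target(const char *msg) {
    (void)msg;
    printf("attacker_target reached: control flow was hijacked\n");
}

/* Hypothetical analogue of the CFG bitmap: addresses marked valid at link time. */
static const handler_t valid_targets[] = { log_handler, alert_handler };

/* The guard check inserted before each indirect call: 1 = allowed, 0 = refused. */
static int cfg_check_target(handler_t target) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == target)
            return 1;
    return 0;
}

/* Object whose layout an overflow can corrupt: the function pointer sits
 * directly after a fixed-size name buffer. */
struct event {
    char      name[16];
    handler_t on_fire;
};

/* Indirect call with or without the guard. Returns 1 if the call happened,
 * 0 if the guard refused it (real CFG would terminate the process here). */
static int dispatch(const struct event *ev, int guarded) {
    if (guarded && !cfg_check_target(ev->on_fire))
        return 0;
    ev->on_fire(ev->name);
    return 1;
}

/* Constructed overflow: filler up to the pointer, then the attacker's chosen
 * address, written over the whole object exactly as an unchecked copy into
 * ev->name would land. Returns dispatch()'s result. */
static int simulate_hijack(int guarded) {
    struct event ev;
    unsigned char payload[sizeof ev];
    handler_t evil = attacker_target;

    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct event, on_fire), &evil, sizeof evil);
    memcpy(&ev, payload, sizeof ev);          /* the "overflow" */

    return dispatch(&ev, guarded);
}

/* Benign path: an intact object whose pointer is a registered target. */
static int legitimate_call(int guarded) {
    struct event ev = { "login", alert_handler };
    return dispatch(&ev, guarded);
}

int main(void) {
    printf("legitimate call, guarded: %s\n", legitimate_call(1) ? "allowed" : "blocked");
    printf("hijacked call, unguarded: %s\n", simulate_hijack(0)  ? "allowed" : "blocked");
    printf("hijacked call, guarded:   %s\n", simulate_hijack(1)  ? "allowed" : "blocked");
    return 0;
}
```

Two caveats carry over to the real mechanism. In a real build nothing in the source changes; the check is emitted by the compiler when the program is built with `/guard:cf` on both the compiler and the linker, and the kernel enforces it at run time. And CFG validates only indirect calls: it does not check return addresses, so a stack-based ROP chain is not stopped by it, and any registered function entry passes the check, not just the one the original code intended.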

For more details on Control Flow Guard technology, read our Trend Micro paper Exploring Control Flow Guard in Windows 10.
