Exploring Control Flow Guard in Windows 10

Discussion in 'other anti-malware software' started by Minimalist, Jan 31, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    So this basically aims at preventing an indirect call targeting the address of shellcode, so it won't conflict with EMET or HMPA (and maybe MBAE too).
    Maybe quite effective for many use-after-free attacks?
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,628
    Location:
    Toronto, Canada
    More here as well: http://blogs.msdn.com/b/vcblog/arch...review-work-in-progress-security-feature.aspx

    I was reading about this over the past few days and it seems quite interesting. It looks like CFG has to be enabled and compiled into the binaries and works for Windows 10 and also Windows 8.1 (November Update). The good thing is that it doesn't break the software if used on an older OS which doesn't support CFG.

    I am curious as to whether or not EMET would be able to add this functionality. I'm not sure, since CFG is added at compile time. But I'm not entirely sure whether EMET could add that, similarly to how it injects its .DLL into processes. It will be interesting to see. Good to see Microsoft thinking of newer mitigation methods, regardless.
     
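The post above notes that CFG has to be compiled into a binary. The quickest way to tell whether a given image was linked with it is the GUARD_CF bit (0x4000) in the optional header's DllCharacteristics field (`dumpbin /headers` lists it as "Control Flow Guard"). The following is an added example, not code from the thread or from Microsoft: a small PE header parser that reads that field, with a constructed minimal PE32+ header as sample input so it runs offline. The field offsets come from the PE specification; the sample header is an assumption built inline and is not a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DllCharacteristics flags from the PE specification. */
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT       0x0100
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF        0x4000

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read DllCharacteristics from an in-memory PE image. Returns 0 on success, -1 if
   the buffer is not a well-formed PE header. The field sits at offset 70 of the
   optional header for both PE32 (magic 0x10b) and PE32+ (magic 0x20b). */
static int pe_dll_characteristics(const uint8_t *buf, size_t len, uint16_t *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* need: "PE\0\0" (4) + COFF header (20) + at least 72 bytes of optional header */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);        /* COFF.SizeOfOptionalHeader */
    if (opt_size < 72) return -1;
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;
    *out = rd16(opt + 70);
    return 0;
}

/* 1 if the GUARD_CF flag is set (image linked with /guard:cf), 0 if not, -1 if malformed. */
static int pe_has_cfg(const uint8_t *buf, size_t len) {
    uint16_t dc;
    if (pe_dll_characteristics(buf, len, &dc) != 0) return -1;
    return (dc & IMAGE_DLLCHARACTERISTICS_GUARD_CF) ? 1 : 0;
}

/* Constructed sample (assumption, not a real binary): a minimal PE32+ header with
   the given DllCharacteristics. Returns bytes written, 0 if buf is too small. */
#define SAMPLE_PE_SIZE (0x40 + 4 + 20 + 240)
static size_t build_sample_pe(uint8_t *buf, size_t len, uint16_t dllchars) {
    if (len < SAMPLE_PE_SIZE) return 0;
    memset(buf, 0, SAMPLE_PE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                       /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    coff[0] = 0x64; coff[1] = 0x86;         /* Machine = AMD64 */
    coff[16] = 240;                         /* SizeOfOptionalHeader = 240 (PE32+) */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x02;           /* Magic = 0x20b (PE32+) */
    opt[70] = (uint8_t)(dllchars & 0xff);
    opt[71] = (uint8_t)(dllchars >> 8);
    return SAMPLE_PE_SIZE;
}

/* Build a sample with the given flags and run the check on it. */
static int sample_check(uint16_t dllchars) {
    uint8_t buf[SAMPLE_PE_SIZE];
    size_t n = build_sample_pe(buf, sizeof buf, dllchars);
    return pe_has_cfg(buf, n);
}

int main(int argc, char **argv) {
    uint8_t buf[4096];   /* the first 4 KiB of a real file holds the headers */
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        n = build_sample_pe(buf, sizeof buf, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE |
                            IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_GUARD_CF);
    }
    int r = pe_has_cfg(buf, n);
    printf("%s\n", r < 0 ? "not a PE image" : r ? "CFG flag set" : "CFG flag not set");
    return r < 0;
}
```

Run it with a path to a DLL or EXE to check a real image, or without arguments to check the constructed sample. The flag alone says the linker was asked for CFG; whether the image actually carries the guard function table is visible in the load configuration directory (`dumpbin /loadconfig` on Windows), which this example does not parse.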
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for the link.
    Well, I also wonder and am not sure if EMET can do it. I personally hope regenpijp chimes in, as he knows those things better.
    Anyway, it seems MS adds a new mitigation every time they release a new OS, a good thing except that they don't spend much on non-latest OSes.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    After they release a new version of the OS, they usually don't add new features to the old one. Only security updates.
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,027
    Location:
    Hengelo, The Netherlands
    The Control Flow Guard in Windows 8.1u3 and 10 is so-called fine-grained Control-Flow Integrity (CFI) and is purely a software implementation.

    The CFI feature in both EMET and HitmanPro.Alert is so-called coarse grained Control-Flow Integrity.
    In EMET it is a pure software implementation (Caller mitigation).
    In Alert it is both a software and hardware implementation (Control-Flow Integrity mitigation).

    Control Flow Guard requires support from both the operating system (Windows 8.1u3 or 10) and recompilation of an application and its DLLs (sources needed).

    EMET and Alert can apply CFI to any version of Windows (XP or newer) and can be applied to any binary, no recompiling required.

    Of course the Control Flow Guard in Windows 8.1u3 or 10 provides better coverage as it is fine grained, but it is currently impractical as there are no binaries supporting CFG and Windows 8.1u3 market share is still very low. However over time (many years) this will change.

    Hope this helps.
     
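The post above describes CFG as compiler-inserted, software-only control-flow integrity. The following is an added example, not code from the thread, from Microsoft or from the EMET/HitmanPro.Alert products: a constructed simulation of the principle. With /guard:cf the compiler records every address-taken function, the loader turns those records into a bitmap, and a guard routine inserted before each indirect call refuses targets that are not marked. Here the bitmap is a small table filled by `guard_register()`, the guard returns a sentinel instead of terminating the process so the outcome can be tested, and the function names, the `struct object` and the "shellcode" buffer are all assumptions made up for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed simulation of a CFG-style indirect-call check (the principle,
   not Microsoft's implementation). */

typedef int (*handler_t)(int);

static int handler_ok(int x)  { return x + 1; }   /* registered: valid target */
static int handler_alt(int x) { return x * 2; }   /* registered: valid target */
static int unmarked_fn(int x) { return -x; }      /* never registered: stands in for a
                                                     function the compiler did not mark */

#define MAX_TARGETS 16
#define GUARD_FAIL  (-9999)   /* stands in for the fast-fail that terminates the process */

static uintptr_t g_valid_targets[MAX_TARGETS];
static size_t    g_num_targets;

/* Load-time step: mark a function as a legitimate indirect-call target. */
static void guard_register(handler_t fn) {
    if (g_num_targets < MAX_TARGETS)
        g_valid_targets[g_num_targets++] = (uintptr_t)fn;
}

/* Per-call step: 1 if target is marked, 0 otherwise. Real CFG marks 16-byte
   granules rather than exact addresses, so it is slightly coarser than this. */
static int guard_check_icall(uintptr_t target) {
    for (size_t i = 0; i < g_num_targets; i++)
        if (g_valid_targets[i] == target) return 1;
    return 0;
}

/* An object whose function pointer an attacker could overwrite, e.g. through a
   use-after-free that replaces the freed object with controlled data. */
struct object { handler_t on_event; };

/* Guarded indirect call, as the compiler would emit it around o->on_event(arg). */
static int dispatch_guarded(struct object *o, int arg) {
    if (!guard_check_icall((uintptr_t)o->on_event))
        return GUARD_FAIL;
    return o->on_event(arg);
}

static void guard_init(void) {
    g_num_targets = 0;
    guard_register(handler_ok);
    guard_register(handler_alt);
}

/* Scenario 1: intact object, the call goes through. */
static int demo_legit(void) {
    struct object o = { handler_ok };
    guard_init();
    return dispatch_guarded(&o, 41);
}

/* Scenario 2: pointer redirected into a data buffer (where shellcode would sit).
   The buffer is a constructed stand-in and is never executed. */
static int demo_shellcode_target(void) {
    static unsigned char fake_shellcode[32] = { 0xcc };
    struct object o;
    guard_init();
    o.on_event = (handler_t)(uintptr_t)fake_shellcode;
    return dispatch_guarded(&o, 1);
}

/* Scenario 3: pointer redirected into the middle of a valid function (gadget-style). */
static int demo_midfunction_target(void) {
    struct object o;
    guard_init();
    o.on_event = (handler_t)((uintptr_t)handler_ok + 3);
    return dispatch_guarded(&o, 1);
}

/* Scenario 4: a real function entry point that was never marked as a call target. */
static int demo_unmarked_function(void) {
    struct object o = { unmarked_fn };
    guard_init();
    return dispatch_guarded(&o, 1);
}

int main(void) {
    printf("legit:      %d\n", demo_legit());
    printf("shellcode:  %d\n", demo_shellcode_target());
    printf("mid-func:   %d\n", demo_midfunction_target());
    printf("unmarked:   %d\n", demo_unmarked_function());
    return 0;
}
```

The set of allowed targets is what makes this "fine-grained" in the sense the post uses: the check is per target, built from what the compiler saw at build time, which is why the binary and its DLLs must be recompiled to get it. A caller-side check that only inspects the call site or the return address (the coarse-grained approach) needs no recompilation but cannot know this set.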
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,628
    Location:
    Toronto, Canada
    Indeed, thank you very much for the detailed explanation.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks too!
    And I'm almost sure criminals will eventually bypass this too. :D
     