Return Flow Guard

Discussion in 'other security issues & news' started by 142395, Nov 4, 2016.

  1. 142395

    142395 Guest

    I'm not sure if this is the correct place, so move it if it's incorrect.
    It seems there's not much info about this new exploit mitigation, which starts with Windows 10 RS2. I could only find this Tencent review.

    [EDIT] Forgot to capitalize the g in the title; can a mod correct that?
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some good details here as well: http://redplait.blogspot.ca/2016/10/rfg-patches-in-windows-10-build-14942.html

    Also some detailed tweets from Alex Ionescu (https://twitter.com/aionescu/with_replies) regarding RFG on Nov 1 and Oct 28.

    So my understanding here is that Return Flow Guard steps in where Control Flow Guard's limitations end, and therefore targets ROP more directly. But there are still many more details that we don't know. I am looking forward to whenever Trend Micro decides to break it down, because they had great breakdowns on Control Flow Guard previously.

    I did some brief testing with return flow guard last night in a virtual machine with the latest Insider build.

    EDIT: Also, see the following link that I posted in the Windows 10 forum:

    Windows 10 Mitigation Improvements (.PDF / Blackhat US 2016)
    Link: https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

    That document does not cover RFG (unless I missed it), but it does document and show the evolution and timeline of certain mitigations, including some details on Control Flow Guard. That shows the limitations of CFG, and hence why we need RFG now. It is actually quite interesting to see that each upgrade to the Windows 10 OS brings new security improvements.
     
    Last edited: Nov 4, 2016
  3. Enabled Return Flow Guard on my Windows 10 Pro through a registry setting, and the good news is . . . . . . . :D

    The HMPA Alert test tool fails to open the calculator for all exploit tests when targeting explorer.exe :thumb:
     
  4. guest

    guest Guest

    this one?

    Code:
    \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager\kernel EnableRfg : REG_DWORD
     
  5. CHECK :thumb:
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    My understanding is that the combination of CFG + RFG is what will stop EMET from functioning correctly on Windows 10 Creators Update. Or at the very least it would kill EAF/EAF+, along with who knows what other security software. CFG + RFG on their own, as built-in kernel checks, will be fundamental against ROP, because that is where CFG alone had some limitations. The beauty of CFG + RFG is the very minimal (if any) performance impact.

    It seems that with each (major) iteration of Windows 10 updates, Microsoft has implemented more and more security mitigation mechanisms for proactive security. Fonts parsed within an AppContainer sandbox. Windows Defender running as a Protected Process Light. SmartScreen, for what it's worth. Microsoft has implemented multiple layers of proactive security in all of the right places. Yet some people who are still paranoid about all of the privacy-related news for Windows 10 fail to see many of these security improvements occurring under the hood.

    Anyway, I am most definitely looking forward to more technical analysis regarding Return Flow Guard. Particularly which flags would be used to compile with visual studio and so on. Certainly Chromium developers will take advantage of this when the time comes.
     
  7. guest

    guest Guest

    Exactly, and they weaken those built-in protections by using flawed security software...
     
  8. I've trialed Device Guard and Credential Guard and it does lock down the Windows environment.

    But it's a bit of a pain to get working. You have to whitelist certain apps you want to be able to run. It locks down Windows pretty tight.

    I assume Return Flow Guard is more of the same? Do you have to whitelist apps?
     
  9. guest

    guest Guest

    Where do you get it? (I'm too lazy to check the whole thread for it ^^)
     
  10. The HMPA test tool is not available for download anymore.
     
  11. guest

    guest Guest

    That is sad...
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Is there much difference between being paranoid about privacy or being paranoid about security? ;)
     
  13. guest

    guest Guest

    Only one: privacy paranoids can't enjoy life :p
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    :argh: True. Although I am kind of new to security and privacy affairs, I agree with guest on this. I have perceived a lot of distress in people with lots of privacy concerns.
     
  15. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    So, it's gonna be enabled by default in the next update?

    It does seem like they're stressing themselves by arguing which update is bad or good. Not to mention having to constantly block telemetry data/connections because Microsoft is "evil".
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    hehe, I guess you're right :)
    Though being paranoid about security can also give you stress these days.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    They can. They just can't share it on Facebook and Instagram. :p
     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Being paranoid about anything gives you stress. One needs to stay away from Wilders from time to time...too much influence here. VERY easy to look at things from a dismal point of view.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Hmm interesting :)

    No stress there. Just install only security updates and ditch Windows in the long term :D
     
  20. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    http://dl.surfright.nl/hmpalert-test.exe
    http://dl.surfright.nl/hmpalert64-test.exe
    http://www.surfright.nl/en/downloads

    When adding the registry key does the dword have a value of 0 or 1?
    \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager\kernel EnableRfg : REG_DWORD
     
  21. guest

    guest Guest

    1 enable 0 disable

    btw, thanks for the links ;)
     
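The registry value quoted in posts 4 and 20/21 is written in the kernel's native path form (`\Registry\Machine\...`); from PowerShell the same key is reached through the `HKLM:` drive. The script below is an added example, not something posted in the thread, that reads the current `EnableRfg` value before changing it, writes it as a `REG_DWORD` (1 = enable, 0 = disable, as stated in post 21) and reads it back. It assumes an elevated PowerShell session on a Windows 10 RS2 Insider build where the setting is recognised, and it assumes (not confirmed by anything in the thread) that the kernel reads the value at boot, so a reboot is required after changing it. The setting is undocumented, so treat it as experimental.

```powershell
# Added example: check and set the undocumented EnableRfg value quoted in the thread.
# Native path \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
# maps to the HKLM: drive in PowerShell.
# Assumptions: run as Administrator on a Windows 10 RS2 Insider build; the kernel
# reads this value at boot, so a reboot is needed after a change (assumption).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'EnableRfg'

function Get-RfgSetting {
    # Returns the DWORD value, or $null if the value has never been set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-RfgSetting {
    param([ValidateSet(0, 1)][int]$Enabled)

    # Record the current state first so the change can be reverted exactly.
    $before = Get-RfgSetting
    $shown  = if ($null -eq $before) { '<not set>' } else { $before }
    Write-Host "EnableRfg before: $shown"

    # The 'kernel' subkey normally exists; create it only if it is missing.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    # -Force overwrites an existing value; PropertyType DWord matches REG_DWORD.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $Enabled -Force | Out-Null

    # Read back and fail loudly if the write did not stick (e.g. not elevated).
    $after = Get-RfgSetting
    if ($after -ne $Enabled) { throw "EnableRfg readback is '$after', expected $Enabled" }
    Write-Host "EnableRfg now: $after (1 = enable, 0 = disable). Reboot to apply."
}

# Usage:
#   Set-RfgSetting -Enabled 1    # enable RFG
#   Set-RfgSetting -Enabled 0    # disable / revert
Get-RfgSetting
```

Reading the value before writing it matters for the kind of test the thread describes: post 25 reports that the HMPA test tool already failed to open the calculator against explorer.exe without RFG, so a baseline run with the value unset (or 0) is needed before attributing any blocked test to RFG.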
  22. Link to the Tencent article again
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    In the long run we are all dead (John Maynard Keynes). So you better hurry up :D
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Finally got some confirmation for this question from a Chromium developer:
    Source: https://bugs.chromium.org/p/chromium/issues/detail?id=659765#c5
     
  25. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Did you happen to try the HMPA Test Tool before setting RFG? On my fresh Windows 10 Enterprise installation I was not able to open the calculator when targeting explorer.exe even without RFG...
     