Design Weakness in Microsoft CFG Allows Complete Bypass

A widely deployed security mechanism in Windows that is designed to prevent attackers from exploiting memory corruption errors can be completely bypassed because of a fundamental design weakness, according to researchers.

The design flaw exists in Control Flow Guard (CFG), a mechanism that Microsoft has implemented in all Windows operating systems from Windows 8.1 to the latest version of Windows 10. CFG, like Microsoft’s Address Space Randomization Layer (ASLR), is one of several countermeasures that have been deployed in recent years to protect against exploits targeting memory corruption vulnerabilities in software. More than 500 million Windows systems have the feature currently.

As the researchers from the University of Padua, Italy explain in a technical paper describing their exploit, CFG is designed to prevent attackers from hijacking a program’s control flow and directing it toward their own malicious code. However, a vulnerability in the CFG design gives attackers a way to call portions of code — or gadgets — that should not be allowed and that can be chained together to bypass CFG restrictions entirely, according to the paper.

Read more about the technique to evade CFG, which will be demonstrated by the researchers who discovered it at Black Hat Asia, on DarkReading.

Track the strategic threats to your business with the Threat Brief, delivered to your email daily.

Subscribe Here