Researchers discover design weakness to bypass Microsoft’s Control Flow Guard in Windows

Researchers from Italy’s University of Padua have discovered a fundamental design weakness in Control Flow Guard (CFG) that undermines the security of Windows 8.1 and Windows 10. Microsoft first released CFG in Windows 8.1 Update 3 and has since included it in subsequent Windows operating systems, including the latest version of Windows 10.

For those unaware, Control Flow Guard (CFG) is a highly optimized platform security feature created to combat memory corruption vulnerabilities in Windows. CFG places tight restrictions on where an application can execute code from, making it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.

However, in order to improve performance and keep CFG backward-compatible, Microsoft made design decisions that leave CFG able to call portions of code that should not be allowed. As a result of this flaw, attackers can bypass CFG with relative ease.

One of the researchers, Andrea Biondo of the university, states:

The [control flow] restriction is precise only when the allowed targets are aligned to 16 bytes. If they are not, then there is a 16-byte imprecision around the target […] By combining the presence of unaligned targets in common libraries with the predictability of the layout of functions generated by the compiler, we can bypass CFG.
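To make the quoted imprecision concrete, the following is an added example (not the researchers' code, and not Microsoft's implementation) that models the CFG bitmap check. It assumes a simplified two-state entry per 16-byte slot of address space; the exact kernel encoding is not on this page and is not claimed here.

```python
# Simplified model of the Control Flow Guard (CFG) bitmap check, written to
# illustrate why an unaligned valid target widens the set of accepted call
# targets to its whole 16-byte slot. The two-state-per-slot encoding is an
# ASSUMPTION of this example, not a description of the real kernel layout.

SLOT = 16  # bytes of address space covered by one bitmap entry


class CfgBitmap:
    """Models the per-slot validity states CFG keeps for indirect-call targets."""

    def __init__(self):
        # slot index -> state: 0 = no target, 1 = aligned target only,
        # 2 = slot holds an unaligned target (every address in it passes)
        self.slots = {}

    def mark_valid_target(self, addr):
        """Register addr as a legitimate indirect-call target (load-time step)."""
        slot = addr // SLOT
        if addr % SLOT == 0:
            self.slots[slot] = max(self.slots.get(slot, 0), 1)
        else:
            self.slots[slot] = 2

    def is_call_allowed(self, target):
        """The check inserted before every indirect call."""
        state = self.slots.get(target // SLOT, 0)
        if state == 0:
            return False
        if target % SLOT == 0:
            return True          # aligned address in a slot with any target
        return state == 2        # unaligned addresses need the 'unaligned' state


def accepted_in_slot(bitmap, target):
    """Return every address the check accepts in the same 16-byte slot as target."""
    base = target - target % SLOT
    return [a for a in range(base, base + SLOT) if bitmap.is_call_allowed(a)]


def demo():
    bm = CfgBitmap()
    bm.mark_valid_target(0x1000)  # constructed: function start aligned to 16
    bm.mark_valid_target(0x2008)  # constructed: function start not aligned
    return {
        "aligned": accepted_in_slot(bm, 0x1000),    # exactly one address
        "unaligned": accepted_in_slot(bm, 0x2008),  # all 16 addresses
    }
```

Defensively, the model shows what the quote means: an aligned target is precise, while a single unaligned target makes every byte of its 16-byte slot an accepted call target.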

The Italian researchers have dubbed this exploit the Back to the Epilogue (BATE) attack, which they will explain in detail at the Black Hat Asia conference this month. They will demonstrate how the flaw can be used in real-world scenarios, using proof-of-concept code to bypass CFG in Microsoft’s Edge browser on Windows 10 (64-bit).

According to the report, more than 500 million Windows systems currently have the feature, which leaves them at risk of exploitation. The researchers have notified Microsoft of the security issue, which the company plans to fix as part of the upcoming Windows 10 RS4 release.

Source: Dark reading