Control-flow integrity

Not to be confused with Common Flash Interface, the flash memory device identification standard.

Control-flow integrity (CFI) is a general term for computer security techniques that prevent a wide variety of malware attacks from redirecting the flow of execution (the control flow) of a program.

Background

A computer program commonly changes its control flow to make decisions and use different parts of the code. Such transfers may be direct, in that the target address is written in the code itself, or indirect, in that the target address itself is a variable in memory or a CPU register. In a typical function call, the program performs a direct call, but returns to the caller function using the stack – an indirect backward-edge transfer. When a function pointer is called, such as from a virtual table, we say there is an indirect forward-edge transfer.

Attackers seek to inject code into a program to make use of its privileges or to extract data from its memory space. Before executable code was commonly made read-only, an attacker could arbitrarily change the code as it is run, targeting direct transfers or even doing without transfers at all. After W^X became widespread, an attacker instead wants to redirect execution to a separate, unprotected area containing the code to be run, making use of indirect transfers: one could overwrite the virtual table for a forward-edge attack or change the call stack for a backward-edge attack (return-oriented programming). CFI is designed to protect indirect transfers from going to unintended locations.

Techniques

Associated techniques include code-pointer separation (CPS), code-pointer integrity (CPI), stack canaries, shadow stacks, and vtable pointer verification.

Implementations

Related implementations are available in Clang (LLVM in general), Microsoft's Control Flow Guard and Return Flow Guard, Google's Indirect Function-Call Checks and Reuse Attack Protector (RAP).

LLVM/Clang

LLVM/Clang provides a "CFI" option that works in the forward edge by checking for errors in virtual tables and type casts. It depends on link-time optimization (LTO) to know what functions are supposed to be called in normal cases. There is a separate "shadow call stack" scheme that defends on the backward edge by checking for call stack modifications, available only for aarch64.

Google has shipped Android with the Linux kernel compiled by Clang with link-time optimization (LTO) and CFI since 2018. SCS is available for the Linux kernel as an option, including on Android.

Intel Control-flow Enforcement Technology

Intel Control-flow Enforcement Technology (CET) detects compromises to control flow integrity with a shadow stack (SS) and indirect branch tracking (IBT).

The shadow stack stores a copy of the return address of each CALL in a specially-protected shadow stack. On a RET, the processor checks if the return addresses stored in the normal stack and the shadow stack are equal. If the addresses are not equal, the processor generates an INT #21 (Control Flow Protection Fault).

Indirect branch tracking detects indirect JMP or CALL instructions with unauthorized targets. It is implemented by adding a new internal state machine in the processor. The behavior of indirect JMP and CALL instructions is changed so that they switch the state machine from IDLE to WAIT_FOR_ENDBRANCH. In the WAIT_FOR_ENDBRANCH state, the next instruction to be executed is required to be the new ENDBRANCH instruction (ENDBR32 in 32-bit mode or ENDBR64 in 64-bit mode), which changes the internal state machine from WAIT_FOR_ENDBRANCH back to IDLE. Thus every authorized target of an indirect JMP or CALL must begin with ENDBRANCH. If the processor is in the WAIT_FOR_ENDBRANCH state (meaning the previous instruction was an indirect JMP or CALL) and the next instruction is not an ENDBRANCH instruction, the processor generates an INT #21 (Control Flow Protection Fault). On processors not supporting CET indirect branch tracking, ENDBRANCH instructions are interpreted as NOPs and have no effect.
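The two CET checks just described, as an added toy simulation (not Intel's specification or code): a simplified instruction set runs against a normal stack, a shadow stack and the IDLE/WAIT_FOR_ENDBRANCH state machine, and the model reports where the fault would be raised. The opcode names, stack depth and the OP_TAMPER_RET stand-in for a return-address overwrite are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model of the two CET checks described above (added example, not Intel's
 * specification or code). A "program" is an array of simplified instructions;
 * the model keeps the normal stack, the shadow stack and the IBT state machine
 * and reports where the first Control Flow Protection fault (INT #21) occurs. */
typedef enum { OP_NOP, OP_ENDBR, OP_CALL_DIRECT, OP_CALL_INDIRECT,
               OP_JMP_INDIRECT, OP_RET, OP_TAMPER_RET, OP_HALT } opcode;
typedef struct { opcode op; uint32_t arg; } insn;  /* arg: target or value */
typedef enum { IBT_IDLE, IBT_WAIT_FOR_ENDBRANCH } ibt_state;
enum { STACK_MAX = 16, STEP_MAX = 256 };

typedef struct {
    uint32_t stack[STACK_MAX], shadow[STACK_MAX];
    int sp, ssp;
    ibt_state ibt;
} cpu;

/* Runs prog from pc 0. Returns the pc of the instruction that raised the fault,
 * or -1 if OP_HALT was reached. OP_TAMPER_RET stands for a memory-corruption bug
 * overwriting the return address on the normal stack; the shadow copy stays. */
static int cet_run(const insn *prog, size_t n)
{
    cpu c = { .ibt = IBT_IDLE };
    uint32_t pc = 0;
    for (int step = 0; step < STEP_MAX && pc < n; step++) {
        const insn *i = &prog[pc];
        if (c.ibt == IBT_WAIT_FOR_ENDBRANCH) {      /* previous insn was indirect */
            if (i->op != OP_ENDBR) return (int)pc;  /* fault: target lacks ENDBRANCH */
            c.ibt = IBT_IDLE;
        }
        switch (i->op) {
        case OP_HALT: return -1;
        case OP_CALL_DIRECT:
        case OP_CALL_INDIRECT:
            if (c.sp >= STACK_MAX) return (int)pc;  /* model limit, treated as a fault */
            c.stack[c.sp++] = pc + 1;               /* return address on the stack ... */
            c.shadow[c.ssp++] = pc + 1;             /* ... and its protected copy */
            if (i->op == OP_CALL_INDIRECT) c.ibt = IBT_WAIT_FOR_ENDBRANCH;
            pc = i->arg; continue;
        case OP_JMP_INDIRECT:
            c.ibt = IBT_WAIT_FOR_ENDBRANCH; pc = i->arg; continue;
        case OP_TAMPER_RET:
            if (c.sp > 0) c.stack[c.sp - 1] = i->arg; break;
        case OP_RET:
            if (c.sp == 0) return (int)pc;
            if (c.stack[--c.sp] != c.shadow[--c.ssp]) return (int)pc; /* fault: mismatch */
            pc = c.stack[c.sp]; continue;
        default: break;                 /* NOP; ENDBR outside WAIT_FOR_ENDBRANCH is a NOP */
        }
        pc++;
    }
    return -1;                          /* ran off the end or hit STEP_MAX: no fault seen */
}
```

A direct CALL never arms the state machine, so a direct call to a function without ENDBRANCH runs normally, while an indirect CALL or JMP to the same function faults at the target.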
Microsoft Control Flow Guard

Control Flow Guard (CFG) was first released for Windows 8.1 Update 3 (KB3000850) in November 2014. Developers can add CFG to their programs by adding the /guard:cf linker flag before program linking in Visual Studio 2015 or newer.

As of Windows 10 Creators Update (Windows 10 version 1703), the Windows kernel is compiled with CFG. The Windows kernel uses Hyper-V to prevent malicious kernel code from overwriting the CFG bitmap.

CFG operates by creating a per-process bitmap, where a set bit indicates that the address is a valid destination. Before performing each indirect function call, the application checks if the destination address is in the bitmap. If the destination address is not in the bitmap, the program terminates. This makes it more difficult for an attacker to exploit a use-after-free by replacing an object's contents and then using an indirect function call to execute a payload.

Implementation details

For all protected indirect function calls, the _guard_check_icall function is called, which performs the following steps:

1. Convert the target address to an offset and bit number in the bitmap.
   - The highest 3 bytes are the byte offset in the bitmap.
   - The bit offset is a 5-bit value. The first four bits are the 4th through 8th low-order bits of the address.
   - The 5th bit of the bit offset is set to 0 if the destination address is aligned with 0x10 (last four bits are 0), and 1 if it is not.
2. Examine the target's address value in the bitmap.
   - If the target address is in the bitmap, return without an error.
   - If the target address is not in the bitmap, terminate the program.
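The lookup performed by these steps, as an added scaled-down model rather than Microsoft's own implementation. The 1 MiB address range, the sample entry points and the layout of one 32-bit word per 256 bytes of address space (implied by the 5-bit bit index) are assumptions; the model also shows that every unaligned address within one 16-byte range shares a single bit.

```c
#include <stdint.h>
#include <stdio.h>

/* Scaled-down model of the CFG bitmap check described above (added example,
 * not Microsoft's code). The toy bitmap covers only the low 1 MiB of a 32-bit
 * address space so the table stays small. Assumed layout, implied by the
 * 5-bit bit index in the text: one 32-bit word per 256-byte range, selected
 * by the address with its low byte dropped. */
#define TOY_RANGE (1u << 20)          /* constructed: 1 MiB of address space */
#define TOY_WORDS (TOY_RANGE >> 8)    /* 4096 words, one per 256 bytes */

typedef struct { uint32_t words[TOY_WORDS]; } cfg_bitmap;

/* Word index: the high bytes of the address (everything above the low byte). */
static unsigned cfg_word_index(uint32_t addr) { return addr >> 8; }
/* 5-bit bit index as the text describes: address bits 4..7, followed by a
 * low bit that is 0 only when the address is 16-byte aligned. Every
 * misaligned address in one 16-byte range therefore shares a single bit. */
static unsigned cfg_bit_index(uint32_t addr)
{
    unsigned misaligned = (addr & 0xFu) != 0;
    return (((addr >> 4) & 0xFu) << 1) | misaligned;
}

/* Loader side: mark a function entry point as a valid indirect-call target.
 * Returns 0 if the address lies outside the toy range. */
static int cfg_mark_valid(cfg_bitmap *bm, uint32_t entry)
{
    if (entry >= TOY_RANGE) return 0;
    bm->words[cfg_word_index(entry)] |= 1u << cfg_bit_index(entry);
    return 1;
}

/* _guard_check_icall equivalent: 1 = call proceeds, 0 = the program would
 * be terminated. Addresses outside the bitmap have no bit and are rejected. */
static int cfg_check_icall(const cfg_bitmap *bm, uint32_t target)
{
    if (target >= TOY_RANGE) return 0;
    return (bm->words[cfg_word_index(target)] >> cfg_bit_index(target)) & 1u;
}

int main(void)
{
    static cfg_bitmap bm;                   /* all zero: no target allowed yet */
    cfg_mark_valid(&bm, 0x41000u);          /* constructed: 16-byte aligned function */
    cfg_mark_valid(&bm, 0x42234u);          /* constructed: unaligned function */
    const uint32_t probes[] = { 0x41000u, 0x41004u, 0x42234u, 0x42238u, 0x42230u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%05x -> word %u bit %2u: %s\n", (unsigned)probes[i],
               cfg_word_index(probes[i]), cfg_bit_index(probes[i]),
               cfg_check_icall(&bm, probes[i]) ? "allowed" : "terminate");
    return 0;
}
```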
Bypass techniques

There are several generic techniques for bypassing CFG:

- Set the destination to code located in a non-CFG module loaded in the same process.
- Find an indirect call that was not protected by CFG (either CALL or JMP).
- Use a function call with a different number of arguments than the call is designed for, causing a stack misalignment and code execution after the function returns (patched in Windows 10).
- Use a function call with the same number of arguments, but one of the pointers passed is treated as an object and writes to a pointer-based offset, allowing a return address to be overwritten.
- Overwrite the function call used by CFG to validate the address (patched in March 2015).
- Set the CFG bitmap to all 1's, allowing all indirect function calls.
- Use a controlled-write primitive to overwrite an address on the stack (since the stack is not protected by CFG).

Microsoft eXtended Flow Guard

eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019.

XFG extends CFG by validating function call signatures to ensure that indirect function calls are only to the subset of functions with the same signature. Function call signature validation is implemented by adding instructions to store the target function's hash in register r10 immediately prior to the indirect call and storing the calculated function hash in the memory immediately preceding the target address's code. When the indirect call is made, the XFG validation function compares the value in r10 to the target function's stored hash.

See also

Buffer overflow protection
