Control-flow integrity

Control-flow integrity (CFI) is a general term for computer security techniques that prevent a wide variety of malware attacks from redirecting the flow of execution (the control flow) of a program.

Background

A computer program commonly changes its control flow to make decisions and use different parts of the code. Such transfers may be direct, in that the target address is written in the code itself, or indirect, in that the target address is a variable held in memory or in a CPU register. In a typical function call, the program performs a direct call, but returns to the caller using an address read from the stack: an indirect backward-edge transfer. When a function pointer is called, such as an entry of a virtual table, there is an indirect forward-edge transfer.

Attackers seek to inject code into a program to make use of its privileges or to extract data from its memory space. Before executable code was commonly made read-only, an attacker could simply overwrite the code as it ran, redirecting even direct transfers or needing no control transfer at all. After W^X (memory is writable or executable, but never both at once) became widespread, an attacker instead has to redirect execution to code that is already executable, which requires abusing an indirect transfer: overwriting a virtual table for a forward-edge attack, or altering the call stack for a backward-edge attack (return-oriented programming). CFI is designed to keep indirect transfers from going to unintended locations.

Techniques

Associated techniques include code-pointer separation (CPS), code-pointer integrity (CPI), stack canaries, shadow stacks, and vtable pointer verification.

Implementations

Related implementations are available in Clang (LLVM in general), Microsoft's Control Flow Guard and Return Flow Guard, Google's Indirect Function-Call Checks, and the PaX Team's Reuse Attack Protector (RAP).

LLVM/Clang

LLVM/Clang provides a "CFI" option that protects the forward edge by checking virtual calls, indirect calls and type casts against the set of targets that the static types allow. It depends on link-time optimization (LTO) to see the whole program and thus know which functions are legitimate targets of each call site. There is a separate "shadow call stack" (SCS) scheme that protects the backward edge by saving each return address to a separately stored shadow stack and checking for call stack modifications on return; it is available only for AArch64.

Google has shipped Android with the Linux kernel compiled by Clang with link-time optimization (LTO) and CFI since 2018. SCS is available for the Linux kernel as an option, including on Android.

Intel Control-flow Enforcement Technology

Intel Control-flow Enforcement Technology (CET) detects compromises of control-flow integrity with a shadow stack (SS) and indirect branch tracking (IBT).

The shadow stack stores a copy of the return address of each CALL on a specially protected shadow stack that ordinary stores cannot modify. On a RET, the processor compares the return address popped from the normal stack with the one popped from the shadow stack. If they differ, the processor raises a control-protection exception (#CP, interrupt vector 21).

Indirect branch tracking detects indirect JMP or CALL instructions with unauthorized targets. It is implemented by adding a new internal state machine to the processor. The behaviour of indirect JMP and CALL instructions is changed so that they switch the state machine from IDLE to WAIT_FOR_ENDBRANCH.

In the WAIT_FOR_ENDBRANCH state, the next instruction executed must be the new ENDBRANCH instruction (ENDBR32 in 32-bit mode or ENDBR64 in 64-bit mode), which returns the state machine from WAIT_FOR_ENDBRANCH to IDLE. Thus every authorized target of an indirect JMP or CALL must begin with ENDBRANCH. If the processor is in the WAIT_FOR_ENDBRANCH state (that is, the previous instruction was an indirect JMP or CALL) and the next instruction is not ENDBRANCH, the processor raises the same #CP exception. On processors that do not support CET indirect branch tracking, ENDBRANCH instructions are interpreted as NOPs and have no effect.
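As an added illustration (not part of the original article, and not Intel's code), the following C program models both CET mechanisms on a constructed instruction trace: a shadow stack that only CALL and RET may update, and the IDLE/WAIT_FOR_ENDBRANCH tracker. The trace format, the OP_CORRUPT pseudo-event standing in for a memory-corruption bug that overwrites a saved return address, and all addresses are this model's assumptions. It reproduces the two faults the text describes: a RET whose data-stack return address no longer matches the shadow copy, and an indirect call that lands on an instruction other than ENDBRANCH.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of CET shadow stack + indirect branch tracking (not Intel's
 * code). Trace format, OP_CORRUPT and all addresses are assumptions. */

typedef enum {
    OP_CALL,    /* direct CALL: pushes return address on data and shadow stack */
    OP_ICALL,   /* indirect CALL: as OP_CALL, then tracker waits for ENDBRANCH */
    OP_IJMP,    /* indirect JMP: tracker waits for ENDBRANCH */
    OP_ENDBR,   /* ENDBR32/ENDBR64 at an authorized branch target */
    OP_RET,     /* RET: pops both stacks and compares */
    OP_OTHER,   /* any other instruction */
    OP_CORRUPT  /* not an instruction: a bug overwrites the saved return
                   address on the data stack (the shadow stack is untouched) */
} Op;

typedef struct { Op op; uint64_t addr; } Insn;

typedef enum { CET_OK = 0, CET_CP_SHADOW_MISMATCH, CET_CP_MISSING_ENDBR } CetResult;
typedef struct { CetResult result; long fault_at; } CetOutcome; /* fault_at: trace index, or -1 */

#define STACK_MAX 64

CetOutcome cet_run(const Insn *trace, size_t n)
{
    uint64_t data[STACK_MAX], shadow[STACK_MAX];
    size_t sp = 0;                 /* both stacks move in lock-step in this model */
    int wait_for_endbr = 0;        /* the IBT state machine: 0 = IDLE */
    CetOutcome out = { CET_OK, -1 };

    for (size_t i = 0; i < n; i++) {
        Op op = trace[i].op;
        /* IBT: in WAIT_FOR_ENDBRANCH the next instruction must be ENDBRANCH. */
        if (wait_for_endbr && op != OP_ENDBR && op != OP_CORRUPT) {
            out.result = CET_CP_MISSING_ENDBR; out.fault_at = (long)i; return out;
        }
        switch (op) {
        case OP_CALL:
        case OP_ICALL:
            if (sp == STACK_MAX) return out;            /* model limit */
            data[sp] = shadow[sp] = trace[i].addr;      /* hardware keeps its own copy */
            sp++;
            wait_for_endbr = (op == OP_ICALL);
            break;
        case OP_IJMP:
            wait_for_endbr = 1;
            break;
        case OP_ENDBR:
            wait_for_endbr = 0;                         /* back to IDLE; a NOP when already IDLE */
            break;
        case OP_CORRUPT:
            if (sp > 0) data[sp - 1] = trace[i].addr;   /* only the writable stack changes */
            break;
        case OP_RET:
            if (sp == 0) break;
            sp--;
            /* SS: the popped return address must equal the shadow copy. */
            if (data[sp] != shadow[sp]) {
                out.result = CET_CP_SHADOW_MISMATCH; out.fault_at = (long)i; return out;
            }
            break;
        case OP_OTHER:
            break;
        }
    }
    return out;
}

#define RUN(t) cet_run((t), sizeof (t) / sizeof ((t)[0]))

/* Constructed traces; addresses are arbitrary. */
CetOutcome demo_benign(void)   /* indirect call to a function that starts with ENDBR */
{
    static const Insn t[] = { {OP_ICALL, 0x401010}, {OP_ENDBR, 0}, {OP_OTHER, 0},
                              {OP_RET, 0}, {OP_CALL, 0x401020}, {OP_RET, 0} };
    return RUN(t);
}
CetOutcome demo_rop(void)      /* saved return address overwritten after the CALL */
{
    static const Insn t[] = { {OP_CALL, 0x401030}, {OP_CORRUPT, 0xdeadbeef}, {OP_RET, 0} };
    return RUN(t);
}
CetOutcome demo_jop(void)      /* indirect call into the middle of a function */
{
    static const Insn t[] = { {OP_ICALL, 0x401040}, {OP_OTHER, 0}, {OP_RET, 0} };
    return RUN(t);
}

int main(void)
{
    static const char *names[] = { "ok", "#CP shadow-stack mismatch", "#CP missing ENDBRANCH" };
    CetOutcome o[3] = { demo_benign(), demo_rop(), demo_jop() };
    for (int i = 0; i < 3; i++)
        printf("trace %d: %s (instruction %ld)\n", i, names[o[i].result], o[i].fault_at);
    return 0;
}
```

The ROP trace faults at the RET (index 2), because the corrupted data-stack value is compared against an untouched shadow copy; the JOP trace faults one instruction after the indirect call (index 1), before the gadget executes at all.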
Microsoft Control Flow Guard

Control Flow Guard (CFG) was first released for Windows 8.1 Update 3 (KB3000850) in November 2014. Developers can add CFG to their programs by passing the /guard:cf flag to the compiler and linker in Visual Studio 2015 or newer.

As of the Windows 10 Creators Update (Windows 10 version 1703), the Windows kernel is compiled with CFG. The Windows kernel uses Hyper-V to prevent malicious kernel code from overwriting the CFG bitmap.

CFG operates by creating a per-process bitmap in which a set bit indicates that the corresponding address is a valid indirect-call destination. Before each protected indirect function call, the application checks whether the destination address is marked in the bitmap; if it is not, the program terminates. This makes it more difficult for an attacker to exploit a use-after-free by replacing an object's contents and then using an indirect function call through the replaced object to execute a payload.

Implementation details

For every protected indirect function call, the _guard_check_icall function is called with the target address. It performs the following steps (described here for the 32-bit layout):

1. Convert the target address to a word offset and a bit number in the bitmap.
   - The highest 3 bytes of the address (address >> 8) select a 32-bit word of the bitmap, so each word covers 256 bytes of address space.
   - The bit number is a 5-bit value. Its upper four bits are bits 4 through 7 of the address, which identify the 16-byte chunk within those 256 bytes.
   - Its lowest bit is 0 if the target address is 16-byte aligned (its low four bits are zero) and 1 if it is not.
2. Examine the selected bit.
   - If the bit is set, the target is in the bitmap: return without error.
   - If the bit is clear, the target is not in the bitmap: terminate the program.
Bypass techniques

There are several generic techniques for bypassing CFG:

- Set the destination to code located in a non-CFG module loaded in the same process.
- Find an indirect call that is not protected by CFG (either CALL or JMP).
- Call a function with a different number of arguments than the call site was designed for, causing a stack misalignment and code execution after the function returns (patched in Windows 10).
- Call a function with the same number of arguments, but where one of the pointers passed is treated as an object and written through at a pointer-based offset, allowing a return address to be overwritten.
- Overwrite the function pointer used by CFG to validate the address (patched in March 2015).
- Set the CFG bitmap to all 1s, allowing all indirect function calls.
- Use a controlled-write primitive to overwrite an address on the stack (since the stack is not protected by CFG).

Microsoft eXtended Flow Guard

eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at BlueHat Shanghai in 2019.

XFG extends CFG by validating function call signatures, so that an indirect call can only reach the subset of valid functions that have the same signature as the call site expects. Signature validation is implemented by having the compiler store a hash of the target function's signature in register r10 immediately before the indirect call, and by placing the same hash in the memory immediately preceding each function's code. When the indirect call is made, the XFG validation function compares the value in r10 with the hash stored in front of the target function.
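An added example (not Microsoft's code) that models the comparison the paragraph describes. The hash function (64-bit FNV-1a over a canonical prototype string), the three-function module image, and keeping the "hash before the entry point" in a table instead of in the eight bytes in front of the code are assumptions of this model; real XFG derives its hash from the compiler's type information. The point it makes is the granularity difference: a CFG-style check accepts any function entry point, whereas the XFG check accepts a swapped target only if its signature hash matches the one the call site loaded into r10.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the XFG signature check (not Microsoft's code). The hash
 * function, the prototype strings and the table standing in for the 8 bytes
 * before each entry point are assumptions of this model. */

/* One function of a constructed module image. In an XFG build the compiler
 * emits the signature hash in the 8 bytes immediately preceding the code. */
typedef struct {
    const char *name;
    const char *prototype;  /* canonical signature the hash is derived from */
} ImageFunction;

static const ImageFunction image[] = {
    { "add",     "int(int,int)" },
    { "sub",     "int(int,int)" },
    { "run_cmd", "int(const char*)" },
};
#define IMAGE_FUNCS (sizeof image / sizeof image[0])

/* Assumption: 64-bit FNV-1a over the prototype string. Real XFG derives
 * its hash from the compiler's type information, not from text. */
uint64_t xfg_type_hash(const char *prototype)
{
    uint64_t h = 14695981039346656037ULL;
    for (const unsigned char *p = (const unsigned char *)prototype; *p; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    return h;
}

/* The value that sits in memory just before function 'target'. */
static uint64_t hash_before_entry(size_t target)
{
    return xfg_type_hash(image[target].prototype);
}

/* CFG-style check: any function entry point in the image is acceptable. */
int cfg_allows(size_t target) { return target < IMAGE_FUNCS; }

/* XFG dispatch: r10 holds the hash the call site computed from the static
 * type of the pointer it calls through; it must match the callee's hash. */
int xfg_dispatch_icall(size_t target, uint64_t r10)
{
    if (!cfg_allows(target)) return 0;
    return hash_before_entry(target) == r10;
}

/* A call site whose pointer has the signature of image[declared_type], but
 * which an attacker has redirected to image[actual_target]. Returns 1 if the
 * XFG check lets the call through, 0 if it fast-fails. */
int demo_swapped_call(size_t declared_type, size_t actual_target)
{
    uint64_t r10 = xfg_type_hash(image[declared_type].prototype); /* mov r10, <hash> */
    return xfg_dispatch_icall(actual_target, r10);                /* call XFG dispatch */
}

int main(void)
{
    printf("add -> sub     : CFG %d, XFG %d\n", cfg_allows(1), demo_swapped_call(0, 1));
    printf("add -> run_cmd : CFG %d, XFG %d\n", cfg_allows(2), demo_swapped_call(0, 2));
    return 0;
}
```

Redirecting an `int(int,int)` pointer from add to sub passes both checks, because the two functions share a signature hash; redirecting it to run_cmd passes the CFG-style check but fails the XFG comparison.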
See also

Buffer overflow protection
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.