Microsoft’s Control Flow Guard (CFG) is an in-built security feature for Windows that prevents memory attacks. However, at Black Hat Asia, a team of researchers will demo a technique for escaping Control Flow Guard.
The feature is supposed to stop hacks from exploiting memory corruption errors. It has been in Windows since version 8.1 and is in Windows 10. It is similar to another Microsoft security tool called Address Space Randomization Layer (ASLR) which is also designed to prevent memory corruption exploits.
At the upcoming Black Hat Asia, held in Singapore this month, a team out of the University of Padua in Italy will show how they exploited CFG. Researchers say they bypassed the feature because of a major flaw in its system.
Ahead of the event, the team has published a technical paper showing how the exploit works. CFG is supposed to stop attacks from changing the flow of a program towards their own malware code. This is achieved by making sure the flow of executed functions follows a specific paths. This stops indirect calls.
Andrea Biondo, a computer science researcher at Padua says “an attacker can’t just hijack execution to arbitrary locations.” However, there is a problem with CFG because of compromises Microsoft made to achieve backward compatibility. A design flaw could allow attacks to be coordinated and combined to beat CFG restrictions.
“The [control flow] restriction is precise only when the allowed targets are aligned to 16 bytes,” Biondo says. “If they are not, then there is a 16-byte imprecision around the target” that attackers can exploit, he adds.
The researchers found exploitable gadgets in code within Windows system libraries from most 32-bit applications and 64-bit Windows browsers. “By combining the presence of unaligned targets in common libraries with the predictability of the layout of functions generated by the compiler, we can bypass CFG,” Biondi says.
Dubbed the Back to the Epilogue (BATE) exploit, the attack code will be demoed on Windows 10 through the Microsoft Edge browser.
“To the best of our knowledge, Microsoft is going to fix this in the RS4 Windows update,” Biondo concludes.