
Windows Control Flow Guard Security Feature Can be Exploited Confirm Researchers

A team from Italy's University of Padua says Control Flow Guard in Windows 10 and 8.1 can be bypassed, letting an attacker who already controls a function pointer divert execution to code of their choosing.


Microsoft's Control Flow Guard (CFG) is a built-in Windows mitigation that makes memory corruption bugs harder to exploit by restricting where an indirect call may land. However, at Black Hat Asia, a team of researchers will demo a technique for escaping it.

The feature is meant to stop exploits from turning memory corruption errors into arbitrary code execution. It has shipped in Windows since 8.1 and is present in Windows 10. It complements another Microsoft mitigation, Address Space Layout Randomization (ASLR), which also aims to make memory corruption exploits unreliable, though the two work differently: ASLR hides where code is loaded, while CFG restricts where an indirect call may go.

At the upcoming Black Hat Asia, held in Singapore this month, a team from the University of Padua in Italy will show how they bypassed CFG. The researchers say the bypass rests on a design flaw in how CFG validates call targets.

Ahead of the event, the team has published a technical paper explaining how the attack works. CFG is meant to stop an exploit from redirecting a program's control flow into attacker-chosen code. It does this by checking, before every indirect call (a call through a function pointer), that the destination is one of the function entry points the program legitimately uses. Indirect calls themselves are not stopped; what is blocked is an indirect call to an address outside that allowed set.

Andrea Biondo, a computer science researcher at Padua, says "an attacker can't just hijack execution to arbitrary locations." However, CFG carries compromises Microsoft made to achieve backward compatibility, and the resulting design flaw lets an attacker combine several weaknesses to beat the restriction.

“The [control flow] restriction is precise only when the allowed targets are aligned to 16 bytes,” Biondo says. “If they are not, then there is a 16-byte imprecision around the target” that attackers can exploit, he adds.

Exploiting CFG

The researchers found usable gadgets in Windows system libraries that are loaded by most 32-bit applications and by 64-bit browsers. "By combining the presence of unaligned targets in common libraries with the predictability of the layout of functions generated by the compiler, we can bypass CFG," Biondo says.
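To make the 16-byte imprecision concrete, here is an added example, written for this page and not code from the Padua team or from Windows, that models the CFG call-target check in C. Real CFG keeps two bits per 16-byte chunk of code; the model below uses that two-bit idea over a 64 KiB toy address space with a constructed function layout, so the exact bit encoding, the helper names and the addresses are assumptions. It shows that an aligned entry point is checked exactly, while an unaligned entry makes every address in its 16-byte chunk acceptable, including the bytes just before it that belong to the preceding function's epilogue, which is the foothold the BATE technique builds on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the CFG call-target bitmap (assumption: real CFG also keeps
 * two bits per 16-byte chunk, but its exact bit layout is simplified here).
 * Bit 0: a valid target lives in this chunk.  Bit 1: that target is not
 * 16-byte aligned.  The address space is shrunk to 64 KiB.
 */
#define CHUNK_BITS 4u
#define CHUNK_SIZE (1u << CHUNK_BITS)
#define ADDR_SPACE 0x10000u
#define NCHUNKS    (ADDR_SPACE >> CHUNK_BITS)

static uint8_t cfg_bitmap[NCHUNKS];

static void cfg_reset(void)
{
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
}

/* Loader side: register one legitimate indirect-call target (a function entry). */
static void cfg_mark_target(uint16_t entry)
{
    uint8_t *bits = &cfg_bitmap[entry >> CHUNK_BITS];
    *bits |= 1u;                                   /* chunk holds a valid target */
    if (entry & (CHUNK_SIZE - 1u))
        *bits |= 2u;                               /* ... and it is unaligned */
}

/* Dispatch side: the check run before every guarded indirect call. */
static bool cfg_check(uint16_t target)
{
    uint8_t bits = cfg_bitmap[target >> CHUNK_BITS] & 3u;
    if (bits == 0)
        return false;                              /* no target in this chunk */
    if (bits & 2u)
        return true;                               /* unaligned entry: the whole chunk passes */
    return (target & (CHUNK_SIZE - 1u)) == 0;      /* aligned entry: exact address only */
}

/*
 * Count addresses the check accepts that are not registered entries.
 * Aligned-only layouts give zero; every unaligned entry leaks the other
 * 15 bytes of its chunk.
 */
static size_t cfg_slack_bytes(const uint16_t *entries, size_t n)
{
    size_t slack = 0;
    for (uint32_t addr = 0; addr < ADDR_SPACE; addr++) {
        if (!cfg_check((uint16_t)addr))
            continue;
        bool is_entry = false;
        for (size_t i = 0; i < n; i++) {
            if ((uint32_t)entries[i] == addr) {
                is_entry = true;
                break;
            }
        }
        if (!is_entry)
            slack++;
    }
    return slack;
}

/*
 * BATE's foothold: for an unaligned entry, the bytes from the chunk base up
 * to the entry belong to the function laid out just before it, i.e. its
 * epilogue.  Returns how many of those bytes an attacker can call into
 * without tripping the check (0 when the entry is aligned or not valid).
 */
static unsigned bate_epilogue_reach(uint16_t entry)
{
    return cfg_check(entry) ? (unsigned)(entry & (CHUNK_SIZE - 1u)) : 0u;
}

int main(void)
{
    /* Constructed layout: three entries, only the last one unaligned. */
    const uint16_t entries[] = { 0x1000, 0x1F40, 0x2004 };
    const size_t n = sizeof entries / sizeof entries[0];

    cfg_reset();
    for (size_t i = 0; i < n; i++)
        cfg_mark_target(entries[i]);

    printf("call to 0x1008 allowed: %d\n", cfg_check(0x1008));                        /* 0 */
    printf("call to 0x2001 allowed: %d\n", cfg_check(0x2001));                        /* 1 */
    printf("non-entry bytes CFG accepts: %zu\n", cfg_slack_bytes(entries, n));        /* 15 */
    printf("epilogue bytes reachable before 0x2004: %u\n", bate_epilogue_reach(0x2004)); /* 4 */
    return 0;
}
```

Any C99 compiler builds this. The bytes reported by bate_epilogue_reach hold the previous function's return instruction, and CFG does not validate returns, so a corrupted function pointer aimed there hands the attacker a ret executed on a stack they can influence; the rest of the BATE chain is about what to do with that ret.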

Dubbed Back to the Epilogue (BATE), the attack will be demoed on Windows 10 against the Microsoft Edge browser. The name refers to where the gadgets come from: the tail of the function immediately before an unaligned entry point sits in the same 16-byte block, so CFG lets a corrupted function pointer land in that function's epilogue.

"To the best of our knowledge, Microsoft is going to fix this in the RS4 Windows update," Biondo concludes. RS4 is the codename for the Windows 10 April 2018 Update (version 1803).

Luke Jones