A web browser team has found a major performance discrepancy in Chromium on Windows 10 compared to Windows 7. The Vivaldi browser team reached out to Google’s Chromium team and the company confirmed the issue. It seems the problem was caused by the Control Flow Guard in Microsoft’s platform.
Control Flow Guard is a feature of Windows Defender that was introduced with Windows 8.1 and extended to Windows 10. Importantly, it is not available for Windows 7, hence the performance gap in Chromium.
Vivaldi ran Chromium unit tests on Windows 7 and found they were running faster than on the much newer Windows 10.
After being informed of the problem, Google ran its own internal tests. Bruce Dawson, a Google engineer, found that Control Flow Guard is the problem. In fact, he said “CFG strikes again”, suggesting Google has experienced difficulties working with the security measure before.
Google has now disabled the tool in their tests and sent the information to Microsoft. In response, the Windows Kernel Team confirmed the problem and said a fix will be sent out within the next few weeks. We guess that means when the May Patch Tuesday rolls around.
CreateProcess had O(n^2) performance for CFG data. Now it doesn't.
Timeline of this Windows performance bug:
April 15: Initial private report
April 21: Isolated repro and blog post
April 23: Fix built (flighting in a few weeks) https://t.co/PLsWMqeier
— Bruce Dawson (Antifa) (@BruceDawson0xB) April 24, 2019
End User Problems
Dawson published a blog post to accompany his findings, and said the problem may not be overly noticeable on Chrome. That’s because “there is no sign this affects Chrome itself because only large .exe files are affected”.
However, Yngve Petterson, the Vivaldi engineer who found the CFG flaw, says browsers like Chrome and Vivaldi may be affected.
“It could be the issue that affects normal browser usage too, since both Chrome and Vivaldi start new processes for each tab, but as much of actual code is located in DLLs shared among the processes, and Windows CFG is reused for DLLs, it might not be noticeable in normal use”
Either way, it is possible to disable Control Flow Guard in Windows 10 via this path:
- Click on Start
- Search for defender, open Windows Security
- Select “App & browser Control”
- Choose “Exploit Protection Settings”
- Select “Control Flow Guard” and choose “Off by default”.