Liberation Guard – CFG Enhancement

In my search of Bug Bounty programs, I found Microsoft’s page and started to learn about CFG – Microsoft’s CFI implementation. From this research I developed “Liberation Guard”, a security enhancement to CFG that aims to block virtual table hijacking exploits.

Full technical article

Here is the full article as it was sent to Microsoft: Liberation Guard – article.

More Background

Microsoft’s Control-Flow-Guard (CFG) is probably the simplest control flow integrity that can be developed. This protection scheme gives only a single CFI protection bit for indirect calls:

  • 0 – Not the start of a function – indirect call is prohibited
  • 1 – The start of a function – indirect call is allowed

Despite this coarse-grained CFI, Microsoft implemented several elegant solutions to enable the compression of their huge CFI bitmap.

Since popular high-profile programs often use C++ design, they heavily rely on virtual calls. And so, the basic motivation for my research was to enhance CFG, so it will be enable to enforce yet another CFI bit:

  • 0 – Not a virtual method – indirect virtual call is prohibited
  • 1 – The start of a virtual method – indirect virtual call is allowed

Conclusion

It seems that Microsoft are now more security-oriented, and the latest releases of Windows versions comes with new security mechanisms. It is notable that Microsoft acknowledge the fact that security researchers can help in improving their techniques, and it seems that their bug bounty programs are a simple win-win situation. Future releases of windows 10 seems even more promising, with the entrance of the new RFG mechanism, and it looks like white hats and black hats will have plenty of new security techniques to improve and/or bypass.

Advertisements

Author: eyalitkin

White hat security researcher. Recently finished my M.s.c at TAU, and now focus on security research, mainly in open sources.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s