Liberation Guard – CFG Enhancement

In my search of Bug Bounty programs, I found Microsoft’s page and started to learn about CFG – Microsoft’s CFI implementation. From this research I developed “Liberation Guard”, a security enhancement to CFG that aims to block virtual table hijacking exploits.

Full technical article

Here is the full article as it was sent to Microsoft: Liberation Guard – article.

More Background

Microsoft’s Control-Flow-Guard (CFG) is probably the simplest control flow integrity that can be developed. This protection scheme gives only a single CFI protection bit for indirect calls:

  • 0 – Not the start of a function – indirect call is prohibited
  • 1 – The start of a function – indirect call is allowed

Despite this coarse-grained CFI, Microsoft implemented several elegant solutions to enable the compression of their huge CFI bitmap.

Since popular high-profile programs often use C++ design, they heavily rely on virtual calls. And so, the basic motivation for my research was to enhance CFG, so it will be enable to enforce yet another CFI bit:

  • 0 – Not a virtual method – indirect virtual call is prohibited
  • 1 – The start of a virtual method – indirect virtual call is allowed


It seems that Microsoft are now more security-oriented, and the latest releases of Windows versions comes with new security mechanisms. It is notable that Microsoft acknowledge the fact that security researchers can help in improving their techniques, and it seems that their bug bounty programs are a simple win-win situation. Future releases of windows 10 seems even more promising, with the entrance of the new RFG mechanism, and it looks like white hats and black hats will have plenty of new security techniques to improve and/or bypass.

Author: eyalitkin

White hat security researcher. Recently finished my M.s.c at TAU, and now focus on security research, mainly in open sources.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: