Liberation Guard – CFG Enhancement

In my search for bug bounty programs, I found Microsoft's page and started to learn about CFG, Microsoft's CFI implementation. From this research I developed "Liberation Guard", a security enhancement to CFG that aims to block virtual table hijacking exploits.

Full technical article

Here is the full article as it was sent to Microsoft: Liberation Guard – article.

More Background

Microsoft's Control Flow Guard (CFG) is probably the simplest control-flow integrity scheme that can be built. It provides only a single CFI protection bit for the target of an indirect call:

  • 0 – Not the start of a function: an indirect call to this address is prohibited
  • 1 – The start of a function: an indirect call to this address is allowed

Despite this coarse-grained CFI, Microsoft implemented several elegant solutions to compress their huge CFI bitmap.

Since popular high-profile programs are often written in C++, they rely heavily on virtual calls. The basic motivation for my research was therefore to enhance CFG so that it can enforce one more CFI bit:

  • 0 – Not a virtual method: an indirect virtual call to this address is prohibited
  • 1 – The start of a virtual method: an indirect virtual call to this address is allowed
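To make the difference between the two bits concrete, here is an added example (mine, not code from the article or from Microsoft's implementation) that models both checks over a small constructed address space. The flag names, slot addresses, vtable layout and the helper functions are all assumptions made for this illustration; CFG's real bitmap encoding is not reproduced. The model covers both the single CFG bit described above and the extra virtual-method bit: a vtable slot redirected to the start of an ordinary function passes the CFG check but fails the virtual-call check, while a target inside a function body fails both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of a CFI bitmap. Instead of real code addresses, a small
 * address space of CODE_SIZE slots is used, with one byte of flags per slot:
 *   CFI_FUNC_START    - the CFG bit: the slot is the start of a function
 *   CFI_VIRTUAL_START - the proposed extra bit: the slot is the start of a
 *                       virtual method
 * All names and addresses here are assumptions for the example.
 */
#define CODE_SIZE 64

enum cfi_flags {
    CFI_FUNC_START    = 1u << 0,
    CFI_VIRTUAL_START = 1u << 1,
};

static uint8_t cfi_bitmap[CODE_SIZE];

/* Populates the bitmap, as a loader would do once per function. */
void cfi_mark(unsigned addr, uint8_t flags)
{
    if (addr < CODE_SIZE)
        cfi_bitmap[addr] |= flags;
}

/* Plain CFG: an indirect call may target any function start. */
bool cfg_check_icall(unsigned target)
{
    return target < CODE_SIZE && (cfi_bitmap[target] & CFI_FUNC_START) != 0;
}

/* Liberation Guard: a virtual call must additionally target a virtual method. */
bool lg_check_vcall(unsigned target)
{
    if (!cfg_check_icall(target))
        return false;
    return (cfi_bitmap[target] & CFI_VIRTUAL_START) != 0;
}

/* Constructed program layout (slot indices, not real addresses). */
enum {
    ADDR_HELPER_FUNC    = 0x08, /* ordinary non-virtual function */
    ADDR_SHAPE_DRAW     = 0x10, /* Shape::draw, a virtual method */
    ADDR_SHAPE_DRAW_MID = 0x13, /* an instruction inside Shape::draw */
    ADDR_SHAPE_AREA     = 0x20, /* Shape::area, another virtual method */
};

/* A vtable is an array of slot addresses; an object carries a pointer to it. */
typedef struct { const unsigned *vtable; } object_t;

static const unsigned shape_vtable[] = { ADDR_SHAPE_DRAW, ADDR_SHAPE_AREA };

void load_program(void)
{
    cfi_mark(ADDR_HELPER_FUNC, CFI_FUNC_START);
    cfi_mark(ADDR_SHAPE_DRAW,  CFI_FUNC_START | CFI_VIRTUAL_START);
    cfi_mark(ADDR_SHAPE_AREA,  CFI_FUNC_START | CFI_VIRTUAL_START);
}

/* Virtual dispatch through vtable slot `slot`, guarded by the chosen check.
   Returns the target address if the call is allowed, or -1 if it is blocked. */
int dispatch_vcall(const object_t *obj, size_t slot, bool (*check)(unsigned))
{
    unsigned target = obj->vtable[slot];
    return check(target) ? (int)target : -1;
}

/* Scenario 1: an intact object; both checks allow the call. */
int call_legit(bool (*check)(unsigned))
{
    load_program();
    object_t obj = { shape_vtable };
    return dispatch_vcall(&obj, 0, check);
}

/* Scenario 2: the vtable pointer was overwritten to point at memory whose first
   slot holds the start of an ordinary function. CFG's single bit sees a valid
   function start and allows it; the virtual-method bit blocks it. */
int call_hijacked_to_func_start(bool (*check)(unsigned))
{
    load_program();
    static const unsigned fake_vtable[] = { ADDR_HELPER_FUNC, ADDR_HELPER_FUNC };
    object_t obj = { fake_vtable };
    return dispatch_vcall(&obj, 0, check);
}

/* Scenario 3: the fake slot points into the middle of a function; both block. */
int call_hijacked_to_mid_function(bool (*check)(unsigned))
{
    load_program();
    static const unsigned fake_vtable[] = { ADDR_SHAPE_DRAW_MID, ADDR_SHAPE_DRAW_MID };
    object_t obj = { fake_vtable };
    return dispatch_vcall(&obj, 0, check);
}

int main(void)
{
    printf("legit      cfg=%d lg=%d\n", call_legit(cfg_check_icall), call_legit(lg_check_vcall));
    printf("func start cfg=%d lg=%d\n", call_hijacked_to_func_start(cfg_check_icall),
           call_hijacked_to_func_start(lg_check_vcall));
    printf("mid func   cfg=%d lg=%d\n", call_hijacked_to_mid_function(cfg_check_icall),
           call_hijacked_to_mid_function(lg_check_vcall));
    return 0;
}
```

The point the model makes is that the second bit shrinks the set of addresses a corrupted vtable slot can reach from "every function start in the process" to "every virtual method start", which is the gap the Liberation Guard proposal targets.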

Conclusion

It seems that Microsoft is now more security-oriented, and the latest Windows releases come with new security mechanisms. It is notable that Microsoft acknowledges that security researchers can help improve their techniques, and their bug bounty programs appear to be a simple win-win situation. Future releases of Windows 10 seem even more promising, with the introduction of the new RFG mechanism, and it looks like white hats and black hats will have plenty of new security techniques to improve and/or bypass.

Author: Eyal Itkin

Former white hat security researcher.
