Back to Home

Microsoft can integrate CFG into the Windows kernel / ESET NOD32 Blog

windows 10 · security

Microsoft can integrate CFG into the Windows kernel

    We have repeatedly praised Microsoft in those posts on our corporate blog that focused on the new security features of Windows 10 & 8.1. Windows 10 is constantly acquiring new security features to counter the exploitation of both RCE and LPE vulnerabilities. These functions are available to applications through the kernel32! SetProcessMitigationPolicy API . In our pastIn this post, we talked about the upgraded Kernel ASLR function, which began to extend not only to downloadable kernel mode images, but also to critical data structures such as work set list (WSL), directory and page tables, PFN database, hyperspace, etc. This function was received by all users of the big anniversary update for Windows 10. We also dwell in more detail on the Linux subsystem in Windows 10. This time we will talk about the possible implementation of the Control Flow Guard (CFG) protective measure in kernel mode.

    The famous Windows 10 internal device guru Alex Ionescu said on his Twitter that the new Windows 10 Insider Preview build contains a kernel with the ntoskrnl! MiInitializeKernelCfg internal function. The name of the function indicates a possible implementation of CFG in kernel mode. True, so far, no other evidence of this hypothesis has been presented.

    Many system executables on Windows 8.1 & 10 are provided with a protective CFG measure. For example, system processes such as Svchost, Services, Winlogon, Explorer are equipped with CFG support. CFG itself requires support from both the bootloader of Windows executable images and the executable file. The latter has a separate directory for the CFG data in the PE header.


    Fig. Service Manager on Windows 8.1+ has built-in CFG support.

    If it is really about implementing CFG in kernel mode, system drivers with CFG support may appear in newer Windows builds. The new security feature will help Windows deal with LPE exploits that can use various exploitation methods to intercept code control from a working driver.

    Read Next