Abstract

Microsoft Control Flow Guard (CFG) is the Control Flow Integrity mechanism currently in place on all Windows operating systems, from Windows 8.1 to the most recent update of Windows 10, protecting more than 500 million machines.

We built an attack against Windows CFG that completely evades its integrity checks and transfers control to any location, thus obtaining arbitrary code execution. We leverage a significant design tradeoff of CFG between precision, performance, and backwards compatibility; in particular, the latter motivates 16-byte address granularity in some circumstances. This vulnerability, inherent to the CFG design, allows us to call gadgets that should not be allowed, and that we chain together to escape CFG.
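As an added illustration (not the authors' code and not Windows internals), here is a simplified Python model of a 16-byte-granular call-target bitmap: a function entry that is not 16-byte aligned forces the check to accept every address in its chunk, and a defender can measure how many non-entry addresses that admits. The chunk encoding, the sample addresses and the `over_approximated_targets` helper are constructed assumptions of the model.

```python
"""Simplified model of a CFG-style indirect-call target check.

Added example, not Microsoft's or the talk's code. The address space is split
into 16-byte chunks; each chunk records whether it holds a valid call target and
whether that target sits at the aligned chunk start or somewhere inside it.
"""
from dataclasses import dataclass, field

CHUNK = 16  # granularity of the modelled bitmap, one entry per 16 bytes


@dataclass
class CfgBitmapModel:
    aligned: set = field(default_factory=set)    # chunks with a 16-byte-aligned target
    unaligned: set = field(default_factory=set)  # chunks whose target is unaligned

    def register_target(self, addr: int) -> None:
        chunk = addr // CHUNK
        if addr % CHUNK == 0:
            self.aligned.add(chunk)
        else:
            # Backwards-compatibility tradeoff in the model: an unaligned entry
            # cannot be recorded precisely, so the whole chunk becomes acceptable.
            self.unaligned.add(chunk)

    def is_valid_target(self, addr: int) -> bool:
        chunk = addr // CHUNK
        if chunk in self.unaligned:
            return True  # any address inside this 16-byte chunk passes the check
        return chunk in self.aligned and addr % CHUNK == 0


def over_approximated_targets(functions, instructions):
    """Return non-entry instruction addresses the check would still accept.

    functions: constructed function entry addresses of a module
    instructions: constructed instruction start addresses of the same module
    """
    bitmap = CfgBitmapModel()
    for entry in functions:
        bitmap.register_target(entry)
    entries = set(functions)
    return sorted(a for a in instructions
                  if a not in entries and bitmap.is_valid_target(a))


# Constructed sample module: three functions, one of them entered at 0x1014,
# i.e. four bytes into the 0x1010 chunk, right after the previous epilogue.
SAMPLE_INSTRUCTIONS = [0x1000, 0x1004, 0x1008, 0x100C, 0x1010, 0x1014,
                       0x1018, 0x101C, 0x1020, 0x1030, 0x1034]
UNALIGNED_FUNCTIONS = [0x1000, 0x1014, 0x1030]
ALIGNED_FUNCTIONS = [0x1000, 0x1010, 0x1030]

if __name__ == "__main__":
    print([hex(a) for a in over_approximated_targets(UNALIGNED_FUNCTIONS, SAMPLE_INSTRUCTIONS)])
    print(over_approximated_targets(ALIGNED_FUNCTIONS, SAMPLE_INSTRUCTIONS))
```

In the model, padding every function entry to a 16-byte boundary shrinks the accepted set back to exact entries, which is the precision the coarse check gives up for compatibility.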

These gadgets are more common than one would expect: we ran a thorough evaluation of Windows system libraries and found many exploitable gadgets in code loaded by almost all applications on 32-bit systems and by high-value targets (such as Edge and Internet Explorer) on 64-bit systems. Every application that loads these gadgets is exposed to our attack, which proves to be universal enough to be very practical.

In this talk, we will present how we noticed this design vulnerability, how we built our attack on top of it, and its projected impact. On top of that, we show its real-world feasibility by using it as part of a remote code execution exploit against the Microsoft Edge web browser running on 64-bit Windows 10. All thanks to less than 16 bytes.