Microsoft today said that it worked with the LLVM and Rust development teams to add support for the Windows Control Flow Guard (CFG) platform security feature into the Clang and rustc compilers.
CFG is designed to block malicious code from changing the intended control flow of Windows programs. It complements other exploit-mitigation technologies such as /GS (Buffer Security Check), Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR), and it makes it harder to run arbitrary code by exploiting memory bugs such as buffer overflows.
CFG was first released with the Windows 8.1 KB3000850 update in November 2014 and is available today on all Windows 10 devices, with the Windows kernel now compiled with CFG support since Windows 10 Creators Update (Windows 10, version 1703).
Support added to latest Clang and rustc versions
Adding CFG support to the rustc Rust compiler and the Clang 10.0 C/C++ compiler lets developers compile Windows application source code written in C/C++ (or Rust) with CFG enabled without using Microsoft Visual C++, as Microsoft Security Response Center senior researcher Andrew Paverd explained.
“LLVM 10.0 now supports CFG. Our implementation of CFG is fully contained within the core libraries, making it reusable by any compiler built on LLVM – the frontend compiler simply needs to set the correct flags,” Paverd added.
“CFG is available in Rust 1.47 (currently the nightly version). To enable CFG, simply add the -C control-flow-guard flag.”
As a direct result of this update, Windows builds of the Google Chrome and Microsoft Edge web browsers will also soon come with CFG support since the Chromium codebase is compiled with Clang.
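A practical follow-up to the compiler flags above is checking whether a shipped binary was actually linked with CFG: the linker records this in the PE optional header by setting IMAGE_DLLCHARACTERISTICS_GUARD_CF (0x4000) in the DllCharacteristics field, next to the bits for DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE, HIGH_ENTROPY_VA). The Python below is an added example written for this page; it is not code from the article, Microsoft, LLVM or the Rust project. It parses that field from an in-memory PE image and reports the mitigation bits; the sample images are constructed, headers-only byte strings, and the names build_minimal_pe, has_cfg and mitigation_summary are chosen here.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header is 20 bytes; SizeOfOptionalHeader sits at offset 16
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def has_cfg(data: bytes) -> bool:
    """True when the linker marked the image as CFG-enabled (/guard:cf)."""
    return bool(pe_dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def mitigation_summary(data: bytes) -> dict:
    """Report the header-level mitigation bits discussed in the article."""
    flags = pe_dll_characteristics(data)
    return {
        "cfg": bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample input: a headers-only PE image (not a loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_cfg.py <path-to-exe-or-dll>; falls back to a constructed sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_minimal_pe(0x4160)  # HIGH_ENTROPY | DYNAMIC_BASE | NX_COMPAT | GUARD_CF
    print(mitigation_summary(image))
```

The GUARD_CF header bit only says the linker enabled CFG for the image; the per-module details (the guard function table and GuardFlags) live in the load config directory, which this example does not parse. For a C/C++ build with clang-cl the corresponding switch is /guard:cf, and `dumpbin /headers` lists "Control Flow Guard" under the DLL characteristics of an image that has the bit set.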
“Working with the LLVM and Rust open-source communities has been a very positive experience,” Paverd said.
“We particularly thank those members of the communities who contributed to this work through design suggestions, code reviews, and other advice.”
Control-flow hijacking protection efforts
Microsoft also worked with Intel and other industry partners on an effort to mitigate control-flow hijacking attacks, which led to the development of the Intel CET (Control-flow Enforcement Technology) CPU-level security capability, for which Intel has published a technical specification.
Support for Intel CET is also included in the latest Windows 10 builds, where it is known as Hardware-enforced Stack Protection. It adds two key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT).
IBT and SS are designed to protect against jump/call-oriented programming (JOP and COP) and return-oriented programming (ROP) attacks, respectively.
At the moment, Microsoft is also testing a new Windows 10 security feature known as Kernel Data Protection (KDP) which blocks malicious actors from corrupting drivers and software running in the Windows kernel.
Two months ago, Redmond announced that Microsoft Defender Advanced Threat Protection (ATP) can also now detect and protect customers from Unified Extensible Firmware Interface (UEFI) malware with the help of a new UEFI scanner.