Windows Control Flow Guard support added to Rust, Clang compilers


Microsoft today said that it worked with the LLVM and Rust development teams to add support for the Windows Control Flow Guard (CFG) platform security feature into the Clang and rustc compilers.

CFG is designed to block malicious code from changing the default control flow of Windows programs. It extends other exploit mitigation technologies such as /GS (Buffer Security Check), Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR), and makes it more difficult to run arbitrary code by exploiting memory bugs such as buffer overflows.

CFG was first released with the Windows 8.1 KB3000850 update in November 2014 and is available today on all Windows 10 devices, with the Windows kernel now compiled with CFG support since Windows 10 Creators Update (Windows 10, version 1703).

Support added to latest Clang and rustc versions

Adding CFG support for the rustc Rust compiler and the Clang 10.0 C/C++ compiler allows developers to compile Windows application source code written in C/C++ with CFG support without using Microsoft Visual C++, as Microsoft Security Response Center senior researcher Andrew Paverd explained.

“LLVM 10.0 now supports CFG. Our implementation of CFG is fully contained within the core libraries, making it reusable by any compiler built on LLVM – the frontend compiler simply needs to set the correct flags,” Paverd added.

“CFG is available in Rust 1.47 (currently the nightly version). To enable CFG, simply add the -C control-flow-guard flag.”

As a direct result of this update, Windows builds of the Google Chrome and Microsoft Edge web browsers will also soon come with CFG support since the Chromium codebase is compiled with Clang.
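To confirm that a build actually carries the mitigations discussed above, a defender can read the `DllCharacteristics` field of the PE optional header, where the linker records CFG (`GUARD_CF`), DEP (`NX_COMPAT`) and ASLR (`DYNAMIC_BASE`, `HIGH_ENTROPY_VA`) support. The script below is an added example, not code from Microsoft, LLVM or Rust; the helper names and the constructed sample header are assumptions, and the header bit is only a first-pass check because the CFG function table itself lives in the load configuration directory.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR
    "DYNAMIC_BASE": 0x0040,     # ASLR
    "NX_COMPAT": 0x0100,        # DEP
    "GUARD_CF": 0x4000,         # Control Flow Guard
}

def pe_mitigations(data: bytes) -> dict:
    """Return {flag_name: bool} read from a PE image's optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # SizeOfOptionalHeader sits at offset 16 of the 20-byte COFF header.
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 72 or opt + 72 > len(data):
        raise ValueError("optional header too short for DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {name: bool(dll_chars & bit) for name, bit in FLAGS.items()}

def build_sample(dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header carrying only the fields read above."""
    img = bytearray(0x80 + 24 + 240)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 20, 240)      # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)    # PE32+ magic
    struct.pack_into("<H", img, 0x80 + 24 + 70, dll_chars)
    return bytes(img)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Run it with one or more `.exe` or `.dll` paths as arguments; a binary built without the CFG flags reports `GUARD_CF` as `False`.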

“Working with the LLVM and Rust open-source communities has been a very positive experience,” Paverd said.

“We particularly thank those members of the communities who contributed to this work through design suggestions, code reviews, and other advice.”

Control-flow hijacking protection efforts

Microsoft also worked with Intel and other industry partners as part of an effort to mitigate control-flow hijacking attacks, which led to the development of the Intel CET CPU-level security capability.

Support for Intel CET is also included in the latest Windows 10 builds, where it is known as Hardware-enforced Stack Protection. It adds two new key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT).

IBT and SS are designed to protect against jump/call oriented programming (JOP and COP) and return-oriented programming (ROP) attacks, respectively.

At the moment, Microsoft is also testing a new Windows 10 security feature known as Kernel Data Protection (KDP), which blocks malicious actors from corrupting drivers and software running in the Windows kernel.

Two months ago, Redmond announced that Microsoft Defender Advanced Threat Protection (ATP) can also now detect and protect customers from Unified Extensible Firmware Interface (UEFI) malware with the help of a new UEFI scanner.

The information is gathered from Bleeping Computer.