6

To quote from MSDN:

> Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
>
> We strongly encourage developers to enable CFG for their applications. You don't have to enable CFG for every part of your code, as a mixture of CFG enabled and non-CFG enabled code will execute fine. But failing to enable CFG for all code can open gaps in the protection. Furthermore, CFG enabled code works fine on "CFG-Unaware" versions of Windows and is therefore fully compatible with them.

So when would I not enable it?

Or in other words, what do I have to check about my code before I enable it and what are the risks?

Ian Ringrose

1 Answer

1

Looks like it makes the program run slower. They do not say by how much, though. Plain language of the article suggests that all indirect calls are now going through the kernel? If it is true, this is truly disastrous.

SergeyA
  • Here is a good article with more details: [Exploring Control Flow Guard in Windows 10, Jack Tang, Trend Micro Threat Solution Team](http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf) – paulsm4 May 09 '17 at 15:56
  • I worked out that much, but decided that other people must be asking the same question and a great answer with a checklist etc. could get **many** votes. As there is nothing in the first few hits on Google that lists the negatives in a clear way. – Ian Ringrose May 09 '17 at 16:04
  • I don't think the indirect calls go anywhere near the kernel address space, just a Windows lib running in the user address space checking them. But as the kernel can move functions about when a process starts, it has to take part in the system. – Ian Ringrose May 09 '17 at 16:06