Never Let Your Guard Down - Finding Unguarded Gates to Bypass Control Flow Guard with Big Data

Explore the intricacies of bypassing Control Flow Guard (CFG) in this 37-minute Black Hat conference talk. Delve into the security mechanism designed to prevent indirect branches from redirecting control flow to unexpected locations. Learn about the implementation of CFG in Windows 10 and its functioning through control-flow check-functions. Discover the research approach using Performance Monitoring Unit (PMU) and Windows API to identify unguarded gates. Examine attack surfaces, including indirect jumps and temporary code buffers. Analyze results focusing on Windows Storage Library, IE LQR Library, and IE Data Segment. Understand the implications of writable function pointers and Microsoft's response to reported vulnerabilities. Gain insights into future work and current developments in this critical area of cybersecurity.

Introduction
Agenda
Safety Implementation Overview
Operating System
Safety Bypass
Previous Research
Attack Surfaces
Indirect Jump
Temporary Code Buffer
Research Work
Research Focus
Function Pointer
Research Approach
PMU
Windows API
Example
Data Collection
Data Collection Example
Process Processing Pipeline
Analysis Results
Windows Storage Library
IE LQR Library
IE Data Segment
Microsoft Catch Flag
More Interest
Writable Function Pointer
Report to Microsoft
Microsoft fix
Future work
Current work
References