
Microsoft can integrate CFG into the Windows kernel

We have repeatedly praised Microsoft in those corporate blog posts devoted to the new security features of Windows 10 and 8.1. Windows 10 keeps acquiring new security features that counter the exploitation of both RCE and LPE vulnerabilities; these features are exposed to applications through the kernel32!SetProcessMitigationPolicy API. In our last post we discussed the upgraded Kernel ASLR, which now covers not only loaded kernel-mode images but also critical data structures such as the working set list (WSL), the page directory and page tables, the PFN database, hyperspace, and more; all users received this feature with the Windows 10 Anniversary Update. We also looked at the Linux subsystem in Windows 10 in more detail. This time we will talk about the possible implementation of the Control Flow Guard (CFG) mitigation in kernel mode.

Alex Ionescu, a well-known Windows internals guru, mentioned on Twitter that the new Windows 10 Insider Preview build contains a kernel with the internal function ntoskrnl!MiInitializeKernelCfg. The function's name points to a possible implementation of CFG in kernel mode, although so far no other evidence for this hypothesis has been presented.

CFG protection ships with many system executables on Windows 8.1 and 10. For example, system processes such as Svchost, Services, Winlogon and Explorer are built with CFG support. CFG requires support from both the Windows image loader and the executable itself: the latter carries the CFG data in a dedicated directory referenced from the PE header.

Fig. The service manager on Windows 8.1+ has built-in support for CFG.
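To make the "dedicated directory in the PE header" concrete, here is an added example (not code from the original post) that reads the two markers the Windows loader looks at before enabling CFG for an image: the IMAGE_DLLCHARACTERISTICS_GUARD_CF bit in the optional header, and the GuardFlags field of the IMAGE_LOAD_CONFIG_DIRECTORY structure that data directory entry 10 (Load Configuration) points to. The constants and structure offsets are the documented ones from the PE format; the parser is written from scratch here and assumes a well-formed PE32 or PE32+ file. Because the example must run offline, `build_sample_image` constructs a minimal, deliberately non-loadable PE32+ byte string with one section, so the output below is for that constructed sample rather than for a real system binary.

```python
import struct
import sys

# Documented PE constants (winnt.h).
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def cfg_status(data):
    """Return the CFG markers of a PE image held in memory as bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off, guardflags_off = 108, 112, 144   # 64-bit layout
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off, guardflags_off = 92, 96, 88      # 32-bit layout
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    num_dirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    lc_rva = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        lc_rva = struct.unpack_from(
            "<I", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)[0]
    guard_flags = 0
    if lc_rva:
        sec_hdr = opt + opt_size
        sections = []
        for i in range(num_sections):
            vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_hdr + i * 40 + 8)
            sections.append((va, vsize, raw_ptr, raw_size))
        lc_off = rva_to_offset(lc_rva, sections)
        lc_size = struct.unpack_from("<I", data, lc_off)[0]    # the structure's own Size field
        if lc_size >= guardflags_off + 4:                        # GuardFlags only exists in newer structs
            guard_flags = struct.unpack_from("<I", data, lc_off + guardflags_off)[0]
    has_bit = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF)
    instrumented = bool(guard_flags & IMAGE_GUARD_CF_INSTRUMENTED)
    return {
        "guard_cf_dllcharacteristic": has_bit,
        "guard_flags": guard_flags,
        "cf_instrumented": instrumented,
        "function_table_present": bool(guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT),
        "cfg_enabled": has_bit and instrumented,   # both markers are required
    }


def build_sample_image(cfg_enabled):
    """Constructed, non-loadable PE32+ image with one section holding a load config struct."""
    e_lfanew, sect_va, sect_raw = 0x80, 0x1000, 0x400
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 16 * 8
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    dll_chars = IMAGE_DLLCHARACTERISTICS_GUARD_CF if cfg_enabled else 0
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 68 + struct.pack("<H", dll_chars)
    opt = opt.ljust(108, b"\0") + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] = (sect_va, 148)
    for rva, size in dirs:
        opt += struct.pack("<II", rva, size)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sect_va, 0x200, sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(sect_raw, b"\0")
    guard_flags = (IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) if cfg_enabled else 0
    load_config = struct.pack("<I", 148).ljust(144, b"\0") + struct.pack("<I", guard_flags)
    return headers + load_config.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Usage: python cfg_check.py <path to .exe/.dll/.sys>; with no argument, check the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(cfg_status(f.read()))
    else:
        for flag in (True, False):
            print("constructed sample cfg_enabled=%s ->" % flag, cfg_status(build_sample_image(flag)))
```

Both markers matter: a binary whose linker set the DllCharacteristics bit but whose load config lacks GuardFlags (or has an older, shorter structure) is not CFG-instrumented, which is why the parser checks the structure's own Size field before reading GuardFlags. Run against a real system binary, the same function reports whether the loader will see it as a CFG image.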

If this really is about implementing CFG in kernel mode, CFG-enabled system drivers may appear in new Windows builds. The new security feature would help Windows cope with LPE exploits that use various techniques to hijack control flow from a running driver.

Source: https://habr.com/ru/post/310346/
