Control Flow Guard (CFG) is a platform security feature in Windows created to combat memory corruption vulnerabilities. CFG restricts where an application can transfer control through an indirect call: before such a call, the target address is checked against a bitmap of valid function entry points, which makes it much harder for an exploit to turn a vulnerability such as a buffer overflow into arbitrary code execution. Now, a group of researchers from the University of Padua in Italy have found a way to bypass Control Flow Guard. According to the researchers, they took advantage of a design flaw in CFG to call portions of code that CFG should not allow.
“The [control flow] restriction is precise only when the allowed targets are aligned to 16 bytes,” Biondo says. “If they are not, then there is a 16-byte imprecision around the target” that attackers can take advantage of to bypass CFG, he notes.
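The imprecision Biondo describes comes from how the CFG bitmap is encoded: it keeps 2 bits per 16-byte chunk of the address space, and an unaligned function entry can only be recorded as "everything in this chunk is a valid target". The following C program is an added example, not Microsoft's code or the researchers' code; it models that bitmap scheme for a hypothetical code region (the addresses, the region size and the function names such as `cfg_check_icall` are assumptions for illustration) and shows that a valid aligned target admits exactly one address while a valid unaligned target admits all 16 addresses around it, including the bytes before the function, where the previous function's epilogue sits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the CFG bitmap (added example, not Microsoft's code).
 * CFG keeps 2 bits per 16-byte chunk of the address space:
 *   00 -> no valid target in this chunk
 *   01 -> only the 16-byte-aligned start of the chunk is a valid target
 *   11 -> chunk contains an unaligned target, so every byte in it is accepted
 * Addresses here are offsets into a hypothetical code region, not real VAs. */

#define REGION_SIZE 0x10000u                 /* 64 KiB modeled code region */
#define CHUNK_SHIFT 4                        /* 16-byte granularity */
#define NCHUNKS (REGION_SIZE >> CHUNK_SHIFT)

static uint8_t cfg_bitmap[NCHUNKS / 4];      /* 2 bits per chunk, 4 chunks per byte */

static unsigned chunk_state(uint32_t addr) {
    uint32_t chunk = addr >> CHUNK_SHIFT;
    return (cfg_bitmap[chunk / 4] >> ((chunk % 4) * 2)) & 3u;
}

static void set_chunk_state(uint32_t addr, unsigned state) {
    uint32_t chunk = addr >> CHUNK_SHIFT;
    unsigned shift = (chunk % 4) * 2;
    cfg_bitmap[chunk / 4] &= (uint8_t)~(3u << shift);
    cfg_bitmap[chunk / 4] |= (uint8_t)((state & 3u) << shift);
}

/* What the compiler/loader records for each address-taken function:
 * an aligned entry gets state 01, an unaligned entry can only get state 11. */
void cfg_register_target(uint32_t func_addr) {
    set_chunk_state(func_addr, (func_addr & 0xF) == 0 ? 1u : 3u);
}

/* The check performed before an indirect call: 1 = target allowed. */
int cfg_check_icall(uint32_t target) {
    switch (chunk_state(target)) {
    case 1:  return (target & 0xF) == 0;   /* aligned entry only */
    case 3:  return 1;                     /* whole 16-byte window passes */
    default: return 0;
    }
}

/* How many distinct addresses in target's 16-byte window the check accepts. */
int cfg_allowed_in_window(uint32_t target) {
    uint32_t base = target & ~0xFu;
    int n = 0;
    for (uint32_t a = base; a < base + 16; a++)
        n += cfg_check_icall(a);
    return n;
}

void cfg_reset(void) { memset(cfg_bitmap, 0, sizeof cfg_bitmap); }

int main(void) {
    cfg_reset();
    /* Constructed layout: an aligned function at 0x1000 and an unaligned one
     * at 0x2008. Suppose 0x2000..0x2007 holds the tail of the previous
     * function, e.g. "add rsp, 0x28 ; pop rbx ; ret". That epilogue is not a
     * registered target, yet the check accepts it. */
    cfg_register_target(0x1000);
    cfg_register_target(0x2008);

    printf("0x1000 allowed: %d, 0x1004 allowed: %d, window: %d\n",
           cfg_check_icall(0x1000), cfg_check_icall(0x1004),
           cfg_allowed_in_window(0x1000));
    printf("0x2008 allowed: %d, 0x2000 (epilogue) allowed: %d, window: %d\n",
           cfg_check_icall(0x2008), cfg_check_icall(0x2000),
           cfg_allowed_in_window(0x2008));
    return 0;
}
```

The point of calling an epilogue is that its `ret` pops a return address from the stack, so an attacker who controls both the indirect-call target and some stack contents converts a CFG-checked call into an unchecked return; that is the idea behind the "Back to the Epilogue" name.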
The researchers have named this attack Back to the Epilogue (BATE). Microsoft is aware of the issue, and a fix is expected to ship as part of the upcoming Windows 10 RS4 release.
Learn more about this issue here.