Control Flow Guard (CFG) is used to help protect against memory corruption vulnerabilities in .NET software. We can implement Control Flow Guard in Visual Studio 2015 to help protect against these problems in Windows.
This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.
Implement Control Flow Guard (CFG)
The Control Flow Guard feature was added in Microsoft’s Visual Studio 2015 and works on both 32-bit and 64-bit versions of Windows that are CFG-aware: Windows 8.1 or newer on the client side and Windows Server 2012 R2 or newer on the server side. Code that has been compiled with CFG enabled will still run just fine on older versions of Windows, so compatibility isn’t a reason not to enable it.
CFG is a security feature which extends DEP and ASLR, and helps protect against memory corruption vulnerabilities by enforcing restrictions on where an application can execute code from. In doing so, bugs such as buffer overflows are more difficult for an attacker to exploit.
Usually, you don’t have to make any changes to your code to enable control flow guard; it’s as simple as enabling an option in your Visual Studio 2015 project. To enable CFG, select Project > Properties > Configuration Properties > C/C++ > Code Generation, and set Control Flow Guard to “Yes”.
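Once the option is set, it is worth confirming that the built binary is actually marked for CFG. The following is an added example, not part of the original post: it reads the DllCharacteristics field of the PE optional header and reports the CFG bit alongside the DEP and ASLR bits that CFG builds on. It checks the header flag only, and `build_sample` produces a constructed header for the demo rather than a loadable image.

```python
import struct
import sys

# DllCharacteristics bits defined in the PE/COFF specification
FLAGS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "DEP (NX_COMPAT)": 0x0100,
    "CFG (GUARD_CF)": 0x4000,
}

def mitigation_flags(pe: bytes) -> dict:
    """Return {mitigation: bool} read from the PE optional header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 + 72 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad signature or truncated header")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    return {name: bool(dll_chars & bit) for name, bit in FLAGS.items()}

def build_sample(dll_chars: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header (not a loadable image) for the demo."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Pass a path to a built .exe/.dll, or run with no arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample(0x4160)
    for name, on in mitigation_flags(data).items():
        print(f"{name:22} {'enabled' if on else 'MISSING'}")
```

A binary that reports CFG as missing after the project option was changed usually means the wrong configuration was built or an older object file was linked in, so rebuild and check again.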
For an in-depth look at control flow guard, I suggest checking out “Exploring Control Flow Guard in Windows 10” by Trend Micro, which I found to be quite an interesting read.
Summary
We can implement control flow guard by telling the compiler and linker to use it as part of our Visual Studio 2015 project. When you implement control flow guard you help protect your program from memory corruption vulnerabilities.