Extreme Flow Guard (xFG) and Kernel Data Protection (KDP) Coming to Windows 10
Data corruption attacks aren’t new, but hackers are stepping up their efforts to exploit Windows by corrupting data in memory to escalate privileges and install malicious code. Windows already has several protections against data corruption attacks, including code integrity, Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
In the Windows 10 May 2020 Update and future feature updates, Microsoft is refining existing protections and it is introducing a new one to improve security defenses.
Extreme Flow Guard
Control Flow Guard, or Control Flow Integrity (CFI) as it is sometimes known, has been around in Windows for a long time. But it isn’t considered to be very effective because Microsoft made a lot of concessions to maintain performance and compatibility with older applications. CFG is designed to protect against memory corruption vulnerabilities by restricting where applications can execute code from. While CFG is less than perfect, it has been able to stop some zero-day attacks on Windows 10.
Extreme Flow Guard (xFG) is a second attempt at CFG. xFG provides finer-grained CFI that is more efficient and compatible than CFG. Microsoft says that xFG reduces possible control transfer points by 100-1000 times. And while xFG isn’t perfect, it is an ‘extreme’ improvement over CFG, hence the name, I guess.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
xFG is based on CPU technology developed by Intel called Control-Flow Enforcement Technology (CET). Or more precisely, CET Shadow Stack Flow. The new Shadow Stack Pointer (SSP) register is used to change CPU calls and return instructions that store a copy of the return address and compare it with the one held in memory. A technical specification for CET has existed since 2016 but the technology will only be made available in forthcoming Tiger Lake CPUs.
According to TechRepublic’s Mary Branscombe, support for xFG is included in the Windows 10 May 2020 Update (version 2004) but it is turned off by default because there are no devices on the market yet that are compatible with xFG. Microsoft says that xFG will be an opt-in feature to avoid compatibility issues as Tiger Lake CPUs begin to appear later in 2020. Developers will need to enable a flag on apps and DLLs to mark them as compatible with CET. All Windows code and libraries are marked as CET-compatible.
Branscombe also writes that Windows might be able to run CET in a strict mode that would apply address checks to third-party DLLs called by apps marked CET-compatible. But because the hardware isn’t yet available for real-world testing, Microsoft hasn’t decided how strict mode would be applied in practice.
Kernel Data Protection
We’ve known that Kernel Data Protection (KDP) is coming to Windows 10 since 2019, but at the beginning of July Microsoft released the first technical details. KDP is a new feature in Windows 10 that is designed to prevent data corruption attacks that criminals use to target security policy, escalate privileges, tamper with security attestation, and modify data structures. KDP protects parts of the Windows kernel and drivers with the help of virtualization-based security (VBS).
VBS lets security features, like Windows Defender Device Guard and Credential Guard, operate with integrity even if the NT kernel is compromised. Windows Defender System Guard, which was introduced in the Windows 10 Fall Creators Update (version 1709), reorganizes critical system components to protect them using a hardware-based isolation container at boot time and continues to provide protection when Windows is running.
KDP is provisioned in Windows 10 as a set of APIs that are used to mark kernel memory as read-only. Marking kernel memory as read-only can stop attacks where signed but vulnerable drivers are used to change data structures and install malicious, unsigned drivers. Microsoft says that KDP can be used by Windows to protect kernel memory, inbox components like code integrity and the runtime attestation engine, security products, and by third-party drivers like anti-cheat and digital rights management (DRM) software. Additionally, there are some other benefits according to Microsoft’s blog post:
- Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
- Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
Static and dynamic KDP
KDP relies on Second Level Address Translation (SLAT), a hardware technology for lowering the overhead associated with virtualization. Windows 10 supports static and dynamic KDP. Static KDP lets software running in kernel mode statically protect a section of its own image from other entities running in VTL0, the normal NT kernel. Dynamic KDP helps kernel-mode software allocate and release read-only memory from a ‘secure pool’ that is managed by the secure kernel (VTL1).
Static and dynamic KDP can be used on any device that supports VBS. But VBS is turned off by default on most PCs because of the performance hit it creates. If you purchase a Secured-Core PC, then VBS is turned on by default and you will get KDP when it is released in a stable build of Windows 10. Currently, KDP is being tested in Insider preview builds.
For more information on Secured-Core PCs, check out Microsoft Secured-Core PCs to Protect Financial Services, Government, and Healthcare on Petri.
Microsoft is working on bringing VBS to everyone and enabling it by default. The plan is to reduce the performance and power impact of running a hypervisor on typical consumer hardware. VBS will bring the added benefit of enabling seamless integration of other features that rely on Hyper-V, like Windows Defender Application Guard, Windows Sandbox, Windows Subsystem for Linux 2, and more.
For more details on how Microsoft is improving VBS performance, see Windows 10 Virtualization-Based Security On By Default in Future Updates on Petri.