NDSS2018

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

Andrea Biondo, Mauro Conti, Daniele Lain

Cited 24 times

Abstract

Attackers use memory corruption vulnerabilities to compromise systems by hijacking control flow towards attacker-controlled code. Over time, researchers have proposed several countermeasures, such as Address Space Layout Randomization, Write XOR Execute and Control Flow Integrity (CFI). CFI is one of the most promising solutions, forcing control flow to adhere to statically determined valid execution paths. To reduce the execution and storage overhead, practical CFI implementations enforce a coarser version of CFI. One of the most widely deployed implementations of CFI is the one proposed by Microsoft, named Control Flow Guard (CFG). CFG is currently in place on all Windows operating systems, from Windows 8.1 to the most recent update of Windows 10 (at the time of writing), accounting for more than 500 million machines. In this paper, we show a significant design vulnerability in Windows CFG and propose a specific attack to exploit it: the Back to The Epilogue (BATE) attack. We show that with BATE an attacker can completely evade CFG and transfer control to any location, thus obtaining arbitrary code execution. BATE leverages the tradeoff CFG makes between precision, performance, and backwards compatibility; in particular, the latter motivates 16-byte address granularity in some circumstances. This vulnerability, inherent to the CFG design, allows us to call portions of code (gadgets) that should not be allowed, and that we can chain together to escape CFG. These gadgets are very common: we ran a thorough evaluation of Windows system libraries and found many high-value targets: exploitable gadgets in code loaded by almost all applications on 32-bit systems and by web browsers on 64-bit systems. We also demonstrate the real-world feasibility of our attack by using it to build a remote code execution exploit against the Microsoft Edge web browser running on 64-bit Windows 10. Finally, we discuss possible countermeasures to BATE.
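The abstract's central point is that a call-target check with 16-byte granularity accepts addresses that a per-address check would reject. The following Python model, added here and not taken from the paper or from Microsoft's implementation, makes that precision gap concrete: it builds a simplified two-bits-per-chunk bitmap from a constructed set of valid targets, runs a coarse chunk-based check and an exact check over the same candidate addresses, and reports where the two disagree. The addresses, the chunk-state encoding and the function names are all assumptions of this model; the point it demonstrates is why a finer-grained validity check is the natural countermeasure.

```python
# Added example (not the paper's code): a simplified model of a 16-byte-granular
# indirect-call target check versus an exact per-address check.
# All addresses and the two-bit chunk encoding below are constructed for the model.

CHUNK_SHIFT = 4          # 16-byte granularity: chunk index = address >> 4
ALIGNED_ONLY = 1         # chunk contains a valid target only at its 16-byte-aligned start
ANY_ADDRESS = 3          # chunk contains an unaligned valid target, so the whole chunk is allowed


def build_bitmap(valid_targets):
    """Derive the per-chunk state from the set of valid call targets.

    A target that is not 16-byte aligned cannot be described at this granularity,
    so (in this model) its whole chunk is marked as allowing any address.
    """
    bitmap = {}
    for addr in valid_targets:
        chunk = addr >> CHUNK_SHIFT
        if addr & 0xF:
            bitmap[chunk] = ANY_ADDRESS          # unaligned target widens the chunk
        else:
            bitmap.setdefault(chunk, ALIGNED_ONLY)  # keep ANY_ADDRESS if already set
    return bitmap


def coarse_check(bitmap, target):
    """Chunk-granular check: the only information available is the chunk state."""
    state = bitmap.get(target >> CHUNK_SHIFT, 0)
    if state == ANY_ADDRESS:
        return True
    if state == ALIGNED_ONLY:
        return (target & 0xF) == 0
    return False


def precise_check(valid_targets, target):
    """Exact check: the target must be one of the recorded valid entry points."""
    return target in valid_targets


def over_approximated(valid_targets, candidates):
    """Return the candidates the coarse check accepts although they are not valid targets."""
    bitmap = build_bitmap(valid_targets)
    return sorted(t for t in candidates
                  if coarse_check(bitmap, t) and not precise_check(valid_targets, t))


# Constructed sample: three valid entry points, one of which (0x1034) is unaligned.
VALID_TARGETS = {0x1000, 0x1020, 0x1034}

# Constructed candidates: valid targets, neighbours in aligned-only chunks,
# neighbours in the widened chunk, and an address in an unmapped chunk.
CANDIDATES = [0x1000, 0x1008, 0x1020, 0x1030, 0x1034, 0x103B, 0x1040]


if __name__ == "__main__":
    bitmap = build_bitmap(VALID_TARGETS)
    for chunk, state in sorted(bitmap.items()):
        print(f"chunk {chunk:#x}: {'any address' if state == ANY_ADDRESS else 'aligned only'}")
    for t in CANDIDATES:
        print(f"{t:#06x} coarse={coarse_check(bitmap, t)} precise={precise_check(VALID_TARGETS, t)}")
    print("accepted by coarse check but not valid:",
          [hex(t) for t in over_approximated(VALID_TARGETS, CANDIDATES)])
```

Running the script shows that the chunk holding the unaligned target accepts every address inside it, so 0x1030 and 0x103B pass the coarse check while the exact check rejects them; addresses next to an aligned-only target (0x1008) and addresses in chunks with no target (0x1040) are rejected by both. The difference between the two checks is exactly the set a finer-grained validation scheme would have to close.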