Control Flow Guard (CFG) was first released for Windows 8.1 Update 3 (KB3000850) in November 2014. Developers can add CFG to their programs by adding the /guard:cf linker flag before program linking in Visual Studio 2015 or newer.
As of Windows 10 Creators Update (Windows 10 version 1703), the Windows kernel is compiled with CFG.The Windows kernel uses Hyper-V to prevent malicious kernel code from overwriting the CFG bitmap.
CFG operates by creating a per-process bitmap, where a set bit indicates that the address is a valid destination. Before performing each indirect function call, the application checks if the destination address is in the bitmap. If the destination address is not in the bitmap, the program terminates.This makes it more difficult for an attacker to exploit a use-after-free by replacing an object's contents and then using an indirect function call to execute a payload.
Windows CFG是Control-Flow Integrity(CFI)的具体实现，该机制由Windows 8.1 Update 3 (KB3000850)开始引入，需编译器和操作系统相结合，目的在于防止不可靠间接调用。漏洞利用常常通过修改间接调用地址以劫持执行流，而CFG会于编译链接期间将程序所有间接调用地址记录在PE文件中，并在执行所有间接调用前增加校验，若间接调用地址被修改，则抛出异常。