Microsoft’s Control Flow Guard comes to Rust and LLVM compilers

Two popular compilers gained native support this month for Control Flow Guard (CFG), a powerful Windows security feature.

The two compilers are Clang (part of the larger LLVM umbrella compiler project) and rustc (the default compiler for the Rust programming language).

Going forward, Clang and rustc will be able to compile C and C++ source code into Windows binaries that natively take advantage of Windows CFG.

What is CFG?

CFG is a powerful security feature that Microsoft first added in Windows 8.1. The feature secures the execution flow of an application’s code, preventing malicious code (such as the result of memory bugs) from hijacking the native “control flow” and making the app take unwanted actions.

Until now, if a developer wanted their Windows application to tap into the Windows OS CFG protection, they needed to compile their C or C++ code using Microsoft Visual C++, the only popular code compiler that supported CFG.

However, in a blog post today, Microsoft said it worked with the LLVM and Rust teams to add CFG support to their respective compilers.

Starting with Clang 10.0 and Rust 1.47 (the current Nightly build), the two compilers can now also compile C/C++ projects into Windows apps that tap into the CFG feature to safeguard control flows from unauthorized tampering/exploitation attempts.
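A build-pipeline check for the feature described above, as an added example that is not from the original article or from Microsoft: it reads the `DllCharacteristics` field of a Windows PE header and tests the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit (0x4000), which a CFG-enabled link sets. The function names and the header-only sample image are constructed for illustration.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000  # image was linked with CFG support
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # DllCharacteristics sits at the same offset in PE32 and PE32+


def has_guard_cf(image: bytes) -> bool:
    """Return True if the PE optional header advertises Control Flow Guard."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF file header
    if opt_size < DLLCHAR_OFFSET + 2 or opt_off + DLLCHAR_OFFSET + 2 > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt_off + DLLCHAR_OFFSET)
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def sample_pe(dll_chars: int, magic: int = PE32_PLUS_MAGIC) -> bytes:
    """Constructed header-only image for the demo (not a loadable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_cfg.py build/*.exe build/*.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                state = "CFG enabled" if has_guard_cf(fh.read()) else "CFG missing"
            except ValueError as exc:
                state = f"skipped ({exc})"
        print(f"{path}: {state}")
```

The header bit only shows that the image was linked as CFG-aware; it says nothing about modules the process loads later, so each shipped EXE and DLL needs its own check.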

CFG protections coming to Chrome and Edge

The main driver for expanding CFG support to LLVM/Clang is, ironically, Chromium, the open-source browser at the base of Google Chrome, which is compiled using Clang.

First, Chromium is the base of the recently revamped Edge browser, and Microsoft will most likely want to enable CFG protections for the new Edge version, similar to all of its native apps.

Second, Chrome accounts for a huge 60% browser market share, and despite being a competitor, Chrome with CFG enabled is good news for everyone, including Microsoft and its userbase. Fewer successful attacks on Chrome also mean fewer attack escalations to the underlying OS, so protecting Chrome yields indirect benefits for Microsoft as well.

On the other hand, expanding CFG support to Rust was a no-brainer as well, since Microsoft made it official last summer that it would explore rewriting some Windows and Azure components in Rust, components for which the company would most likely want CFG enabled when they ship to production.

“Working with the LLVM and Rust open-source communities has been a very positive experience. We particularly thank those members of the communities who contributed to this work through design suggestions, code reviews, and other advice,” said Andrew Paverd, Senior Researcher at the Microsoft Security Response Center and Microsoft Research.

Expanding compiler support for CFG is only one of the many security efforts Microsoft is currently working on. Other new security features coming to Windows include Hardware-enforced Stack Protection and Kernel Data Protection.
