├── LICENSE
├── README.md
├── android_mitigations.md
├── arm_mitigations.md
├── chrome_mitigations.md
├── dotnet_mitigations.md
├── edge_mitigations.md
├── firefox_mitigations.md
├── freebsd_mitigations.md
├── glibc_mitigations.md
├── img
    └── example.png
├── iphone_mitigations.md
├── linux_mitigations.md
├── office_mitigations.md
├── openbsd_mitigations.md
├── solaris_mitigations.md
└── windows_mitigations.md


/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2023 NCC Group
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Exploitation Mitigations
 2 | 
 3 | The goal is to list exploitation mitigations added over time in various operating systems, software, libraries or hardware. 
 4 | It becomes handy to know if a given vulnerability is easily exploitable or not depending on exploitation mitigations in place.
 5 | 
 6 | An example is the following:
 7 | 
 8 | ![](img/example.png)
 9 | 
10 | -------------------------------------------------------------------------------
11 | # Table of contents
12 | 
13 | * [Supported targets](#supported-targets)
14 | * [Motivations](#motivations)
15 | * [Does my current environment have mitigation X?](#does-my-current-environment-have-mitigation-x)
16 | * [Final words](#final-words)
17 | -------------------------------------------------------------------------------
18 | 
19 | # Supported targets
20 | 
21 | We currently support the following operating systems:
22 | 
23 | * [Microsoft Windows](windows_mitigations.md)
24 | * [Linux](linux_mitigations.md)
25 | * [Google Android](android_mitigations.md)
26 | * [Apple iPhone OS (iOS)](iphone_mitigations.md)
27 | * [OpenBSD](openbsd_mitigations.md)
28 | * [FreeBSD](freebsd_mitigations.md)
29 | * [Oracle Solaris](solaris_mitigations.md)
30 | 
31 | and the following software:
32 | 
33 | * [Mozilla Firefox](firefox_mitigations.md)
34 | * [Microsoft Edge](edge_mitigations.md)
35 | * [Google Chrome](chrome_mitigations.md)
36 | * [Microsoft Office](office_mitigations.md)
37 | 
38 | and the following libraries:
39 | 
40 | * [glibc](glibc_mitigations.md)
41 | * [Microsoft .NET Framework](dotnet_mitigations.md)
42 | 
43 | and the following hardware:
44 | 
45 | * [ARM](arm_mitigations.md)
46 | 
47 | # Motivations
48 | 
49 | It has become challenging to follow when certain mitigations are added in an update and/or backported to some older versions of various software and hardware.
50 | 
51 | Sometimes, online content becomes deprecated due to mitigation changes and it can be hard to keep up. Also, it is easy to forget after a short time if you don't work on a specific software/hardware.
52 | 
53 | We have been filling this gap by tracking all the mitigations in summary tables that hold the mitigations names and linking to online references to get technical information about them.
54 | 
55 | The shared information has demonstrated to be useful for several years to exploit developers.
56 | 
57 | # Does my current environment have mitigation X?
58 | 
59 | This is a common question any exploit developer may have when trying to develop an exploit for a given target. 
60 | 
61 | E.g. let's say you want to exploit a Windows kernel driver on Windows 7 x64 containing a kernel NULL pointer dereference bug. Is it exploitable?
62 | 
63 | Checking our table, we read the "NULL page mitigation" was introduced in "Windows 8 32-bit/64-bit and backported to Vista+ 64-bit". Now we know it depends if our target Windows 7 x64 is up-to-date or not, more precisely, we can focus on figuring out which KB introduces this mitigation and check our target against that KB!
64 | 
65 | # Final words
66 | 
67 | We do accept pull requests so feel free to do so :)
68 | 
69 | We do have other targets in our private pipeline too so reach out if you are interested in another particular one :)
70 | 


--------------------------------------------------------------------------------
/android_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all Android versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | 2.3 |	Binaries compiled with non-executable stack and heap | [26][26] |
 6 | | 2.3 |	Stack ramdomized |	? |
 7 | | 4.0 |	Libraries randomized |	? |
 8 | | 4.0.2 |	Heap randomized | ? |
 9 | | unknown | Executables randomized | [24][24] |
10 | | 4.1 |	default umask 0077 | ? |
11 | | 4.1 |	Linker randomised |	? |
12 | | 4.1 |	isolatedProcess introduction |	? |
13 | | 4.1.1 |	mmap_min_addr increased to 32768 	| ? |
14 | | 4.1.1 |	/proc/kallsyms not available. kptr_restrict to control it. | [9][9] [10][10] [11][11] |
15 | | 4.3 |	SELinux in permissive mode |	? |
16 | | 4.3 |	deletion of setuid/setgid binaries |	? |
17 | | 4.3 |	deletion of Linux capabilities in dans zygote/adbd | ? |
18 | | 4.4 |	SELinux in enforcing mode to crucial domains |	? |
19 | | 5.0 |	SELinux in enforcing mode to all domains |	[12][12] |
20 | | 6.x? |	isolatedApplicationData | [13][13] |
21 | | 6.x? |	preventAppDataExecution | [1][1] |
22 | | N |	UndefinedBehaviorSanitizer (UBSan) allowing Integer Overflow Sanitization (IntSan) in media stack 	| [2][2] [3][3] |
23 | | N |	mediaserver containment / some media services are in their individual service processes (sandboxed) |	[4][4] [5][5] |
24 | | ? |	trustzone |	[6][6] |
25 | | O |	Privileged Access Never (PAN) emulation |	[7][7] [8][8] |
26 | | O |	Hardened usercopy (w/o whitelist) |	[7][7] [8][8] |
27 | | O |	Post-init read-only memory (__ro_after_init) |	[7][7] [8][8] |
28 | | O |	Kernel Address Space Layout Randomization (KASLR) |	[8][8] |
29 | | O |	media service processes converted into HALs |	[5][5] [15][15] |
30 | | O |	SECURE_DELETE on SQLite databases |	[16][16] |
31 | | O |	Control Flow Integrity (CFI) in select components |	[3][3] |
32 | | P |	Control Flow Integrity (CFI) in more components by default (media framework, NFC, Bluetooth) 	| [3][3] [17][17] [5][5] |
33 | | P |	Kernel Control Flow Integrity (kCFI) into Android common kernel |	[3][3] [14][14] |
34 | | P |	Integer Overflow Sanitization (IntSan) in more libraries (libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, libreverbwrapper) and reduced performance overhead by 75% |	[3][3] |
35 | | 10 |	software media codecs moved into constrained sandbox in system service (mediaswcodec sandbox, based on SELinux and seccomp, no access to device drivers) |	[5][5] |
36 | | 10 |	LLVM's bound sanitizer (BoundSan) to fail safely when array's overflow, at compile time, enabled on 11 media codecs and Bluetooth's stack |	[5][5] |
37 | | 10 |	Integer Overflow Sanitization (IntSan) to fail safely when integer overflow, at compile time in all media framework |	[5][5] |
38 | | 10 |	LLVM's Shadow Call Stack (SCS) to protect return addresses (x18 register) in Bluetooth stack and some parts of the kernel |	[5][5] |
39 | | 10 |	eXecute-Only Memory (XOM) makes code unreadable for Aarch64, ARMv8.2+ and Linux 4.9+ devices |	[5][5]
40 | | 10 |	Scudo Hardened Allocator (resilience against UAF, double-frees, BOF, heap sprays) enabled in media extractors and codecs  | [5][5] |
41 | | unknown | Stack Protector Strong | [18][18] |
42 | | unknown | RELRO/NOW | [19][19] [22][22] [23][23] |
43 | | unknown | -Wl,--fatal-warnings and -Wl,--warn-shared-textrel | [20][20] | 
44 | | unknown | -D_FORTIFY_SOURCE | [21][21] |
45 | | unknown | -Werror=format-security | [25][25] |
46 | | 11 | DebugFS not present in kernel config | [27] [28] |
47 | 
48 | [1]: https://android-review.googlesource.com/#/c/169950/
49 | [2]: http://android-developers.blogspot.co.uk/2016/05/hardening-media-stack.html
50 | [3]: https://android-developers.googleblog.com/2018/06/compiler-based-security-mitigations-in.html
51 | [4]: http://android-developers.blogspot.co.uk/2016/05/hardening-media-stack.html
52 | [5]: https://android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html
53 | [6]: http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/
54 | [7]: https://twitter.com/CopperheadOS/status/900151927610232832
55 | [8]: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html
56 | [9]: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=455cd5ab305c90ffc422dd2e0fb634730942b257
57 | [10]: http://insitusec.blogspot.co.uk/2013/01/kallsyms-on-android.html
58 | [11]: https://www.duosecurity.com/blog/exploit-mitigations-in-android-jelly-bean-4-1
59 | [12]: http://source.android.com/devices/tech/security/selinux/index.html
60 | [13]: https://android-review.googlesource.com/#/c/171970/
61 | [14]: https://android-review.googlesource.com/q/topic:android-4.14-cfi
62 | [15]: https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
63 | [16]: https://twitter.com/CopperheadOS/status/900206828683964417
64 | [17]: https://android.googlesource.com/platform/build/+/e003a0a6cec52c2a8bd561673509f3a34bc5c052/target/product/cfi-common.mk
65 | [18]: https://android.googlesource.com/platform/build/+/8765b1035f813be2c26988a73cf3e9815aa5adf6
66 | [19]: https://android.googlesource.com/platform/build/+/45545761d20e1eab324b8ce302afceb9c440c2a3
67 | [20]: https://android.googlesource.com/platform/build/+/46ed4aa58b9674aadf75b4c35d0394831bbe6bad
68 | [21]: https://android-developers.googleblog.com/2017/04/fortify-in-android.html
69 | [22]: https://android.googlesource.com/platform/build/+/ecb1a565849b40ab7aa45b7fe71e24e29a059376
70 | [23]: https://android.googlesource.com/platform/build/+/233d460f21d372f964f8078b8b0d5fd17af7c6b6
71 | [24]: https://android.googlesource.com/platform/build/+/026a85b129e4540a4d8d40aace47aa0c69f609da
72 | [25]: https://android.googlesource.com/platform/build/+/d868cad8284730bd902a354a984dc57c870802fc
73 | [26]: https://android.googlesource.com/platform/build/+/2915cc3e323a9bf86e1a20b201ceb4e9529bc5a2
74 | [27]: https://twitter.com/jeffvanderstoep/status/1430824324261466115
75 | [28]: https://source.android.com/setup/start/android-11-release#debugfs


--------------------------------------------------------------------------------
/arm_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in the ARM architecture.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | Armv7-A |	Privileged Execute Never (PXN) (ARM's version of SMEP) | ? |
 6 | | Armv8.1-A | Privileged Access Never (PAN) (ARM's version of SMAP) |	 [7] |
 7 | | Armv8.3-A | Pointer Authentication (ensure function returns to expected location) | [1] [2] [3] [4] |
 8 | | Armv8.5-A (2018) | Memory Tagging | [5] [6] |
 9 | | Armv8.5-A (2018) | Branch Target Indicators (BTI) (CFI-like feature) | [5] |
10 | | Aarch64 and multiple gcc versions (2023) | GCC's -fstack-protector failed to guard dynamically-sized local variables | [8] [9] |
11 | 
12 | [1]: https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a
13 | [2]: https://twitter.com/WillDeacon/status/1077940843879849986?s=03
14 | [3]: https://twitter.com/jfbastien/status/1187480501017165826
15 | [4]: https://github.com/apple/llvm-project/pull/14
16 | [5]: https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a
17 | [6]: https://en.wikichip.org/wiki/arm/mte
18 | [7]: https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/the-armv8-a-architecture-and-its-ongoing-development
19 | [8]: https://mastodon.social/@Azeria/111053168811826637
20 | [9]: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
21 | 
22 | 


--------------------------------------------------------------------------------
/chrome_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all Chrome versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | Chrome ? Linux/Android 2016 | CFI | [1] |
 6 | | Chrome ? Windows 2020 | CFG | [2] [3] [8] |
 7 | | Chrome ? Windows | Sandbox forced image address load randomization | [3] |
 8 | | Chrome ? Windows | Sandbox win32k.sys lockdown | [3] |
 9 | | Chrome ? Windows | Sandbox non-system font restriction | [3] |
10 | | Chrome ? Windows | Sandbox site isolation | [3] [7] |
11 | | Chrome ? Windows | Sandbox bottom-up ASLR | [3] |
12 | | Chrome ? Windows | Sandbox high entropy ASLR | [3] |
13 | | Chrome ? Windows | Sandbox strict handle checks | [3] |
14 | | Chrome ? Windows | Sandbox low box token | [3] |
15 | | Chrome 90 Windows | Hardware-enforced Stack Protection using Control-flow Enforcement Technology (CET) | [3] [4] [5] |
16 | | Chrome ? | site isolation | ? |
17 | | Chrome ? | Automatic stock variable initialization | ? |
18 | | Chrome ? | V8 Heap Sandbox aka Ubercage | [6] |
19 | 
20 | 
21 | [1]: https://www.chromium.org/developers/testing/control-flow-integrity
22 | [2]: https://bugs.chromium.org/p/chromium/issues/detail?id=584575 
23 | [3]: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/design/sandbox.md#Process-mitigation-policies
24 | [4]: https://twitter.com/arw/status/1389632865852293123
25 | [5]: https://security.googleblog.com/2021/05/enabling-hardware-enforced-stack.html
26 | [6]: https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit
27 | [7]: https://security.googleblog.com/2021/07/protecting-more-with-site-isolation.html
28 | [8]: https://twitter.com/JosephBialek/status/1461480508894765058


--------------------------------------------------------------------------------
/dotnet_mitigations.md:
--------------------------------------------------------------------------------
1 | We list mitigations added in all Microsoft .NET framework versions.
2 | 
3 | | Version (and date) | Mitigation | References |
4 | |--------------------|------------|------------------------------------------|
5 | | MS12-035 | check the type being set during the ISerializable.GetObjectData call is in an assembly signed with the same public key (avoid partial trust abusing round-trip serialization) | [1] |
6 | 
7 | 
8 | [1]: https://web.archive.org/web/20210206071224/https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf


--------------------------------------------------------------------------------
/edge_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all Edge versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | Edge XXX in Windows 10 1511 |	Code Integrity Guard (CIG) introduced |	[1][1] |
 6 | | Edge XXX in Windows 10 1607 |	CIG feature: Preventing child process creation | [2][2] |
 7 | | Edge XXX in Windows 10 Creators Update | CIG feature: Enabling the CIG policy sooner | [2][2] |
 8 | | Edge XXX in Windows 10 ??? | Arbitrary Code Guard (ACG) introduced |	[2][2] |
 9 | | Edge XXX in Windows 10 Insider Preview Build 16188 | Hypervisor Isolation of Edge | [3][3] [4][4] |
10 | | Edge 76.0.155.0 (Canary) in Windows 10 ??? | Super Duper Secure Mode | [5] |
11 | 
12 | [1]: https://blog.mozilla.org/futurereleases/2016/12/21/update-on-multi-process-firefox/
13 | [2]: https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
14 | [3]: https://twitter.com/dwizzzleMSFT/status/860179443871997953
15 | [4]: https://blogs.windows.com/windowsexperience/2017/05/04/announcing-windows-10-insider-preview-build-16188-pc-build-15210-mobile/
16 | [5]: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/
17 | 


--------------------------------------------------------------------------------
/firefox_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all Firefox versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | Firefox 50 (Windows only) | Sandboxing | [1][1] |
 6 | | Firefox >= 56 | (some) Portions of Firefox are written in Rust (Oxidation Project) | [2][2] |
 7 | | Firefox Nightly only | Site Isolation/Sandboxing (Fission Project) (Not complete) | [3][3] |
 8 | 
 9 | [1]: https://blog.mozilla.org/futurereleases/2016/12/21/update-on-multi-process-firefox/
10 | [2]: https://wiki.mozilla.org/Oxidation
11 | [3]: https://wiki.mozilla.org/Project_Fission


--------------------------------------------------------------------------------
/freebsd_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all FreeBSD versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | ? | Address Space Layout Randomization (ASLR) | [1][1] [2][2] [3][3] |
 6 | | ? | Intel SMAP/SMEP | [4][4] |
 7 | 
 8 | [1]: https://twitter.com/FreeBSDHelp/status/1094793775941992448
 9 | [2]: https://svnweb.freebsd.org/base?view=revision&revision=343964
10 | [3]: https://svnweb.freebsd.org/base?view=revision&revision=344121
11 | [4]: https://wiki.freebsd.org/SummerOfCode2014/IntelSMAPandKernelPatching


--------------------------------------------------------------------------------
/glibc_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in glibc.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | glibc 2.5 | Introduce PTR_MANGLE to prevent atext() and setjmp() overwrites | [1][1] |
 6 | | glibc 2.18 | Harden against PTR_MANGLE bypass in static executables | [2][2] |
 7 | | glibc 2.22.90 | Harden against LD_POINTER_GUARD bypass in dynamically linked setuid binaries | [3][3] |
 8 | | glibc 2.24 | Place libio vtables in a static read-only range that can be checked before execution |	[4][4] [5][5] [6][6] |
 9 | | glibc 2.32 | safe-linking for tcache and fastbin | [9][9] [11][11] |
10 | | glibc 2.34 | improvment for safe-linking for tcache | [7][7] [8][8] [10][10] [12][12] |
11 | 
12 | [1]: https://www.sourceware.org/ml/libc-hacker/2005-12/msg00025.html
13 | [2]: http://hmarco.org/bugs/CVE-2013-4788.html
14 | [3]: http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
15 | [4]: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51;hp=64ba17317dc9343f0958755ad04af71ec3da637b
16 | [5]: https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/
17 | [6]: https://www.coresecurity.com/blog/sapcar-heap-buffer-overflow-crash-exploit
18 | [7]: https://twitter.com/CarlosODonell/status/1412934369774276609
19 | [8]: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc859c304898a5ec72e0ba5269ed136ed0ea10e1
20 | [9]: https://research.checkpoint.com/2020/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/
21 | [10]: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
22 | [11]: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41
23 | [12]: https://twitter.com/EyalItkin/status/1413057188269109254


--------------------------------------------------------------------------------
/img/example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/exploit_mitigations/d110216dd090956b5d801c8b5a03fe36afd5fc8c/img/example.png


--------------------------------------------------------------------------------
/iphone_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all iPhone versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | at least up to iPhone X |	no ASLR in BootROM/iBoot (this is not a mitigation but worth mentioning) | [1][1] [2][2] |
 6 | | at least up to iPhone X |	UNSECURE_MEMORY at a static address in BootROM/iBoot (this is not a mitigation but worth mentioning) | [2][2] |
 7 | | A9X i.e. >= iPad Pro, iPad 6th generation, iPhone 7 | W^X in BootROM/iBoot | [3][3] [4][4] |
 8 | | ? | ARMv8.3-PAuth | [5][5] [6][6] |
 9 | 
10 | [1]: https://twitter.com/alisaesage/status/1193267324242915328
11 | [2]: http://re.alisa.sh/notes/iBoot-address-space.html
12 | [3]: https://github.com/nccgroup/exploit_mitigations/issues/1
13 | [4]: https://www.theiphonewiki.com/wiki/Application_Processor#S8001_Apple_A9X
14 | [5]: https://twitter.com/matteyeux/status/1410500155204329473
15 | [6]: https://github.com/matteyeux/darwin-xnu/blob/master/doc/vmapple_pac.md


--------------------------------------------------------------------------------
/linux_mitigations.md:
--------------------------------------------------------------------------------
  1 | We list mitigations added in all Linux versions.
  2 | 
  3 | | Version (and date) | Mitigation | References |
  4 | |--------------------|------------|------------------------------------------|
  5 | | (optional patch) | grsecurity/PaX | [1] [2] |
  6 | | Linux ? (2013) | remove %n support in vsprintf() | [61] [62] |
  7 | | Linux 2.4.21-rc1 | Exec-Shield | [3] |
  8 | | Linux 2.6.8 |	Non-Executable Memory (NX) / DEP | [4] |
  9 | | Linux 2.6.12 | kernel.randomize_va_space. Address Space Layout Randomization (ASLR). | [5] |
 10 | | Linux 2.6.12 for i386 / Linux 2.6.23 for x86_64 | virtual syscalls (vsyscall) replaced by virtual Dynamic Shared Object (vDSO) | [72] |
 11 | | Linux 2.6.23 | (ineffective until 2019) 	kernel.mmap_min_addr. NULL page mitigation. Ineffective and easily bypassable (CVE-2019-9213) until 2019. | [6] [7] [8] |
 12 | | Linux 2.6.28 | kernel.kptr_restrict | [9] [10] [11] |
 13 | | Linux 2.6.37 | kernel.dmesg_restrict | [12] [13] [14] |
 14 | | Linux 3.0 + hardware needs support (>= Ivy Bridge architecture) |	Supervisor Mode Execution Prevention (SMEP) for x86 / x86_64 architectures. | [15] [16] [17] [18] |
 15 | | Linux 3.7 + hardware needs support | Supervisor Mode Access Prevention (SMAP) for x86 / x86_64 architectures. | [19] [20] |
 16 | | Linux 3.7 + hardware needs support | PXN (Privileged Execute-Never). Effectively SMEP (Supervisor Mode Execution Prevention) for ARM architectures. | [21] [22] [23] |
 17 | | Linux 3.14 (supported, but not enabled by default until kernel 4.12) | Kernel ASLR (KASLR) | [24] [25] |
 18 | | >= clang 3.7 |	Control Flow Integrity (CFI) | [26] |
 19 | | Linux 4.0 (optional kernel module) | Linux Kernel Runtime Guard (LKRG). Loadable kernel module that performs runtime integrity checking. | [27] |
 20 | | Linux 4.0 | pagemap: do not leak physical addresses to non-privileged userspace | [91] | 
 21 | | Linux 4.3 + hardware needs support | PAN (Privileged Access Never). Effectively SMAP (Supervisor Mode Access Prevention) for ARM architectures. | [28] |
 22 | | Linux 4.4 | kmem accounting (SLAB_ACCOUNT) added to cred_jar cache | [93] |
 23 | | Linux 4.8 | CONFIG_SLAB_FREELIST_RANDOM - freelist order randomized during initialization of a new slab (new set of pages for that region) | [83] [85] [93] |
 24 | | Linux 4.11 | CONFIG_STATIC_USERMODEHELPER - prevents the overwrite of `modprobe_path` (read-only) | [79][92] |
 25 | | Linux 4.11 | structleak plugin enforcing __user annotated struct zeroing | [92] |
 26 | | Linux 4.13 | Compile-time and run-time protectino for finding overflows (CONFIG_FORTIFY_SOURCE) | [29] |
 27 | | Linux 4.13 | Forced NULL-prefixed stack canary on 64-bit | [29] |
 28 | | Linux 4.13 | randomized structure layout (manual mode only) (randstruct gcc plugin) | [29] |
 29 | | Linux 4.13 | lower ELF_ET_DYN_BASE (32-bit only) | [29] |
 30 | | Linux 4.13 | kill iovec exploitation trick | [86] [87] [88] |
 31 | | Linux 4.14 | CONFIG_SLAB_FREELIST_HARDENED - encoded freelist next pointers | [84] |
 32 | | Linux 4.14 (optional patch) | Kernel Address Isolation to have Side-channels Efficiently Removed (KAISER) | [30] [31] |
 33 | | Linux 4.15 | Kernel Page Table Isolation (KPTI or PTI) (formerly KAISER) | [32] [33] [34] [35] |
 34 | | Linux 4.4.144 | Spectre v1 fix | [36] [37] [38] |
 35 | | Linux ? | hardened usercopy (CONFIG_HARDENED_USERCOPY) | [79] [93] |
 36 | | Linux 4.16 | usercopy hardened for info leaks (CONFIG_HARDENED_USERCOPY with useroffset and usersize) | [93] |
 37 | | Linux 4.16 | special-purpose caches matching sizes of general-purpose caches not mergeable with them when kmem accounting (SLAB_ACCOUNT) used for these special-purpose caches. NOTE: From 5.9 and before 5.14, kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches again mergeable with other special-purpose caches. | [93] [94] |
 38 | | Linux 4.18 | allocation overflow detection helpers | [39] [40] |
 39 | | Linux 4.18 | Removing open-coded multiplication from memory allocation arguments | [41] [40] |
 40 | | Linux 5.1 | CR4 Pinning. Prevents modification of sensitive CR4 bits, preventing SMEP/SMAP bypass via native_write_cr4. | [42] [43] |
 41 | | Linux 5.3 | Heap auto initialization | [44] [45] |
 42 | | Linux 5.4 | PAC on arm64: return address signing | [46] [47] |
 43 | | Linux 5.4 | Lockdown module | [63] [64] [65] |
 44 | | Linux 5.4 | Automatically mitigate X86_BUG_ITLB_MULTIHIT (iTLB Multihit) | [66] [67] [68] |
 45 | | Linux 5.4 | Mitigate TSX Async Abort | [67] [69] [70] [71] |
 46 | | Linux ? | kernel stack base offset randomization | [50] [51] |
 47 | | Linux 5.7 | SLAB free pointer moved to middle of object | | [89][89] [90][90]
 48 | | Linux 5.9 | seccomp user_notif file descriptor injection | [52] [53] |
 49 | | Linux 5.9 | zero-initialize stack variables with Clang | [52] [53] |
 50 | | Linux 5.9 | common syscall entry/exit routines | [52] [53] |
 51 | | Linux 5.9 | SLAB kfree() hardening | [52] [53] |
 52 | | Linux 5.9 | new CAP_CHECKPOINT_RESTORE capability | [52] [53] |
 53 | | Linux 5.9 | debugfs boot-time visibility restriction | [52] [53] |
 54 | | Linux 5.9 | more seccomp architecture support | [52] [53] |
 55 | | Linux 5.9 | new tasklet API | [52] [53] |
 56 | | Linux 5.9 | x86 FSGSBASE implementation | [52] [53] |
 57 | | Linux 5.9 | filter x86 MSR writes | [52] [53] |
 58 | | Linux 5.9 | uninitialized_var() macro removed | [52] [53] |
 59 | | Linux 5.9 | function pointer cast removals | [52] [53] |
 60 | | Linux 5.9 | flexible array conversions | [52] [53] |
 61 | | Linux 5.9 | (regression) kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches mergeable (again) with other special-purpose caches. | [93] [94] |
 62 | | Linux ? | Linux Kernel Runtime Guard (LKRG) | [54] [55] [73] [74] [75] |
 63 | | Linux XXX | vm.unprivileged_userfaultfd / userfaultfd() forbidden to unprivileged users | [81] [82] |
 64 | | Linux 5.11 | vm.unprivileged_userfaultfd / userfaultfd() restrict unprivileged users to handle faults in user space | [77] [80] |
 65 | | Linux 5.13 | randomize #kernel stack offset each syscall | [56] [57] |
 66 | | Linux 5.13 | /dev/kmem removed entirely | [58] [59] [60] |
 67 | | Linux 5.14 | kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches not mergeable (again) with other special-purpose caches. | [93] [94] |
 68 | | Linux TDB | Function Granular KASLR (FGKASLR) |[48] [49] [76] [78] [89] |
 69 | | Linux XXX | SLAB_RANDOM (or slab_rand?) | XXX |
 70 | | Linux XXX | SLAB_HARDENED | XXX |
 71 | | Linux XXX | CONFIG_SLAB_MERGE_DEFAULT | XXX |
 72 | | Linux XXX | CONFIG_SHUFFLE_PAGE_ALLOCATOR | XXX |
 73 | | Linux TDB | Randomized slab caches for kmalloc() | [95] |
 74 | | Ubuntu 24.04 | Unprivileged user namespace restrictions | [96] [97] |
 75 | 
 76 | [1]: https://grsecurity.net/
 77 | [2]: https://github.com/hardenedlinux/hardenedlinux_profiles
 78 | [3]: http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield
 79 | [4]: https://lwn.net/Articles/422487/
 80 | [5]: https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
 81 | [6]: https://wiki.debian.org/mmap_min_addr
 82 | [7]: https://lwn.net/Articles/342330/
 83 | [8]: https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
 84 | [9]: https://marc.info/?l=linux-kernel&m=129306980917336&w=2
 85 | [10]: https://sysctl-explorer.net/kernel/kptr_restrict/
 86 | [11]: https://wiki.archlinux.org/index.php/Security#Restricting_access_to_kernel_pointers_in_the_proc_filesystem
 87 | [12]: https://marc.info/?l=linux-kernel&m=128943183202231&w=2
 88 | [13]: https://wiki.archlinux.org/index.php/Security#Restricting_access_to_kernel_logs
 89 | [14]: https://www.cyberciti.biz/faq/how-to-prevent-unprivileged-users-from-viewing-dmesg-command-output-on-linux/
 90 | [15]: https://xairy.github.io/blog/2016/cve-2016-2384
 91 | [16]: https://web.archive.org/web/20160803075007/https://www.ncsi.com/nsatc11/presentations/wednesday/emerging_technologies/fischer.pdf
 92 | [17]: http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
 93 | [18]: https://patents.google.com/patent/US20150199198A1/en
 94 | [19]: https://xairy.github.io/blog/2016/cve-2016-2384
 95 | [20]: https://lwn.net/Articles/517251/
 96 | [21]: https://grsecurity.net/recent_arm_security_improvements
 97 | [22]: https://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/
 98 | [23]: https://patchwork.kernel.org/patch/5151581/
 99 | [24]: https://lwn.net/Articles/569635/
100 | [25]: https://lwn.net/Articles/444556/
101 | [26]: https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/
102 | [27]: https://www.openwall.com/lkrg/
103 | [28]: https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/the-armv8-a-architecture-and-its-ongoing-development
104 | [29]: https://outflux.net/blog/archives/2017/09/05/security-things-in-linux-v4-13/
105 | [30]: https://github.com/IAIK/KAISER
106 | [31]: https://lwn.net/Articles/738975/
107 | [32]: https://outflux.net/blog/archives/2018/01/04/smep-emulation-in-pti/
108 | [33]: https://outflux.net/blog/archives/2018/02/05/security-things-in-linux-v4-15/
109 | [34]: https://lwn.net/Articles/741878/
110 | [35]: https://lwn.net/Articles/752621/
111 | [36]: https://twitter.com/grsecurity/status/998892187185221635
112 | [37]: https://twitter.com/grsecurity/status/1022068465434279937
113 | [38]: https://www.spinics.net/lists/stable/msg214223.html
114 | [39]: https://twitter.com/kees_cook/status/1031722563267977216
115 | [40]: https://outflux.net/blog/archives/2018/08/20/security-things-in-linux-v4-18/
116 | [41]: https://twitter.com/kees_cook/status/1031722563267977216
117 | [42]: https://www.phoronix.com/scan.php?page=news_item&px=Linux-Protect-Special-CR4-Bits
118 | [43]: https://www.openwall.com/lists/kernel-hardening/2019/02/26/1
119 | [44]: https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
120 | [45]: https://twitter.com/kees_cook/status/1195154558126903297
121 | [46]: https://lwn.net/ml/linux-arm-kernel/1571300065-10236-1-git-send-email-amit.kachhap@arm.com/
122 | [47]: https://twitter.com/_trou_/status/1196768017222373378
123 | [48]: https://lore.kernel.org/kernel-hardening/20200205223950.1212394-1-kristen@linux.intel.com/
124 | [49]: https://twitter.com/kees_cook/status/1225316867956301826
125 | [50]: https://twitter.com/kees_cook/status/1242551634934116352
126 | [51]: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/T/#md9206ba41595ae0f8c56f6b319d68580a9f3d804
127 | [52]: https://twitter.com/kees_cook/status/1379215650887901190
128 | [53]: https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/
129 | [54]: https://twitter.com/Openwall/status/1381707683351441412
130 | [55]: https://www.openwall.com/lists/announce/2021/04/12/1
131 | [56]: https://twitter.com/kernellogger/status/1387065275376410628
132 | [57]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eea2647e74cd7bd5d04861ce55fa502de165de14
133 | [58]: https://twitter.com/kernellogger/status/1392107920410742785
134 | [59]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bbcd53c960713507ae764bf81970651b5577b95a
135 | [60]: https://lwn.net/Articles/851531/
136 | [61]: https://twitter.com/kees_cook/status/1407145810823835649
137 | [62]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9196436ab2f713b823a2ba2024cb69f40b2f54a5
138 | [63]: https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/
139 | [64]: https://thenewstack.io/linux-kernel-finally-gets-its-lockdown/
140 | [65]: https://mjg59.dreamwidth.org/55105.html
141 | [66]: https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-bonito-4.9-android10/Documentation/hw-vuln/multihit.rst
142 | [67]: https://www.phoronix.com/scan.php?page=news_item&px=iITLB-Multihit-TAA-Kernel-Code
143 | [68]: https://www.kernel.org/doc/html/v5.4/admin-guide/hw-vuln/multihit.html
144 | [69]: https://www.kernel.org/doc/html/v5.4/admin-guide/hw-vuln/tsx_async_abort.html
145 | [70]: https://access.redhat.com/articles/tsx-asynchronousabort
146 | [71]: https://seclists.org/oss-sec/2019/q4/67
147 | [72]: https://blog.linuxplumbersconf.org/2016/ocw/system/presentations/3711/original/LPC_vDSO.pdf
148 | [73]: https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
149 | [74]: https://github.com/openwall/lkrg
150 | [75]: https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf
151 | [76]: https://lwn.net/Articles/824307/
152 | [77]: https://kernelnewbies.org/Linux_5.11#Core_.28various.29
153 | [78]: https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.16-Preps-For-FGKASLR
154 | [79]: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html
155 | [80]: https://lwn.net/Articles/819834/
156 | [81]: https://patchwork.kernel.org/project/linux-fsdevel/patch/20190319030722.12441-2-peterx@redhat.com/#22602327
157 | [82]: https://www.kernel.org/doc/Documentation/sysctl/vm.txt
158 | [83]: https://mxatone.medium.com/randomizing-the-linux-kernel-heap-freelists-b899bb99c767
159 | [84]: https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
160 | [85]: https://lwn.net/Articles/685047/
161 | [86]: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
162 | [87]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09fc68dc66f7597bdc8898c991609a48f061bed5
163 | [88]: https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
164 | [89]: https://lore.kernel.org/linux-mm/202003051624.AAAC9AECC@keescook/t/
165 | [90]: https://www.willsroot.io/2022/01/cve-2022-0185.html
166 | [91]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce
167 | [92]: https://outflux.net/blog/archives/2017/05/02/security-things-in-linux-v4-11/
168 | [93]: https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022
169 | [94]: http://twitter.com/andreyknvl/status/1534622298593951746
170 | [95]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c6152940584290668b35fa0800026f6a1ae05fe
171 | [96]: https://x.com/andreyknvl/status/1792301207651783021
172 | [97]: https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890
173 | 


--------------------------------------------------------------------------------
/office_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all Microsoft Office versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | ? |	Protected View | ? |
 6 | | Office 2016 (version ?) |	Flash, Silverlight, and Shockwave controls blocked by default |	[1][1] |
 7 | 
 8 | [1]: https://support.office.com/en-us/article/flash-silverlight-and-shockwave-controls-blocked-in-office-2016-55738f12-a01d-420e-a533-7cef1ff6aeb1
 9 | 
10 | 


--------------------------------------------------------------------------------
/openbsd_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all OpenBSD versions.
 2 | 
 3 | | Version (and date) | Mitigation | References |
 4 | |--------------------|------------|------------------------------------------|
 5 | | ? |	DEP 	| ? |
 6 | | ? |	ASLR 	| ? |
 7 | | >= OpenBSD 5.7 | Removed procfs entirely | [8][8], [9][9], [10][10] |
 8 | | >= OpenBSD 5.9 |	Pledge — restrict system operations | [1][1] |
 9 | | >= OpenBSD 6.4 |	RETGUARD to clang/amd64 | [2][2] |
10 | | OpenBSD ??? |	int03 added to prologues to "disable" ROP gadgets |	[2][2] |
11 | | OpenBSD 6.4 |	Disable Intel Hyper Threading |	[2][2] [4][4] [5][5] [6][6] [7][7] |
12 | | OpenBSD 6.4? |	Misc. mitigations against speculative execution vulnerabilities | [3][3] |
13 | 
14 | [1]: https://man.openbsd.org/pledge.2
15 | [2]: https://marc.info/?l=openbsd-cvs&m=152824407931917&w=2
16 | [3]: http://undeadly.org/cgi?action=article;sid=20180724072257
17 | [4]: https://www.blackhat.com/us-18/briefings/schedule/#tlbleed-when-protecting-your-cpu-caches-is-not-enough-10149
18 | [5]: https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html
19 | [6]: https://twitter.com/cynicalsecurity/status/1009298428361310208
20 | [7]: https://twitter.com/phessler/status/1009459628915281920
21 | [8]: https://www.openbsd.org/plus57.html
22 | [9]: https://github.com/golang/go/issues/19453#issuecomment-285106970
23 | [10]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/mount_procfs/
24 | 


--------------------------------------------------------------------------------
/solaris_mitigations.md:
--------------------------------------------------------------------------------
 1 | We list mitigations added in all Solaris versions.
 2 | 
 3 | | Version (and date) | Mitigation | Platform | References |
 4 | |--------------------|------------|----------|-------------------------------|
 5 | | 2.6 (07/1997) | System-wide setting for non-executable stack (noexec_user_stack, NXSTACK) | SPARC | [1][1] [2][2] [3][3] |
 6 | | 7 (11/1998) | Separate kernel and user address space (KPTI) | SPARC (sun4u) | [4][4] |
 7 | | 9 (05/2002) | Link-time setting for non-executable stack (PT_SUNWSTACK) | SPARC | [5][5] |
 8 | | 10 (03/2005) | Link-time setting for non-executable stack (PT_SUNWSTACK) | x64 | [5][5] |
 9 | | 10 (03/2005) | System-wide setting for non-executable stack (noexec_user_stack, NXSTACK) | x64 | [1][1]  |
10 | | 10 (03/2005) | PRIV_PROC_INFO & PRIV_PROC_SESSION privileges to limit procfs access | All | [24][24]  |
11 | | 11.0.0 (11/2011) | Immutable non-global zones | All | [19][19] |
12 | | 11.1.0 (10/2012), 10U11 (01/2013) | Supervisor Mode Execution Prevention (SMEP) | Intel | [6][6] |
13 | | 11.1.0 (10/2012) | Address Space Layout Randomization (ASLR) | All | [1][1] [6][6] |
14 | | 11.1.0 (10/2012) | sxadm tool to manage mitigations | All | [1][1] [6][6] |
15 | | 11.2.0 (07/2014) | Immutable global zone | All | [20][20] |
16 | | 11.2.0 (07/2014) | Verified Boot | SPARC | [21][21] |
17 | | 11.2.8 (04/2015) | Application Data Integrity (ADI) | SPARC | [7][7] [8][8] [9][9] |
18 | | 11.3.0 (10/2015) | Non-executable heap (NXHEAP) | All | [1][1] [10][10] [11][11] |
19 | | 11.3.31 (04/2018) | Spectre V1 | All | [16][16] |
20 | | 11.4.0 (08/2018) | ADI checking for kernel heap (KADI) | SPARC | [1][1] [12][12] |
21 | | 11.4.0 (08/2018) | ADI checking for program heap (ADIHEAP) | SPARC | [1][1] [12][12] [13][13] [14][14] [18][18] |
22 | | 11.4.0 (08/2018) | ADI checking for stack (ADISTACK) | SPARC | [1][1] [12][12] [13][13] [15][15] |
23 | | 11.4.0 (08/2018) | Spectre V2 (IBPB, IBRS) | Intel | [1][1] [17][17] |
24 | | 11.4.0 (08/2018) | Kernel Page Table Isolation (KPTI) | Intel | [1][1] [17][17] |
25 | | 11.4.0 (08/2018) | Supervisor Mode Access Prevention (SMAP) | Intel | [1][1] |
26 | | 11.4.0 (08/2018) | Application Sandboxing | All | [22][22] [23][23] |
27 | | 11.4.3 (11/2018) | Level 1 Data Cache Flush (L1DF) | Intel | [1][1] [17][17] |
28 | | 11.4.3 (11/2018) | Speculative Store Bypass Disable (SSBD) | Intel | [1][1] [17][17] |
29 | | 11.4.5 (01/2019) | PRIV_PROC_SELF privilege to further limit procfs access | All | [24][24]  |
30 | | 11.4.15 (11/2019) | Microarchitectural Data Sampling Avoidance (MD_CLEAR) | Intel | [1][1] [17][17] |
31 | | 11.4.18 (02/2020) | Return Stack Buffer Speculation Mitigation (RSBS) | All  | [1][1] [17][17] |
32 | | 11.4.21 (05/2020) | IFU Mitigation (CVE-2018-12207) | Intel | [1][1] [17][17] |
33 | | 11.4.25 (09/2020) | TSX Disabled (TSX_DISABLE) | Intel | [1][1] [17][17] |
34 | | 11.4.30 (02/2021) | User-Mode Instruction Prevention (UMIP) | Intel | [1][1] |
35 | | 11.4.42 (02/2022) | Kernel Page Table Isolation (KPTI) | AMD | [1][1] |
36 | 
37 | These mitigations are implemented in hardware, microcode, or firmware -- the
38 | entries below reflect when they were made visible as read-only extensions in
39 | sxadm, though they may be in effect but not visible with earlier OS versions
40 | running on top of mitigated hardware, microcode, or firmware.
41 | 
42 | | Version (and date) | Mitigation | Platform | References |
43 | |--------------------|------------|----------|-------------------------------|
44 | | 11.4.0 (08/2018) | Spectre V2 (HW_BTI) | SPARC | [1][1] [17][17] |
45 | | 11.4.5 (01/2019) | Speculative Store Bypass Disable (SSBD) | SPARC | [1][1] [17][17] |
46 | | 11.4.9 (05/2019) | Rogue Data Cache (Meltdown) Avoidance (RDCL_NO) | Intel | [1][1] [17][17] |
47 | | 11.4.15 (11/2019) | Microarchitectural Data Sampling Avoidance (MDS_NO) | Intel | [1][1] [17][17] |
48 | | 11.4.21 (05/2020) | IFU Hardware Mitigation (IF_PSCHANGE_MC_NO) | Intel | [1][1] [17][17] |
49 | | 11.4.25 (09/2020) | TSX Asynchronous Abort (TAA) Hardware Avoidance (TAA_NO) | Intel | [1][1] [17][17] |
50 | 
51 | 
52 | [1]: https://docs.oracle.com/cd/E88353_01/html/E72487/sxadm-8.html
53 | [2]: https://docs.oracle.com/cd/E19455-01/806-6779/appendixa-21/index.html
54 | [3]: https://docs.oracle.com/cd/E37838_01/html/E61034/chapter2-2.html#OSTUNchapter2-26
55 | [4]: https://www.google.com/books/edition/_/r_cecYD4AKkC
56 | [5]: https://docs.oracle.com/cd/E19683-01/816-1386/chapter6-83432/index.html
57 | [6]: https://www.oracle.com/technetwork/server-storage/solaris11/documentation/solaris11-1-whatsnew-1732377.pdf
58 | [7]: https://docs.oracle.com/cd/E37069_01/html/E37085/gphwb.html
59 | [8]: https://lazytyped.blogspot.com/2017/09/getting-started-with-adi.html
60 | [9]: https://lazytyped.blogspot.com/2016/12/hardening-allocators-with-adi.html
61 | [10]: https://blogs.oracle.com/solaris/post/new-security-extensions-in-oracle-solaris-113
62 | [11]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-nx.html#scrolltoc
63 | [12]: https://docs.oracle.com/cd/E37838_01/html/E61059/gqajs.html
64 | [13]: https://lazytyped.blogspot.com/2017/09/adi-vs-rop.html
65 | [14]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-adiheap.html#scrolltoc
66 | [15]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-adistack.html#scrolltoc
67 | [16]: https://blogs.oracle.com/solaris/post/oracle-solaris-113-sru-31
68 | [17]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-platformsx.html#scrolltoc
69 | [18]: https://lazytyped.blogspot.com/2018/02/libcmalloc-meets-adiheap.html
70 | [19]: https://docs.oracle.com/cd/E23824_01/html/821-1460/glglv.html#scrolltoc
71 | [20]: https://docs.oracle.com/cd/E36784_01/html/E52463/golmb.html
72 | [21]: https://docs.oracle.com/cd/E36784_01/html/E52463/goioe.html#scrolltoc
73 | [22]: https://blogs.oracle.com/solaris/post/application-sandboxing-in-oracle-solaris-114
74 | [23]: http://blog.moellenkamp.org/archives/39-Labeled-Sandboxes.html
75 | [24]: https://docs.oracle.com/cd/E88353_01/html/E37853/privileges-7.html
76 | 


--------------------------------------------------------------------------------
/windows_mitigations.md:
--------------------------------------------------------------------------------
  1 | We list mitigations added in all Windows versions (from Windows XP up to latest Windows 10).
  2 | 
  3 | | Version (and date) | Mitigation | References |
  4 | |--------------------|------------|------------------------------------------|
  5 | | >= Windows XP SP2 and >= Windows Server 2003 SP1 | DEP in userland and kernel land | [1] [2] [167] |
  6 | | >= Windows XP SP2 and >= Windows Server 2003 SP1 | Non-executable SharedUserData | [3] |
  7 | | >= Windows Vista | Integrity Levels (IL) | [4] |
  8 | | >= Windows Vista | ASLR | [5] [5-2] [167] |
  9 | | >= Windows Vista | User-mode Drive Framework (now in WDF) to be able to write user space only drivers | [208] [209] [210] [211] |
 10 | | >= Windows XP SP2 with physical memory 508MB+ or >= Windows Vista | Delayed free list | [158] [153] [154] [155] [156] |
 11 | | Any 64-bit Windows | PagedPool is ReadWrite only (NX enabled) | [185] [186] |
 12 | | >= Windows Vista | SMB default configuration does not allow anonymous login to named pipes | [6] |
 13 | | Visual Studio 2003 >= XXX | SafeSEH | [7] [190] |
 14 | | Visual Studio 2003 >= XXX | GS stack cookie protection | [194] [195] |
 15 | | >= Windows Server 2008 (enabled by default) and >= Windows Vista SP1 (disabled by default). Disabled by default on workstation < Windows 10 v1709 and enabled by default on server versions. | Structured Exception Handling Overwrite Protector (SEHOP) | [191] [7] [8] [192] [193] |
 16 | | >= Internet Explorer 7 and >= Windows Vista | Protected Mode (PM) - Low IL | [9] |
 17 | | Windows Vista? 7? | Kernel ASLR (KASLR) | [10] [11] [160] |
 18 | | >= Internet Explorer 10 and >= Windows 8 | Enhanced Protected Mode (EPM) - AppContainer | [12] [13] [14] |
 19 | | >= Internet Explorer 10 and >= Windows 8 | ForceASLR | [15] |
 20 | | >= Windows 8, 64-bit processes | High Entropy ASLR (HEASLR) | [16] [17] |
 21 | | >= Internet Explorer 10 and >= Windows 8 | VTGuard | [18] [19] |
 22 | | Windows 7 | Safe Unlinking in the kernel pool allocator | [20] |
 23 | | Windows 8 or 8.1? | No-Execute (NX) Page Table Entries (PTE) | [159] |
 24 | | Windows 8 | Safe Unlinking in the linked lists used in the kernel | [21] [22] |
 25 | | >= Windows 8 | SMB default configuration does not allow anonymous login to IPC$ (IPC$ may be accessible but most commands cannot be used) | [23] |
 26 | | Windows 8 | Supervisor Mode Execution Prevention (SMEP) | [24] [149] [150] [151] [167] |
 27 | | Windows 8 32-bit/64-bit and backported to Vista+ 64-bit | NULL page mitigation | [25] [26] [27] [28] [29] [170] |
 28 | | Windows 8/8.1 (Server 2012) - patch XXX?? | HAL non executable (NX) | [30] |
 29 | | Windows 8 | No-Execute (NX) Nonpaged Pool | [31] [32] [33] |
 30 | | <= Internet Explorer 10 | Memory Protector (MP) | [34] |
 31 | | Edge and Internet Explorer 11 | MemGC | [35] |
 32 | | >= Windows 8.1 | ObTypeIndexTable Index 0 hardening | [36] |
 33 | | >= Windows 8.1 32-bit/64-bit (update KB3000850) or >= Office 16.0.7341.2032 or compiled with >= VS2015 | Control Flow Guard (CFG) a.k.a. Forward-edge CFI (Integrity) | [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [146] [166] [167] [168] [198] [199] [206] |
 34 | |  ? | Isolated Heap (only HTML/SVG/etc. elements accessible from JS, not helper/smaller objects) | [51] |
 35 | | >= Edge and Windows 10 v??? | Win32k syscall filter | [52] [53] [54] [55] [56] [57] [58] [59] [60] |
 36 | | Windows Vista | Kernel-Mode Code Signing (KMCS) a.k.a Digital Driver Signing | [147] [164] |
 37 | | Windows Vista | Kernel Patch Protection (KPP) aka PatchGuard | [148] |
 38 | | Windows 10 1703 or 1607 >= 14332 (August 2016) | Page Table Entry (PTE) location ramdomized (full KASLR) | [61] [62] [63] [64] [65] [180] [180-2] |
 39 | | >= Windows 10 1809 (Pro/Enterprise) and >= Edge 77 | Application Guard for Edge | [66] [67] [207] |
 40 | | Windows 10/Edge >= XX/XX/2016??? | Virtual Machines (VM) for Edge | [68] |
 41 | | Windows 10 >= XX/XX/2016??? | Services process isolation (out of SVCHOST.EXE) | [69] |
 42 | | Windows 10 >= XX/XX/2016??? | Shadow stack | [70] [71] |
 43 | | Windows 10/Edge >= XX/XX/2016??? | Prohibit dynamic code (VirtualAlloc RWX) | [72] [73] |
 44 | | Windows 10/Office 2016 (Version 16.11 Build 7571.2075) | Forbid child to create process | [74] |
 45 | | Windows 10/Edge | Out-of-process JIT | [75] [76] |
 46 | | Windows 10 v1607 (Build 14393) | NULL SecurityDescriptor kernel mitigation | [77] [78] |
 47 | | Windows 10 (Build 15002) | Exports are invalid CFG icall | [79] |
 48 | | Windows 10 (Build 15021 / Removed in Build 15031) | Return Flow Guard (RFG) | [80] [81] [82] [83] [84] |
 49 | | Windows 10 (Build 15025) | Strict CFG | [85] [86] |
 50 | | Windows 10 (Build 1703 Creators Update) | kCFG | [87] [152] |
 51 | | Windows 10 (Build ?) | Font parsing restricted to AppContainer | [88] [89] |
 52 | | Windows 10 (Build 16179) | Break LFH deterministic layouts | [90] [91] [188] [188-2] |
 53 | | Windows 10 64-bit (1703 Creators Update) (April 2017) | HAL randomized / No HAL Heap static mapping | [92] [93] |
 54 | | Internet Explorer 11 | Disable VBScript | [94] [95] [96] |
 55 | | Windows 10 (1703 Creators Update) | Arbitrary Code Guard (ACG) Enabled with PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON. Enabled by default in Edge only under certain conditions | [97] [98] [99] [180] [180-2] [213] |
 56 | | Windows 10 (16215) | Arbitrary Code Guard and Code Integrity Guard for most svchost.exe | [100] |
 57 | | Windows 10 (16215) | Isolated kernel stacks | [101] |
 58 | | Windows 10 (?) | BufferedIO output buffer is always zero'd | [102] [103] |
 59 | | Windows 10 RS3 (?) | EMET mitigations added to Win10 (Windows Defender Exploit Guard, etc.) | [104] [105] [106] [107] |
 60 | | Windows 10 RS4 | Split kernel/page directory tables | [108] [109] [110] |
 61 | | Windows 10 ??? | Fonts in userland and appcontainerized | [111] |
 62 | | Windows 10 RS4 (17063) | SGX2 Support (EAUG, EMODPR, etc) | [112] |
 63 | | Windows 10 ??? | Kernel Virtual Address (KVA) Shadow (== KPTI) | [113] [114] [172] [172-2] |
 64 | | Windows 10 ??? | Mitigations for speculative execution side channel vulnerabilities | [115] |
 65 | | Visual Studio 2017 version 15.5.5 or 15.6 Preview 4? | /Qspectre compiler option | [116] [117] |
 66 | | Windows 10 build 17692 (fast ring) (June 2018) | WPAD JavaScript sandboxing in AppContainer | [118] |
 67 | | Windows 10 Redstone 5 (June 2018) | Virtualization Based Security (VBS) enables Hypervisor Code Integrity (HVCI) and Driver Signature Enforcement (DSE) => block Capcom rootkit/other drivers | [119] [180] [180-2] |
 68 | | Windows 10 Build 17723 (Fast Ring) and 18204 (Skip Ahead) | heap-backed pool allocator (with randomization) | [120] |
 69 | | Windows 10 Build 19H1 | Limited Supervisor Mode Access Prevention (SMAP) in paths handling DISPATCH_LEVEL + interrupts | [121] [122] |
 70 | | Windows 10, version 1703 | Sandboxed Windows Defender (opt-in) | [123] [124] |
 71 | | >= Windows 10 v1709 | Structured Exception Handling Overwrite Protector (SEHOP) enabled by default | [193] |
 72 | | Windows 10 WIPFast build or compiled with /kernel | InitAll compiler feature. No uninitialized Plain-old-data (POD) structs on the stack | [125] [126]  [163]|
 73 | | Windows 10 Fall Creators Update (2017) | VBScript execution disabled in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default | [127] [128] |
 74 | | Windows 10 Pro or Enterprise Insider build 18305 | Windows Sandbox (run any application in isolation) | [129] [130] |
 75 | | Windows 10 build ??? (after 16299)| Windows Object Type encoding | [131] [132] |
 76 | | Windows 10 build ??? | eXtended Control Flow Guard (XFG): Validates call-targets by hash on target type | [133] [134] [180] [180-2] [181] [181-2] [183] [183-2] [204] [214] [222] [223] |
 77 | | Windows 10 build 17672 | Kernel pool moving towards Low Fragmentation Heap algorithm | [135] [136] |
 78 | | Windows 10 1809 build ??? | Threat-Intelligence Kernel APC Injection Sensor | [137] [138] [139] |
 79 | | Windows Insider Flight 18980  | kernel-mode and Hyper-V automatic initialization of scalars (pointers, int, etc.) | [140] |
 80 | | Windows 10 ??? (Oct 2019) | Virtualization Based Security (VBS) enabled by default | [141] [142] [180] [180-2] |
 81 | | Windows 10 1607 | tagWND.strName primitive mitigation | [144] |
 82 | | Windows 10 1709 | win32k object type isolation | [215] [216] [217] |
 83 | | Windows 10 1803 | win32k tagWND additional r/w primitive removal | [215] |
 84 | | Windows 10 1809 | win32k desktop heap user/kernel separation | [215] |
 85 | | Windows 10 1809 | kLFH (disable by default) | [143] |
 86 | | Windows 10 1903 | kLFH (enabled by default) | [218] |
 87 | | Windows 10 1903 | Userland Control-flow Enforcement Technology (CET) | [200] [201] [202] [203] |
 88 | | Windows 10 March 2020 | Hardlink mitigation (requires FILE_WRITE_ATTRIBUTES) | [157] |
 89 | | Windows 10 May 2020 and supported hardware | eXtended Flow Guard (XFG) (improved CFG) forward-edge CFI, can use Intel CET shadow stacks (only on supported hardware) | [145] [161] [161-2] [161-3] [165-2] [214] |
 90 | | Windows 10 ??? | No Uninitialized Stack | [162] [162-2] |
 91 | | Windows 10 ??? | Extreme Flow Guard (xFG) | [165] [165-2] [180] [180-2] [214] |
 92 | | Windows 10 21H1 | Kernel Data Protection (KDP) | [165] [165-2] [174] [174-2] [175] [175-2] [177] [177-2] |
 93 | | Windows 10 ??? | Vulnerable driver blocking | [169]|
 94 | | Windows 10 ??? | Zeroed kernel pool allocation | [171] [173] [173-2] [179] [182] [182-2] [187] [187-2] |
 95 | | Windows 10 21H1 | Authenticated Pointers (PAC) on ARM64 | [176] |
 96 | | Windows 10 21H1 | Dynamic relocations to allow user shared data to be relocated | [176] |
 97 | | Windows 10 21H1 | Kernel Mode TLS (Thread Local Storage) with PsTls* APIs | [176] |
 98 | | Windows 10 21H1 | Kernel Control-flow Enforcement Technology (CET) | [176] [180] [180-2] |
 99 | | Visual Studio 2019 ??? | ASan support for MSVC | [196] [197] |
100 | | Windows 10 ??? | Supervisor Mode Access Prevention (SMAP) | [178] [178-2] |
101 | | Windows 10 ??? | Randomized mapping of VTL0's KUSER_SHARED_DATA in ring0 VTL1 | [184] [189] |
102 | | Windows 10 ??? | Require graphics drivers developers to write user space only drivers | [208] |
103 | | Windows 11 (Build 22000) | Allows not following symlink for mount points (not default yet) | [202] |
104 | | Windows 11 (Build ???) | XTENDED_CONTROL_FLOW_GUARD, POINTER_AUTH_USER_IP, REDIRECTION_TRUST | [212] |
105 | | Windows 10 / Windows Server 2016 and 2019 | Keyboard and mouse disabled in session 0 | [219] [220] |
106 | | Windows 10 1803 / Windows 11 / Windows Server 2019 and 2022 | Interactive Services Detection Service (UI0Detect) binaries removed | [221] |
107 | 
108 | [1]: https://web.archive.org/web/20160114050453/https://support.microsoft.com/en-us/kb/875352
109 | [2]: http://www.alex-ionescu.com/?p=231
110 | [3]: http://www.uninformed.org/?v=3&a=4&t=sumry
111 | [4]: https://msdn.microsoft.com/en-us/library/bb625964.aspx
112 | [5]: http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf (dead)
113 | [5-2]: https://web.archive.org/web/20190715102700/http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf
114 | [6]: https://github.com/worawit/MS17-010/blob/master/BUG.txt#L324
115 | [7]: https://web.archive.org/web/20160306082550/http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
116 | [8]: http://blogs.technet.com/b/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows-7.aspx
117 | [9]: https://blogs.msdn.microsoft.com/ie/2006/02/09/protected-mode-in-vista-ie7/
118 | [10]: https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/
119 | [11]: https://www.coresecurity.com/blog/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-1
120 | [12]: https://securityintelligence.com/internet-explorer-ie-10-enhanced-protected-mode-epm-sandbox-research
121 | [13]: https://www.blackhat.com/docs/asia-14/materials/Yason/WP-Asia-14-Yason-Diving-Into-IE10s-Enhanced-Protected-Mode-Sandbox.pdf
122 | [14]: http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx
123 | [15]: https://blogs.msdn.microsoft.com/ie/2012/03/12/enhanced-memory-protections-in-ie10/
124 | [16]: https://blogs.msdn.microsoft.com/ie/2012/03/12/enhanced-memory-protections-in-ie10/
125 | [17]: https://twitter.com/epakskape/status/1116415990064197632
126 | [18]: https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
127 | [19]: https://web.archive.org/web/20160408052558/http://download.microsoft.com/download/F/D/F/FDFBE532-91F2-4216-9916-2620967CEAF4/Software%20Vulnerability%20Exploitation%20Trends.pdf
128 | [20]: https://msrc-blog.microsoft.com/2009/05/26/safe-unlinking-in-the-kernel-pool/
129 | [21]: https://labs.nettitude.com/blog/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver/
130 | [22]: https://msrc-blog.microsoft.com/2013/11/06/software-defense-safe-unlinking-and-reference-count-hardening/
131 | [23]: https://github.com/worawit/MS17-010/blob/master/BUG.txt#L380
132 | [24]: https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/
133 | [25]: https://seclists.org/fulldisclosure/2014/May/112
134 | [26]: http://www.mista.nu/research/nullpage.pdf
135 | [27]: https://blogs.technet.microsoft.com/srd/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit/
136 | [28]: http://www.ivanlef0u.tuxfamily.org/?p=355
137 | [29]: https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/
138 | [30]: https://www.risksense.com/wp-content/uploads/2018/05/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
139 | [31]: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/no-execute-nonpaged-pool
140 | [32]: https://github.com/worawit/MS17-010/blob/master/BUG.txt#L447
141 | [33]: http://www.alex-ionescu.com/?p=231
142 | [34]: http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitability-of-ie-edge-crashes.aspx
143 | [35]: http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitability-of-ie-edge-crashes.aspx
144 | [36]: http://powerofcommunity.net/poc2018/nikita.pdf
145 | [37]: https://blogs.msdn.microsoft.com/vcblog/2014/12/08/visual-studio-2015-preview-work-in-progress-security-feature/
146 | [38]: http://www.powerofcommunity.net/poc2014/mj0011.pdf
147 | [39]: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively.pdf
148 | [40]: https://twitter.com/secbughunter/status/779022926481793025
149 | [41]: https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
150 | [42]: https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/
151 | [43]: https://improsec.com/blog//bypassing-control-flow-guard-in-windows-10
152 | [44]: https://twitter.com/Blomster81/status/823574428579725312
153 | [45]: https://improsec.com/blog//bypassing-control-flow-guard-on-windows-10-part-ii
154 | [46]: http://lucasg.github.io/2017/02/05/Control-Flow-Guard/
155 | [47]: https://medium.com/@mxatone/mitigation-bounty-introduction-e629168faaa3
156 | [48]: https://medium.com/@mxatone/mitigation-bounty-from-read-write-anywhere-to-controllable-calls-ca1b9c7c0130
157 | [49]: https://medium.com/@mxatone/mitigation-bounty-4-techniques-to-bypass-mitigations-2d0970147f83
158 | [50]: https://github.com/mxatone/mitigation-bounty
159 | [51]: https://twitter.com/ifsecure/status/1047935536210632706
160 | [52]: https://twitter.com/tiraniddo/status/719574422286430209
161 | [53]: https://twitter.com/Blomster81/status/831139824044212224
162 | [54]: https://improsec.com/blog//win32k-system-call-filtering-deep-dive
163 | [55]: https://twitter.com/real_redp/status/885532386930327552
164 | [56]: http://redplait.blogspot.co.uk/2017/07/win32k-calls-filtering-on-w10.html
165 | [57]: https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect
166 | [58]: https://github.com/CENSUS/windows_10_rs2_rs3_exploitation_primitives
167 | [59]: https://census-labs.com/media/windows_10_rs2_rs3_exploitation_primitives.pdf
168 | [60]: https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect
169 | [61]: https://twitter.com/aionescu/status/725388108187852800
170 | [62]: http://www.alex-ionescu.com/?p=323
171 | [63]: https://twitter.com/epakskape/status/864882030110138369
172 | [64]: https://twitter.com/codemachineinc/status/878795088201224192
173 | [65]: https://www.risksense.com/wp-content/uploads/2018/05/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
174 | [66]: https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
175 | [67]: https://twitter.com/fdfalcon/status/781146017299304448
176 | [68]: https://blogs.windows.com/msedgedev/2015/08/17/windows-10-virtual-machines-now-available-on-microsoft-edge-dev/
177 | [69]: http://www.bleepingcomputer.com/news/microsoft/windows-10-insider-preview-build-14942-for-pc-revamps-service-host/
178 | [70]: https://twitter.com/deroko_/status/805129818840977408
179 | [71]: http://deroko.phearless.org/shadow_stack.txt
180 | [72]: https://twitter.com/epakskape/status/808903359855992832
181 | [73]: https://twitter.com/dwizzzleMSFT/status/809436747310370816
182 | [74]: https://twitter.com/epakskape/status/811354880078057472
183 | [75]: https://twitter.com/epakskape/status/811653243981811713
184 | [76]: https://github.com/Microsoft/ChakraCore/pull/1561
185 | [77]: https://twitter.com/Danny__Wei/status/807797814864420864
186 | [78]: https://labs.nettitude.com/blog/analysing-the-null-securitydescriptor-kernel-exploitation-mitigation-in-the-latest-windows-10-v1607-build-14393/
187 | [79]: https://twitter.com/epakskape/status/818617656886497280
188 | [80]: https://twitter.com/_fkz/status/828959029418459136
189 | [81]: https://github.com/TheEragon/TinyReturnFlowGuard
190 | [82]: https://twitter.com/epakskape/status/831172683358285824
191 | [83]: https://twitter.com/epakskape/status/831178823391535104
192 | [84]: https://eyalitkin.wordpress.com/2017/08/18/bypassing-return-flow-guard-rfg/
193 | [85]: https://twitter.com/epakskape/status/827198236276371457
194 | [86]: https://twitter.com/epakskape/status/827197694456139776
195 | [87]: https://twitter.com/dwizzzleMSFT/status/853079695520284674
196 | [88]: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10
197 | [89]: https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/
198 | [90]: https://github.com/saaramar/Deterministic_LFH
199 | [91]: https://twitter.com/epakskape/status/857356958306676736
200 | [92]: https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/
201 | [93]: https://www.risksense.com/wp-content/uploads/2018/05/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
202 | [94]: https://blogs.windows.com/msedgedev/2017/04/12/disabling-vbscript-execution-in-internet-explorer-11/
203 | [95]: https://twitter.com/JosephBialek/status/1158854357279895552
204 | [96]: https://blogs.windows.com/msedgedev/2019/08/02/update-disabling-vbscript-internet-explorer-windows-7-8/amp/?__twitter_impression=true
205 | [97]: https://twitter.com/epakskape/status/862745436158697472
206 | [98]: https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx
207 | [99]: https://twitter.com/epakskape/status/862745436158697472
208 | [100]: https://twitter.com/epakskape/status/873042557705478145
209 | [101]: https://twitter.com/epakskape/status/875077002599911424
210 | [102]: https://twitter.com/epakskape/status/875429831755800576
211 | [103]: https://twitter.com/JosephBialek/status/875427627242209280
212 | [104]: https://twitter.com/markwo/status/879759558830243840
213 | [105]: https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/
214 | [106]: https://twitter.com/aionescu/status/876482815784779777
215 | [107]: https://twitter.com/epakskape/status/879702034403868672
216 | [108]: https://twitter.com/aionescu/status/930233034908909568
217 | [109]: https://twitter.com/aall86/status/930501861286797312
218 | [110]: https://twitter.com/aionescu/status/930412525111296000
219 | [111]: https://twitter.com/aionescu/status/930508620529152000
220 | [112]: https://twitter.com/aionescu/status/943663406854184962?s=03
221 | [113]: https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/
222 | [114]: https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html
223 | [115]: https://msrc-blog.microsoft.com/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/
224 | [116]: https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/
225 | [117]: https://twitter.com/OSRDrivers/status/956629786037833730
226 | [118]: https://twitter.com/epakskape/status/1007316208087994368
227 | [119]: https://twitter.com/dwizzzleMSFT/status/1011333893302022146
228 | [120]: https://twitter.com/epakskape/status/1022557117998231552
229 | [121]: https://twitter.com/aionescu/status/1042445591861710848
230 | [122]: https://twitter.com/epakskape/status/1042455403349471232
231 | [123]: https://twitter.com/epakskape/status/1055881905961193472
232 | [124]: https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
233 | [125]: https://twitter.com/JosephBialek/status/1062774315098112001
234 | [126]: https://twitter.com/aionescu/status/1066718242406891520
235 | [127]: https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html
236 | [128]: https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/#rwFwvJ9JSX18pj2h.97
237 | [129]: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
238 | [130]: https://twitter.com/_arkon/status/1084597049788649472
239 | [131]: https://medium.com/@ashabdalhalim/a-light-on-windows-10s-object-header-typeindex-value-e8f907e7073a
240 | [132]: https://phxtechsol.com/2018/09/27/skream-kernel-mode-exploits-mitigations-for-the-rest-of-us/
241 | [133]: https://twitter.com/Liran_Alon/status/1134884485068201985
242 | [134]: https://github.com/dwizzzle/Presentations/blob/master/Bluehat%20Shanghai%20-%20Advancing%20Windows%20Security.pdf
243 | [135]: https://twitter.com/epakskape/status/997527812096475136
244 | [136]: https://twitter.com/mamyun/status/1028086646049202176
245 | [137]: https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/
246 | [138]: https://medium.com/@philiptsukerman/bypassing-the-microsoft-windows-threat-intelligence-kernel-apc-injection-sensor-92266433e0b0
247 | [139]: https://twitter.com/PhilipTsukerman/status/1176482333869957120
248 | [140]: https://twitter.com/JosephBialek/status/1176982389802729472
249 | [141]: https://twitter.com/aionescu/status/1179702939767595008
250 | [142]: https://techcommunity.microsoft.com/t5/Virtualization/Virtualization-Based-Security-Enabled-by-Default/ba-p/890167
251 | [143]: https://twitter.com/amarsaar/status/998649527681904640
252 | [144]: https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/
253 | [145]: https://twitter.com/dwizzzleMSFT/status/1198277219254038528
254 | [146]: https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
255 | [147]: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-
256 | [148]: https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/
257 | [149]: https://www.coresecurity.com/corelabs-research/publications/windows-smep-bypass-us
258 | [150]: http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html
259 | [151]: http://blog.ptsecurity.com/2012/09/bypassing-intel-smep-on-windows-8-x64.html
260 | [152]: https://labs.bluefrostsecurity.de/blog/2020/01/07/cve-2019-1215-analysis-of-a-use-after-free-in-ws2ifsl/
261 | [153]: http://www.uninformed.org/?v=10&a=2&t=pdf
262 | [154]: https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-Slides.pdf
263 | [155]: https://www.gatewatcher.com/en/news/blog/windows-kernel-pool-spraying
264 | [156]: https://census-labs.com/media/windows_10_rs2_rs3_exploitation_primitives.pdf
265 | [157]: https://twitter.com/epakskape/status/1237490441827713025
266 | [158]: https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf
267 | [159]: https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf
268 | [160]: https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit?pref=2&pli=1 "BypassAslrWin10.pdf"
269 | [161]: https://techcommunity.microsoft.com/t5/windows-kernel-internals/understanding-hardware-enforced-stack-protection/ba-p/1247815
270 | [161-2]: https://twitter.com/epakskape/status/1242481897692774400
271 | [161-3]: https://twitter.com/mamyun/status/1246316534206623746
272 | [162]: https://msrc-blog.microsoft.com/2020/05/13/solving-uninitialized-stack-memory-on-windows/
273 | [162-2]: https://twitter.com/JosephBialek/status/1260616644721696769
274 | [163]: https://twitter.com/epakskape/status/1262444520144134154
275 | [164]: http://www.icas.no/no/filer/DisableDigitalDriverSigninginWindows7Vista.pdf
276 | [165]: https://twitter.com/PetriFeed/status/1283401869172367360
277 | [165-2]: https://petri.com/extreme-flow-guard-xfg-and-kernel-data-protection-kdp-coming-to-windows-10
278 | [166]: https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
279 | [167]: https://www.crowdstrike.com/blog/state-of-exploit-development-part-1/
280 | [168]: https://www.trendmicro.com/en_us/research/16/j/control-flow-guard-improvements-windows-10-anniversary-update.html
281 | [169]: https://twitter.com/dwizzzleMSFT/status/1267507875619848198
282 | [170]: https://twitter.com/waleedassar/status/1270550282695585792
283 | [171]: https://twitter.com/JosephBialek/status/1275912119301451777
284 | [172]: https://twitter.com/JosephBialek/status/1278050198611046401
285 | [172-2]: https://labs.bluefrostsecurity.de/blog/2020/06/30/meltdown-reloaded-breaking-windows-kaslr/
286 | [173]: https://twitter.com/JosephBialek/status/1278749937811853312
287 | [173-2]: https://msrc-blog.microsoft.com/2020/07/02/solving-uninitialized-kernel-pool-memory-on-windows/
288 | [174]: https://twitter.com/aall86/status/1280920343033507840
289 | [174-2]: https://www.microsoft.com/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/
290 | [175]: https://twitter.com/zwclose/status/1281230678634487809
291 | [175-2]: https://twitter.com/daniel_bilar/status/1281302366231429121
292 | [176]: https://twitter.com/aionescu/status/1284171742940930049
293 | [177]: https://twitter.com/aionescu/status/1285225032344641536
294 | [177-2]: https://windows-internals.com/secure-pool/
295 | [178]: https://twitter.com/AmarSaar/status/1285323905046065153
296 | [178-2]: https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Evaluating%20the%20feasibility%20of%20enabling%20SMAP%20for%20the%20Windows%20kernel.pdf
297 | [179]: https://community.osr.com/discussion/292216/serious-bug-in-exallocatepoolzero-in-wdk-2004
298 | [180]: https://twitter.com/33y0re/status/1296575402719301633
299 | [180-2]: https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/
300 | [181]: https://twitter.com/33y0re/status/1297546151034576903
301 | [181-2]: https://connormcgarr.github.io/examining-xfg/
302 | [182]: https://www.osr.com/blog/2020/07/14/bug-in-new-function-exallocatepoolzero-results-in-security-vulnerability-and-crashes/
303 | [182-2]: https://twitter.com/0vercl0k/status/1313348326515974145
304 | [183]: https://twitter.com/fdfalcon/status/1326916465027657728
305 | [183-2]: https://blog.quarkslab.com/how-the-msvc-compiler-generates-xfg-function-prototype-hashes.html
306 | [184]: https://twitter.com/AmarSaar/status/1331744299575341061
307 | [185]: https://community.osr.com/discussion/280354/windows-kernel-writeable-and-executable-pages
308 | [186]: https://bsodtutorials.wordpress.com/2013/12/16/virtual-to-physical-address-translation-part-2/
309 | [187]: https://twitter.com/OSRDrivers/status/1347561423166169089
310 | [187-2]: https://www.osr.com/blog/2021/01/07/mitigations-exallocatepoolzero-security-vulnerability/
311 | [188]: https://twitter.com/AmarSaar/status/1357000851013910528
312 | [188-2]: https://github.com/saaramar/Deterministic_LFH
313 | [189]: https://twitter.com/AmarSaar/status/1365793698777300998
314 | [190]: https://web.archive.org/web/20160422073331/https://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx
315 | [191]: https://dl.packetstormsecurity.net/papers/bypass/defeating-w2k3-stack-protection.pdf
316 | [192]: https://support.microsoft.com/en-us/topic/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems-8d4595f7-827f-72ee-8c34-fa8e0fe7b915
317 | [193]: https://securityboulevard.com/2020/12/a-modern-exploration-of-windows-memory-corruption-exploits-part-i-stack-overflows/
318 | [194]: https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?redirectedfrom=MSDN&view=msvc-160
319 | [195]: https://msrc-blog.microsoft.com/2009/03/16/gs-cookie-protection-effectiveness-and-limitations/
320 | [196]: https://twitter.com/dwizzzleMSFT/status/1187047446867636225
321 | [197]: https://devblogs.microsoft.com/cppblog/addresssanitizer-asan-for-windows-with-msvc/
322 | [198]: https://twitter.com/0vercl0k/status/1381486982753320960
323 | [199]: https://iamelli0t.github.io/2021/04/10/RPC-Bypass-CFG
324 | [200]: https://windows-internals.com/cet-on-windows/
325 | [201]: https://windows-internals.com/cet-updates-cet-on-xanax/
326 | [202]: https://twitter.com/Blomster81/status/1387783529350770689
327 | [203]: https://www.offensive-security.com/offsec/intel-cet-in-action/
328 | [204]: https://www.offensive-security.com/offsec/extended-flow-guard/
329 | [205]: https://twitter.com/tiraniddo/status/1416973591279661056
330 | [206]: https://msrc-blog.microsoft.com/2020/08/17/control-flow-guard-for-clang-llvm-and-rust/
331 | [207]: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-defender-application-guard
332 | [208]: https://docs.microsoft.com/en-us/windows-hardware/drivers/display/user-mode-display-drivers
333 | [209]: https://github.com/microsoft/Windows-Driver-Frameworks
334 | [210]: https://docs.microsoft.com/en-us/windows-hardware/drivers/wdf/overview-of-the-umdf
335 | [211]: https://channel9.msdn.com/Blogs/Charles/Peter-Wieland-User-Mode-Driver-Framework
336 | [212]: https://web.archive.org/web/20210729235750/https://twitter.com/mavillon1/status/1420896368818806788
337 | [213]: https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
338 | [214]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE37dMC
339 | [215]: https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/
340 | [216]: https://conference.hitb.org/hitbsecconf2018ams/materials/D1%20COMMSEC%20-%20Saif%20Elsherei%20and%20Ian%20Kronquist%20-%20The%20Life%20&%20Death%20of%20Kernel%20Object%20Abuse.pdf
341 | [217]: https://blog.quarkslab.com/reverse-engineering-the-win32k-type-isolation-mitigation.html
342 | [218]: https://speakerdeck.com/scwuaptx/windows-kernel-heap-segment-heap-in-windows-kernel-part-1
343 | [219]: https://kb.firedaemon.com/support/solutions/articles/4000106823-manually-enabling-interactive-services-interactive-service-detection-and-session-0
344 | [220]: https://docs.microsoft.com/en-us/answers/questions/27517/is-there-any-workaround-in-win10-to-allow-service.html
345 | [221]: https://kb.firedaemon.com/support/solutions/articles/4000123189
346 | [222]: https://documents.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
347 | [223]: https://ynwarcs.github.io/Win11-24H2-CFG
348 | 


--------------------------------------------------------------------------------