├── LICENSE
├── README.md
├── android_mitigations.md
├── arm_mitigations.md
├── chrome_mitigations.md
├── dotnet_mitigations.md
├── edge_mitigations.md
├── firefox_mitigations.md
├── freebsd_mitigations.md
├── glibc_mitigations.md
├── img
│   └── example.png
├── iphone_mitigations.md
├── linux_mitigations.md
├── office_mitigations.md
├── openbsd_mitigations.md
├── solaris_mitigations.md
└── windows_mitigations.md

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2023 NCC Group

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Exploitation Mitigations

The goal is to list exploitation mitigations added over time in various operating systems, software, libraries and hardware.
It is handy to know whether a given vulnerability is easily exploitable or not, depending on the exploitation mitigations in place.

An example is the following:

![](img/example.png)

-------------------------------------------------------------------------------
# Table of contents

* [Supported targets](#supported-targets)
* [Motivations](#motivations)
* [Does my current environment have mitigation X?](#does-my-current-environment-have-mitigation-x)
* [Final words](#final-words)
-------------------------------------------------------------------------------

# Supported targets

We currently support the following operating systems:

* [Microsoft Windows](windows_mitigations.md)
* [Linux](linux_mitigations.md)
* [Google Android](android_mitigations.md)
* [Apple iPhone OS (iOS)](iphone_mitigations.md)
* [OpenBSD](openbsd_mitigations.md)
* [FreeBSD](freebsd_mitigations.md)
* [Oracle Solaris](solaris_mitigations.md)

and the following software:

* [Mozilla Firefox](firefox_mitigations.md)
* [Microsoft Edge](edge_mitigations.md)
* [Google Chrome](chrome_mitigations.md)
* [Microsoft Office](office_mitigations.md)

and the following libraries:

* [glibc](glibc_mitigations.md)
* [Microsoft .NET Framework](dotnet_mitigations.md)

and the following hardware:

* [ARM](arm_mitigations.md)

# Motivations

It has become challenging to follow when certain mitigations are added in an update and/or backported to older versions of various software and hardware.

Sometimes, online content becomes outdated due to mitigation changes and it can be hard to keep up. It is also easy to forget the details after a short time if you do not work on a specific piece of software or hardware.

We have been filling this gap by tracking all the mitigations in summary tables that hold the mitigation names and link to online references for technical information about them.

This information has proven useful to exploit developers for several years.

# Does my current environment have mitigation X?

This is a common question for any exploit developer trying to develop an exploit for a given target.

E.g. let's say you want to exploit a Windows kernel driver on Windows 7 x64 containing a kernel NULL pointer dereference bug. Is it exploitable?

Checking our table, we read that the "NULL page mitigation" was introduced in "Windows 8 32-bit/64-bit and backported to Vista+ 64-bit". Now we know it depends on whether our target Windows 7 x64 is up to date or not; more precisely, we can focus on figuring out which KB introduces this mitigation and check our target against that KB!

# Final words

We do accept pull requests so feel free to do so :)

We do have other targets in our private pipeline too so reach out if you are interested in another particular one :)

--------------------------------------------------------------------------------
/android_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Android versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| 2.3 | Binaries compiled with non-executable stack and heap | [26][26] |
| 2.3 | Stack randomized | ? |
| 4.0 | Libraries randomized | ? |
| 4.0.2 | Heap randomized | ? |
| unknown | Executables randomized | [24][24] |
| 4.1 | default umask 0077 | ? |
| 4.1 | Linker randomized | ? |
| 4.1 | isolatedProcess introduction | ? |
| 4.1.1 | mmap_min_addr increased to 32768 | ? |
| 4.1.1 | /proc/kallsyms not available. kptr_restrict to control it. | [9][9] [10][10] [11][11] |
| 4.3 | SELinux in permissive mode | ? |
| 4.3 | deletion of setuid/setgid binaries | ? |
| 4.3 | deletion of Linux capabilities in zygote/adbd | ? |
| 4.4 | SELinux in enforcing mode for crucial domains | ? |
| 5.0 | SELinux in enforcing mode for all domains | [12][12] |
| 6.x? | isolatedApplicationData | [13][13] |
| 6.x? | preventAppDataExecution | [1][1] |
| N | UndefinedBehaviorSanitizer (UBSan) allowing Integer Overflow Sanitization (IntSan) in media stack | [2][2] [3][3] |
| N | mediaserver containment / some media services are in their individual service processes (sandboxed) | [4][4] [5][5] |
| ? | trustzone | [6][6] |
| O | Privileged Access Never (PAN) emulation | [7][7] [8][8] |
| O | Hardened usercopy (w/o whitelist) | [7][7] [8][8] |
| O | Post-init read-only memory (__ro_after_init) | [7][7] [8][8] |
| O | Kernel Address Space Layout Randomization (KASLR) | [8][8] |
| O | media service processes converted into HALs | [5][5] [15][15] |
| O | SECURE_DELETE on SQLite databases | [16][16] |
| O | Control Flow Integrity (CFI) in select components | [3][3] |
| P | Control Flow Integrity (CFI) in more components by default (media framework, NFC, Bluetooth) | [3][3] [17][17] [5][5] |
| P | Kernel Control Flow Integrity (kCFI) into Android common kernel | [3][3] [14][14] |
| P | Integer Overflow Sanitization (IntSan) in more libraries (libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, libreverbwrapper) and reduced performance overhead by 75% | [3][3] |
| 10 | software media codecs moved into constrained sandbox in system service (mediaswcodec sandbox, based on SELinux and seccomp, no access to device drivers) | [5][5] |
| 10 | LLVM's bounds sanitizer (BoundSan) to fail safely on array overflow, at compile time, enabled on 11 media codecs and the Bluetooth stack | [5][5] |
| 10 | Integer Overflow Sanitization (IntSan) to fail safely on integer overflow, at compile time, in all of the media framework | [5][5] |
| 10 | LLVM's Shadow Call Stack (SCS) to protect return addresses (x18 register) in Bluetooth stack and some parts of the kernel | [5][5] |
| 10 | eXecute-Only Memory (XOM) makes code unreadable for AArch64, ARMv8.2+ and Linux 4.9+ devices | [5][5] |
| 10 | Scudo Hardened Allocator (resilience against UAF, double-frees, BOF, heap sprays) enabled in media extractors and codecs | [5][5] |
| unknown | Stack Protector Strong | [18][18] |
| unknown | RELRO/NOW | [19][19] [22][22] [23][23] |
| unknown | -Wl,--fatal-warnings and -Wl,--warn-shared-textrel | [20][20] |
| unknown | -D_FORTIFY_SOURCE | [21][21] |
| unknown | -Werror=format-security | [25][25] |
| 11 | DebugFS not present in kernel config | [27][27] [28][28] |

[1]: https://android-review.googlesource.com/#/c/169950/
[2]: http://android-developers.blogspot.co.uk/2016/05/hardening-media-stack.html
[3]: https://android-developers.googleblog.com/2018/06/compiler-based-security-mitigations-in.html
[4]: http://android-developers.blogspot.co.uk/2016/05/hardening-media-stack.html
[5]: https://android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html
[6]: http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/
[7]: https://twitter.com/CopperheadOS/status/900151927610232832
[8]: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html
[9]: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=455cd5ab305c90ffc422dd2e0fb634730942b257
[10]: http://insitusec.blogspot.co.uk/2013/01/kallsyms-on-android.html
[11]: https://www.duosecurity.com/blog/exploit-mitigations-in-android-jelly-bean-4-1
[12]: http://source.android.com/devices/tech/security/selinux/index.html
[13]: https://android-review.googlesource.com/#/c/171970/
[14]: https://android-review.googlesource.com/q/topic:android-4.14-cfi
[15]: https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
[16]: https://twitter.com/CopperheadOS/status/900206828683964417
[17]: https://android.googlesource.com/platform/build/+/e003a0a6cec52c2a8bd561673509f3a34bc5c052/target/product/cfi-common.mk
[18]: https://android.googlesource.com/platform/build/+/8765b1035f813be2c26988a73cf3e9815aa5adf6
[19]: https://android.googlesource.com/platform/build/+/45545761d20e1eab324b8ce302afceb9c440c2a3
[20]: https://android.googlesource.com/platform/build/+/46ed4aa58b9674aadf75b4c35d0394831bbe6bad
[21]: https://android-developers.googleblog.com/2017/04/fortify-in-android.html
[22]: https://android.googlesource.com/platform/build/+/ecb1a565849b40ab7aa45b7fe71e24e29a059376
[23]: https://android.googlesource.com/platform/build/+/233d460f21d372f964f8078b8b0d5fd17af7c6b6
[24]: https://android.googlesource.com/platform/build/+/026a85b129e4540a4d8d40aace47aa0c69f609da
[25]: https://android.googlesource.com/platform/build/+/d868cad8284730bd902a354a984dc57c870802fc
[26]: https://android.googlesource.com/platform/build/+/2915cc3e323a9bf86e1a20b201ceb4e9529bc5a2
[27]: https://twitter.com/jeffvanderstoep/status/1430824324261466115
[28]: https://source.android.com/setup/start/android-11-release#debugfs

--------------------------------------------------------------------------------
/arm_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in the ARM architecture.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| Armv7-A | Privileged Execute Never (PXN) (ARM's version of SMEP) | ? |
| Armv8.1-A | Privileged Access Never (PAN) (ARM's version of SMAP) | [7] |
| Armv8.3-A | Pointer Authentication (ensure function returns to expected location) | [1] [2] [3] [4] |
| Armv8.5-A (2018) | Memory Tagging | [5] [6] |
| Armv8.5-A (2018) | Branch Target Indicators (BTI) (CFI-like feature) | [5] |
| AArch64 and multiple gcc versions (2023) | GCC's -fstack-protector failed to guard dynamically-sized local variables | [8] [9] |

[1]: https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a
[2]: https://twitter.com/WillDeacon/status/1077940843879849986?s=03
[3]: https://twitter.com/jfbastien/status/1187480501017165826
[4]: https://github.com/apple/llvm-project/pull/14
[5]: https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a
[6]: https://en.wikichip.org/wiki/arm/mte
[7]: https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/the-armv8-a-architecture-and-its-ongoing-development
[8]: https://mastodon.social/@Azeria/111053168811826637
[9]: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

--------------------------------------------------------------------------------
/chrome_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Chrome versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| Chrome ? Linux/Android 2016 | CFI | [1] |
| Chrome ? Windows 2020 | CFG | [2] [3] [8] |
| Chrome ? Windows | Sandbox forced image address load randomization | [3] |
| Chrome ? Windows | Sandbox win32k.sys lockdown | [3] |
| Chrome ? Windows | Sandbox non-system font restriction | [3] |
| Chrome ? Windows | Sandbox site isolation | [3] [7] |
| Chrome ? Windows | Sandbox bottom-up ASLR | [3] |
| Chrome ? Windows | Sandbox high entropy ASLR | [3] |
| Chrome ? Windows | Sandbox strict handle checks | [3] |
| Chrome ? Windows | Sandbox low box token | [3] |
| Chrome 90 Windows | Hardware-enforced Stack Protection using Control-flow Enforcement Technology (CET) | [3] [4] [5] |
| Chrome ? | site isolation | ? |
| Chrome ? | Automatic stack variable initialization | ? |
| Chrome ? | V8 Heap Sandbox aka Ubercage | [6] |

[1]: https://www.chromium.org/developers/testing/control-flow-integrity
[2]: https://bugs.chromium.org/p/chromium/issues/detail?id=584575
[3]: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/design/sandbox.md#Process-mitigation-policies
[4]: https://twitter.com/arw/status/1389632865852293123
[5]: https://security.googleblog.com/2021/05/enabling-hardware-enforced-stack.html
[6]: https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit
[7]: https://security.googleblog.com/2021/07/protecting-more-with-site-isolation.html
[8]: https://twitter.com/JosephBialek/status/1461480508894765058

--------------------------------------------------------------------------------
/dotnet_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Microsoft .NET framework versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| MS12-035 | check that the type being set during the ISerializable.GetObjectData call is in an assembly signed with the same public key (avoid partial trust abusing round-trip serialization) | [1] |

[1]: https://web.archive.org/web/20210206071224/https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf

--------------------------------------------------------------------------------
/edge_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Edge versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| Edge XXX in Windows 10 1511 | Code Integrity Guard (CIG) introduced | [1][1] |
| Edge XXX in Windows 10 1607 | CIG feature: Preventing child process creation | [2][2] |
| Edge XXX in Windows 10 Creators Update | CIG feature: Enabling the CIG policy sooner | [2][2] |
| Edge XXX in Windows 10 ??? | Arbitrary Code Guard (ACG) introduced | [2][2] |
| Edge XXX in Windows 10 Insider Preview Build 16188 | Hypervisor Isolation of Edge | [3][3] [4][4] |
| Edge 76.0.155.0 (Canary) in Windows 10 ??? | Super Duper Secure Mode | [5][5] |

[1]: https://blog.mozilla.org/futurereleases/2016/12/21/update-on-multi-process-firefox/
[2]: https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
[3]: https://twitter.com/dwizzzleMSFT/status/860179443871997953
[4]: https://blogs.windows.com/windowsexperience/2017/05/04/announcing-windows-10-insider-preview-build-16188-pc-build-15210-mobile/
[5]: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/

--------------------------------------------------------------------------------
/firefox_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Firefox versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| Firefox 50 (Windows only) | Sandboxing | [1][1] |
| Firefox >= 56 | (some) Portions of Firefox are written in Rust (Oxidation Project) | [2][2] |
| Firefox Nightly only | Site Isolation/Sandboxing (Fission Project) (Not complete) | [3][3] |

[1]: https://blog.mozilla.org/futurereleases/2016/12/21/update-on-multi-process-firefox/
[2]: https://wiki.mozilla.org/Oxidation
[3]: https://wiki.mozilla.org/Project_Fission

--------------------------------------------------------------------------------
/freebsd_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all FreeBSD versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| ? | Address Space Layout Randomization (ASLR) | [1][1] [2][2] [3][3] |
| ? | Intel SMAP/SMEP | [4][4] |

[1]: https://twitter.com/FreeBSDHelp/status/1094793775941992448
[2]: https://svnweb.freebsd.org/base?view=revision&revision=343964
[3]: https://svnweb.freebsd.org/base?view=revision&revision=344121
[4]: https://wiki.freebsd.org/SummerOfCode2014/IntelSMAPandKernelPatching

--------------------------------------------------------------------------------
/glibc_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in glibc.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| glibc 2.5 | Introduce PTR_MANGLE to prevent atexit() and setjmp() overwrites | [1][1] |
| glibc 2.18 | Harden against PTR_MANGLE bypass in static executables | [2][2] |
| glibc 2.22.90 | Harden against LD_POINTER_GUARD bypass in dynamically linked setuid binaries | [3][3] |
| glibc 2.24 | Place libio vtables in a static read-only range that can be checked before execution | [4][4] [5][5] [6][6] |
| glibc 2.32 | safe-linking for tcache and fastbin | [9][9] [11][11] |
| glibc 2.34 | improvement of safe-linking for tcache | [7][7] [8][8] [10][10] [12][12] |

[1]: https://www.sourceware.org/ml/libc-hacker/2005-12/msg00025.html
[2]: http://hmarco.org/bugs/CVE-2013-4788.html
[3]: http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
[4]: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51;hp=64ba17317dc9343f0958755ad04af71ec3da637b
[5]: https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/
[6]: https://www.coresecurity.com/blog/sapcar-heap-buffer-overflow-crash-exploit
[7]: https://twitter.com/CarlosODonell/status/1412934369774276609
[8]: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc859c304898a5ec72e0ba5269ed136ed0ea10e1
[9]: https://research.checkpoint.com/2020/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/
[10]: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
[11]: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41
[12]: https://twitter.com/EyalItkin/status/1413057188269109254

--------------------------------------------------------------------------------
/img/example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/exploit_mitigations/d110216dd090956b5d801c8b5a03fe36afd5fc8c/img/example.png

--------------------------------------------------------------------------------
/iphone_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all iPhone versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| at least up to iPhone X | no ASLR in BootROM/iBoot (this is not a mitigation but worth mentioning) | [1][1] [2][2] |
| at least up to iPhone X | UNSECURE_MEMORY at a static address in BootROM/iBoot (this is not a mitigation but worth mentioning) | [2][2] |
| A9X i.e. >= iPad Pro, iPad 6th generation, iPhone 7 | W^X in BootROM/iBoot | [3][3] [4][4] |
| ? | ARMv8.3-PAuth | [5][5] [6][6] |

[1]: https://twitter.com/alisaesage/status/1193267324242915328
[2]: http://re.alisa.sh/notes/iBoot-address-space.html
[3]: https://github.com/nccgroup/exploit_mitigations/issues/1
[4]: https://www.theiphonewiki.com/wiki/Application_Processor#S8001_Apple_A9X
[5]: https://twitter.com/matteyeux/status/1410500155204329473
[6]: https://github.com/matteyeux/darwin-xnu/blob/master/doc/vmapple_pac.md

--------------------------------------------------------------------------------
/linux_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Linux versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| (optional patch) | grsecurity/PaX | [1] [2] |
| Linux ? (2013) | remove %n support in vsprintf() | [61] [62] |
| Linux 2.4.21-rc1 | Exec-Shield | [3] |
| Linux 2.6.8 | Non-Executable Memory (NX) / DEP | [4] |
| Linux 2.6.12 | kernel.randomize_va_space. Address Space Layout Randomization (ASLR). | [5] |
| Linux 2.6.12 for i386 / Linux 2.6.23 for x86_64 | virtual syscalls (vsyscall) replaced by virtual Dynamic Shared Object (vDSO) | [72] |
| Linux 2.6.23 | (ineffective until 2019) kernel.mmap_min_addr. NULL page mitigation. Ineffective and easily bypassable (CVE-2019-9213) until 2019. | [6] [7] [8] |
| Linux 2.6.28 | kernel.kptr_restrict | [9] [10] [11] |
| Linux 2.6.37 | kernel.dmesg_restrict | [12] [13] [14] |
| Linux 3.0 + hardware needs support (>= Ivy Bridge architecture) | Supervisor Mode Execution Prevention (SMEP) for x86 / x86_64 architectures. | [15] [16] [17] [18] |
| Linux 3.7 + hardware needs support | Supervisor Mode Access Prevention (SMAP) for x86 / x86_64 architectures. | [19] [20] |
| Linux 3.7 + hardware needs support | PXN (Privileged Execute-Never). Effectively SMEP (Supervisor Mode Execution Prevention) for ARM architectures. | [21] [22] [23] |
| Linux 3.14 (supported, but not enabled by default until kernel 4.12) | Kernel ASLR (KASLR) | [24] [25] |
| >= clang 3.7 | Control Flow Integrity (CFI) | [26] |
| Linux 4.0 (optional kernel module) | Linux Kernel Runtime Guard (LKRG). Loadable kernel module that performs runtime integrity checking. | [27] |
| Linux 4.0 | pagemap: do not leak physical addresses to non-privileged userspace | [91] |
| Linux 4.3 + hardware needs support | PAN (Privileged Access Never). Effectively SMAP (Supervisor Mode Access Prevention) for ARM architectures. | [28] |
| Linux 4.4 | kmem accounting (SLAB_ACCOUNT) added to cred_jar cache | [93] |
| Linux 4.8 | CONFIG_SLAB_FREELIST_RANDOM - freelist order randomized during initialization of a new slab (new set of pages for that region) | [83] [85] [93] |
| Linux 4.11 | CONFIG_STATIC_USERMODEHELPER - prevents the overwrite of `modprobe_path` (read-only) | [79] [92] |
| Linux 4.11 | structleak plugin enforcing __user annotated struct zeroing | [92] |
| Linux 4.13 | Compile-time and run-time protection for finding overflows (CONFIG_FORTIFY_SOURCE) | [29] |
| Linux 4.13 | Forced NULL-prefixed stack canary on 64-bit | [29] |
| Linux 4.13 | randomized structure layout (manual mode only) (randstruct gcc plugin) | [29] |
| Linux 4.13 | lower ELF_ET_DYN_BASE (32-bit only) | [29] |
| Linux 4.13 | kill iovec exploitation trick | [86] [87] [88] |
| Linux 4.14 | CONFIG_SLAB_FREELIST_HARDENED - encoded freelist next pointers | [84] |
| Linux 4.14 (optional patch) | Kernel Address Isolation to have Side-channels Efficiently Removed (KAISER) | [30] [31] |
| Linux 4.15 | Kernel Page Table Isolation (KPTI or PTI) (formerly KAISER) | [32] [33] [34] [35] |
| Linux 4.4.144 | Spectre v1 fix | [36] [37] [38] |
| Linux ? | hardened usercopy (CONFIG_HARDENED_USERCOPY) | [79] [93] |
| Linux 4.16 | usercopy hardened for info leaks (CONFIG_HARDENED_USERCOPY with useroffset and usersize) | [93] |
| Linux 4.16 | special-purpose caches matching sizes of general-purpose caches not mergeable with them when kmem accounting (SLAB_ACCOUNT) is used for these special-purpose caches. NOTE: from 5.9 and before 5.14, kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches are again mergeable with other special-purpose caches. | [93] [94] |
| Linux 4.18 | allocation overflow detection helpers | [39] [40] |
| Linux 4.18 | Removing open-coded multiplication from memory allocation arguments | [41] [40] |
| Linux 5.1 | CR4 Pinning. Prevents modification of sensitive CR4 bits, preventing SMEP/SMAP bypass via native_write_cr4. | [42] [43] |
| Linux 5.3 | Heap auto initialization | [44] [45] |
| Linux 5.4 | PAC on arm64: return address signing | [46] [47] |
| Linux 5.4 | Lockdown module | [63] [64] [65] |
| Linux 5.4 | Automatically mitigate X86_BUG_ITLB_MULTIHIT (iTLB Multihit) | [66] [67] [68] |
| Linux 5.4 | Mitigate TSX Async Abort | [67] [69] [70] [71] |
| Linux ? | kernel stack base offset randomization | [50] [51] |
| Linux 5.7 | SLAB free pointer moved to middle of object | [89] [90] |
| Linux 5.9 | seccomp user_notif file descriptor injection | [52] [53] |
| Linux 5.9 | zero-initialize stack variables with Clang | [52] [53] |
| Linux 5.9 | common syscall entry/exit routines | [52] [53] |
| Linux 5.9 | SLAB kfree() hardening | [52] [53] |
| Linux 5.9 | new CAP_CHECKPOINT_RESTORE capability | [52] [53] |
| Linux 5.9 | debugfs boot-time visibility restriction | [52] [53] |
| Linux 5.9 | more seccomp architecture support | [52] [53] |
| Linux 5.9 | new tasklet API | [52] [53] |
| Linux 5.9 | x86 FSGSBASE implementation | [52] [53] |
| Linux 5.9 | filter x86 MSR writes | [52] [53] |
| Linux 5.9 | uninitialized_var() macro removed | [52] [53] |
| Linux 5.9 | function pointer cast removals | [52] [53] |
| Linux 5.9 | flexible array conversions | [52] [53] |
| Linux 5.9 | (regression) kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches mergeable (again) with other special-purpose caches. | [93] [94] |
| Linux ? | Linux Kernel Runtime Guard (LKRG) | [54] [55] [73] [74] [75] |
| Linux XXX | vm.unprivileged_userfaultfd / userfaultfd() forbidden to unprivileged users | [81] [82] |
| Linux 5.11 | vm.unprivileged_userfaultfd / userfaultfd() restricts unprivileged users to handling faults in user space | [77] [80] |
| Linux 5.13 | randomize kernel stack offset on each syscall | [56] [57] |
| Linux 5.13 | /dev/kmem removed entirely | [58] [59] [60] |
| Linux 5.14 | kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches not mergeable (again) with other special-purpose caches. | [93] [94] |
| Linux TBD | Function Granular KASLR (FGKASLR) | [48] [49] [76] [78] [89] |
| Linux XXX | SLAB_RANDOM (or slab_rand?) | XXX |
| Linux XXX | SLAB_HARDENED | XXX |
| Linux XXX | CONFIG_SLAB_MERGE_DEFAULT | XXX |
| Linux XXX | CONFIG_SHUFFLE_PAGE_ALLOCATOR | XXX |
| Linux TBD | Randomized slab caches for kmalloc() | [95] |
| Ubuntu 24.04 | Unprivileged user namespace restrictions | [96] [97] |

[1]: https://grsecurity.net/
[2]: https://github.com/hardenedlinux/hardenedlinux_profiles
[3]: http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield
[4]: https://lwn.net/Articles/422487/
[5]: https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
[6]: https://wiki.debian.org/mmap_min_addr
[7]: https://lwn.net/Articles/342330/
[8]: https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
[9]: https://marc.info/?l=linux-kernel&m=129306980917336&w=2
[10]: https://sysctl-explorer.net/kernel/kptr_restrict/
[11]: https://wiki.archlinux.org/index.php/Security#Restricting_access_to_kernel_pointers_in_the_proc_filesystem
[12]: https://marc.info/?l=linux-kernel&m=128943183202231&w=2
[13]: https://wiki.archlinux.org/index.php/Security#Restricting_access_to_kernel_logs
[14]: https://www.cyberciti.biz/faq/how-to-prevent-unprivileged-users-from-viewing-dmesg-command-output-on-linux/
[15]: https://xairy.github.io/blog/2016/cve-2016-2384
[16]: https://web.archive.org/web/20160803075007/https://www.ncsi.com/nsatc11/presentations/wednesday/emerging_technologies/fischer.pdf
[17]: http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
[18]: https://patents.google.com/patent/US20150199198A1/en
[19]: https://xairy.github.io/blog/2016/cve-2016-2384
[20]: https://lwn.net/Articles/517251/
[21]: https://grsecurity.net/recent_arm_security_improvements
[22]: https://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/
[23]: https://patchwork.kernel.org/patch/5151581/
[24]: https://lwn.net/Articles/569635/
[25]: https://lwn.net/Articles/444556/
[26]: https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/
[27]: https://www.openwall.com/lkrg/
[28]: https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/the-armv8-a-architecture-and-its-ongoing-development
[29]: https://outflux.net/blog/archives/2017/09/05/security-things-in-linux-v4-13/
[30]: https://github.com/IAIK/KAISER
[31]: https://lwn.net/Articles/738975/
[32]: https://outflux.net/blog/archives/2018/01/04/smep-emulation-in-pti/
[33]: https://outflux.net/blog/archives/2018/02/05/security-things-in-linux-v4-15/
[34]: https://lwn.net/Articles/741878/
[35]: https://lwn.net/Articles/752621/
[36]: https://twitter.com/grsecurity/status/998892187185221635
[37]: https://twitter.com/grsecurity/status/1022068465434279937
[38]: https://www.spinics.net/lists/stable/msg214223.html
[39]: https://twitter.com/kees_cook/status/1031722563267977216
[40]: https://outflux.net/blog/archives/2018/08/20/security-things-in-linux-v4-18/
[41]: https://twitter.com/kees_cook/status/1031722563267977216
[42]: https://www.phoronix.com/scan.php?page=news_item&px=Linux-Protect-Special-CR4-Bits
[43]: https://www.openwall.com/lists/kernel-hardening/2019/02/26/1
[44]: https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
[45]: https://twitter.com/kees_cook/status/1195154558126903297
[46]: https://lwn.net/ml/linux-arm-kernel/1571300065-10236-1-git-send-email-amit.kachhap@arm.com/
[47]: https://twitter.com/_trou_/status/1196768017222373378
[48]: https://lore.kernel.org/kernel-hardening/20200205223950.1212394-1-kristen@linux.intel.com/
[49]: https://twitter.com/kees_cook/status/1225316867956301826
[50]: https://twitter.com/kees_cook/status/1242551634934116352
[51]: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/T/#md9206ba41595ae0f8c56f6b319d68580a9f3d804
[52]: https://twitter.com/kees_cook/status/1379215650887901190
[53]: https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/
[54]: https://twitter.com/Openwall/status/1381707683351441412
[55]: https://www.openwall.com/lists/announce/2021/04/12/1
[56]: https://twitter.com/kernellogger/status/1387065275376410628
[57]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eea2647e74cd7bd5d04861ce55fa502de165de14
[58]: https://twitter.com/kernellogger/status/1392107920410742785
[59]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bbcd53c960713507ae764bf81970651b5577b95a
[60]: https://lwn.net/Articles/851531/
[61]: https://twitter.com/kees_cook/status/1407145810823835649
[62]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9196436ab2f713b823a2ba2024cb69f40b2f54a5
[63]: https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/
[64]: https://thenewstack.io/linux-kernel-finally-gets-its-lockdown/
[65]: https://mjg59.dreamwidth.org/55105.html
[66]: https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-bonito-4.9-android10/Documentation/hw-vuln/multihit.rst
[67]: https://www.phoronix.com/scan.php?page=news_item&px=iITLB-Multihit-TAA-Kernel-Code
[68]: https://www.kernel.org/doc/html/v5.4/admin-guide/hw-vuln/multihit.html
[69]: https://www.kernel.org/doc/html/v5.4/admin-guide/hw-vuln/tsx_async_abort.html
[70]: https://access.redhat.com/articles/tsx-asynchronousabort
[71]: https://seclists.org/oss-sec/2019/q4/67
[72]: https://blog.linuxplumbersconf.org/2016/ocw/system/presentations/3711/original/LPC_vDSO.pdf
[73]: https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
[74]: https://github.com/openwall/lkrg
[75]: https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf
[76]: https://lwn.net/Articles/824307/
[77]: https://kernelnewbies.org/Linux_5.11#Core_.28various.29
[78]: https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.16-Preps-For-FGKASLR
[79]: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html
[80]: https://lwn.net/Articles/819834/
[81]: https://patchwork.kernel.org/project/linux-fsdevel/patch/20190319030722.12441-2-peterx@redhat.com/#22602327
[82]: https://www.kernel.org/doc/Documentation/sysctl/vm.txt
[83]: https://mxatone.medium.com/randomizing-the-linux-kernel-heap-freelists-b899bb99c767
[84]: https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
[85]: https://lwn.net/Articles/685047/
[86]: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
[87]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09fc68dc66f7597bdc8898c991609a48f061bed5
[88]: https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
[89]: https://lore.kernel.org/linux-mm/202003051624.AAAC9AECC@keescook/t/
[90]: https://www.willsroot.io/2022/01/cve-2022-0185.html
[91]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce
[92]: https://outflux.net/blog/archives/2017/05/02/security-things-in-linux-v4-11/
[93]: https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022
[94]: http://twitter.com/andreyknvl/status/1534622298593951746
[95]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c6152940584290668b35fa0800026f6a1ae05fe
[96]: https://x.com/andreyknvl/status/1792301207651783021
[97]: https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890
--------------------------------------------------------------------------------
/office_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Microsoft Office versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| ? | Protected View | ? |
| Office 2016 (version ?) | Flash, Silverlight, and Shockwave controls blocked by default | [1][1] |

[1]: https://support.office.com/en-us/article/flash-silverlight-and-shockwave-controls-blocked-in-office-2016-55738f12-a01d-420e-a533-7cef1ff6aeb1

--------------------------------------------------------------------------------
/openbsd_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all OpenBSD versions.

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| ? | DEP | ? |
| ? | ASLR | ? |
| >= OpenBSD 5.7 | Removed procfs entirely | [8][8] [9][9] [10][10] |
| >= OpenBSD 5.9 | Pledge — restrict system operations | [1][1] |
| >= OpenBSD 6.4 | RETGUARD to clang/amd64 | [2][2] |
| OpenBSD ??? | int03 added to prologues to "disable" ROP gadgets | [2][2] |
| OpenBSD 6.4 | Disable Intel Hyper Threading | [2][2] [4][4] [5][5] [6][6] [7][7] |
| OpenBSD 6.4? | Misc. mitigations against speculative execution vulnerabilities | [3][3] |

[1]: https://man.openbsd.org/pledge.2
[2]: https://marc.info/?l=openbsd-cvs&m=152824407931917&w=2
[3]: http://undeadly.org/cgi?action=article;sid=20180724072257
[4]: https://www.blackhat.com/us-18/briefings/schedule/#tlbleed-when-protecting-your-cpu-caches-is-not-enough-10149
[5]: https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html
[6]: https://twitter.com/cynicalsecurity/status/1009298428361310208
[7]: https://twitter.com/phessler/status/1009459628915281920
[8]: https://www.openbsd.org/plus57.html
[9]: https://github.com/golang/go/issues/19453#issuecomment-285106970
[10]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/mount_procfs/
--------------------------------------------------------------------------------
/solaris_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Solaris versions.

| Version (and date) | Mitigation | Platform | References |
|--------------------|------------|----------|-------------------------------|
| 2.6 (07/1997) | System-wide setting for non-executable stack (noexec_user_stack, NXSTACK) | SPARC | [1][1] [2][2] [3][3] |
| 7 (11/1998) | Separate kernel and user address space (KPTI) | SPARC (sun4u) | [4][4] |
| 9 (05/2002) | Link-time setting for non-executable stack (PT_SUNWSTACK) | SPARC | [5][5] |
| 10 (03/2005) | Link-time setting for non-executable stack (PT_SUNWSTACK) | x64 | [5][5] |
| 10 (03/2005) | System-wide setting for non-executable stack (noexec_user_stack, NXSTACK) | x64 | [1][1] |
| 10 (03/2005) | PRIV_PROC_INFO & PRIV_PROC_SESSION privileges to limit procfs access | All | [24][24] |
| 11.0.0 (11/2011) | Immutable non-global zones | All | [19][19] |
| 11.1.0 (10/2012), 10U11 (01/2013) | Supervisor Mode Execution Prevention (SMEP) | Intel | [6][6] |
| 11.1.0 (10/2012) | Address Space Layout Randomization (ASLR) | All | [1][1] [6][6] |
| 11.1.0 (10/2012) | sxadm tool to manage mitigations | All | [1][1] [6][6] |
| 11.2.0 (07/2014) | Immutable global zone | All | [20][20] |
| 11.2.0 (07/2014) | Verified Boot | SPARC | [21][21] |
| 11.2.8 (04/2015) | Application Data Integrity (ADI) | SPARC | [7][7] [8][8] [9][9] |
| 11.3.0 (10/2015) | Non-executable heap (NXHEAP) | All | [1][1] [10][10] [11][11] |
| 11.3.31 (04/2018) | Spectre V1 | All | [16][16] |
| 11.4.0 (08/2018) | ADI checking for kernel heap (KADI) | SPARC | [1][1] [12][12] |
| 11.4.0 (08/2018) | ADI checking for program heap (ADIHEAP) | SPARC | [1][1] [12][12] [13][13] [14][14] [18][18] |
| 11.4.0 (08/2018) | ADI checking for stack (ADISTACK) | SPARC | [1][1] [12][12] [13][13] [15][15] |
| 11.4.0 (08/2018) | Spectre V2 (IBPB, IBRS) | Intel | [1][1] [17][17] |
| 11.4.0 (08/2018) | Kernel Page Table Isolation (KPTI) | Intel | [1][1] [17][17] |
| 11.4.0 (08/2018) | Supervisor Mode Access Prevention (SMAP) | Intel | [1][1] |
| 11.4.0 (08/2018) | Application Sandboxing | All | [22][22] [23][23] |
| 11.4.3 (11/2018) | Level 1 Data Cache Flush (L1DF) | Intel | [1][1] [17][17] |
| 11.4.3 (11/2018) | Speculative Store Bypass Disable (SSBD) | Intel | [1][1] [17][17] |
| 11.4.5 (01/2019) | PRIV_PROC_SELF privilege to further limit procfs access | All | [24][24] |
| 11.4.15 (11/2019) | Microarchitectural Data Sampling Avoidance (MD_CLEAR) | Intel | [1][1] [17][17] |
| 11.4.18 (02/2020) | Return Stack Buffer Speculation Mitigation (RSBS) | All | [1][1] [17][17] |
| 11.4.21 (05/2020) | IFU Mitigation (CVE-2018-12207) | Intel | [1][1] [17][17] |
| 11.4.25 (09/2020) | TSX Disabled (TSX_DISABLE) | Intel | [1][1] [17][17] |
| 11.4.30 (02/2021) | User-Mode Instruction Prevention (UMIP) | Intel | [1][1] |
| 11.4.42 (02/2022) | Kernel Page Table Isolation (KPTI) | AMD | [1][1] |

The following mitigations are implemented in hardware, microcode, or firmware; the
entries below reflect when they were made visible as read-only extensions in
sxadm. They may already be in effect, but not visible, on earlier OS versions
running on top of mitigated hardware, microcode, or firmware.

| Version (and date) | Mitigation | Platform | References |
|--------------------|------------|----------|-------------------------------|
| 11.4.0 (08/2018) | Spectre V2 (HW_BTI) | SPARC | [1][1] [17][17] |
| 11.4.5 (01/2019) | Speculative Store Bypass Disable (SSBD) | SPARC | [1][1] [17][17] |
| 11.4.9 (05/2019) | Rogue Data Cache (Meltdown) Avoidance (RDCL_NO) | Intel | [1][1] [17][17] |
| 11.4.15 (11/2019) | Microarchitectural Data Sampling Avoidance (MDS_NO) | Intel | [1][1] [17][17] |
| 11.4.21 (05/2020) | IFU Hardware Mitigation (IF_PSCHANGE_MC_NO) | Intel | [1][1] [17][17] |
| 11.4.25 (09/2020) | TSX Asynchronous Abort (TAA) Hardware Avoidance (TAA_NO) | Intel | [1][1] [17][17] |

[1]: https://docs.oracle.com/cd/E88353_01/html/E72487/sxadm-8.html
[2]: https://docs.oracle.com/cd/E19455-01/806-6779/appendixa-21/index.html
[3]: https://docs.oracle.com/cd/E37838_01/html/E61034/chapter2-2.html#OSTUNchapter2-26
[4]: https://www.google.com/books/edition/_/r_cecYD4AKkC
[5]: https://docs.oracle.com/cd/E19683-01/816-1386/chapter6-83432/index.html
[6]: https://www.oracle.com/technetwork/server-storage/solaris11/documentation/solaris11-1-whatsnew-1732377.pdf
[7]: https://docs.oracle.com/cd/E37069_01/html/E37085/gphwb.html
[8]: https://lazytyped.blogspot.com/2017/09/getting-started-with-adi.html
[9]: https://lazytyped.blogspot.com/2016/12/hardening-allocators-with-adi.html
[10]: https://blogs.oracle.com/solaris/post/new-security-extensions-in-oracle-solaris-113
[11]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-nx.html#scrolltoc
[12]: https://docs.oracle.com/cd/E37838_01/html/E61059/gqajs.html
[13]: https://lazytyped.blogspot.com/2017/09/adi-vs-rop.html
[14]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-adiheap.html#scrolltoc
[15]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-adistack.html#scrolltoc
[16]: https://blogs.oracle.com/solaris/post/oracle-solaris-113-sru-31
[17]: https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-platformsx.html#scrolltoc
[18]: https://lazytyped.blogspot.com/2018/02/libcmalloc-meets-adiheap.html
[19]: https://docs.oracle.com/cd/E23824_01/html/821-1460/glglv.html#scrolltoc
[20]: https://docs.oracle.com/cd/E36784_01/html/E52463/golmb.html
[21]: https://docs.oracle.com/cd/E36784_01/html/E52463/goioe.html#scrolltoc
[22]: https://blogs.oracle.com/solaris/post/application-sandboxing-in-oracle-solaris-114
[23]: http://blog.moellenkamp.org/archives/39-Labeled-Sandboxes.html
[24]: https://docs.oracle.com/cd/E88353_01/html/E37853/privileges-7.html
--------------------------------------------------------------------------------
/windows_mitigations.md:
--------------------------------------------------------------------------------
We list mitigations added in all Windows versions (from Windows XP up to the latest Windows 10).

| Version (and date) | Mitigation | References |
|--------------------|------------|------------------------------------------|
| >= Windows XP SP2 and >= Windows Server 2003 SP1 | DEP in userland and kernel land | [1] [2] [167] |
| >= Windows XP SP2 and >= Windows Server 2003 SP1 | Non-executable SharedUserData | [3] |
| >= Windows Vista | Integrity Levels (IL) | [4] |
| >= Windows Vista | ASLR | [5] [5-2] [167] |
| >= Windows Vista | User-Mode Driver Framework (now in WDF) to be able to write user space only drivers | [208] [209] [210] [211] |
| >= Windows XP SP2 with physical memory 508MB+ or >= Windows Vista | Delayed free list | [158] [153] [154] [155] [156] |
| Any 64-bit Windows | PagedPool is ReadWrite only (NX enabled) | [185] [186] |
| >= Windows Vista | SMB default configuration does not allow anonymous login to named pipes | [6] |
| Visual Studio 2003 >= XXX | SafeSEH | [7] [190] |
| Visual Studio 2003 >= XXX | GS stack cookie protection | [194] [195] |
| >= Windows Server 2008 (enabled by default) and >= Windows Vista SP1 (disabled by default). Disabled by default on workstation < Windows 10 v1709 and enabled by default on server versions. | Structured Exception Handling Overwrite Protector (SEHOP) | [191] [7] [8] [192] [193] |
| >= Internet Explorer 7 and >= Windows Vista | Protected Mode (PM) - Low IL | [9] |
| Windows Vista? 7? | Kernel ASLR (KASLR) | [10] [11] [160] |
| >= Internet Explorer 10 and >= Windows 8 | Enhanced Protected Mode (EPM) - AppContainer | [12] [13] [14] |
| >= Internet Explorer 10 and >= Windows 8 | ForceASLR | [15] |
| >= Windows 8, 64-bit processes | High Entropy ASLR (HEASLR) | [16] [17] |
| >= Internet Explorer 10 and >= Windows 8 | VTGuard | [18] [19] |
| Windows 7 | Safe Unlinking in the kernel pool allocator | [20] |
| Windows 8 or 8.1? | No-Execute (NX) Page Table Entries (PTE) | [159] |
| Windows 8 | Safe Unlinking in the linked lists used in the kernel | [21] [22] |
| >= Windows 8 | SMB default configuration does not allow anonymous login to IPC$ (IPC$ may be accessible but most commands cannot be used) | [23] |
| Windows 8 | Supervisor Mode Execution Prevention (SMEP) | [24] [149] [150] [151] [167] |
| Windows 8 32-bit/64-bit and backported to Vista+ 64-bit | NULL page mitigation | [25] [26] [27] [28] [29] [170] |
| Windows 8/8.1 (Server 2012) - patch XXX?? | HAL non-executable (NX) | [30] |
| Windows 8 | No-Execute (NX) Nonpaged Pool | [31] [32] [33] |
| <= Internet Explorer 10 | Memory Protector (MP) | [34] |
| Edge and Internet Explorer 11 | MemGC | [35] |
| >= Windows 8.1 | ObTypeIndexTable Index 0 hardening | [36] |
| >= Windows 8.1 32-bit/64-bit (update KB3000850) or >= Office 16.0.7341.2032 or compiled with >= VS2015 | Control Flow Guard (CFG) a.k.a. Forward-edge CFI (Integrity) | [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [146] [166] [167] [168] [198] [199] [206] |
| ? | Isolated Heap (only HTML/SVG/etc. elements accessible from JS, not helper/smaller objects) | [51] |
| >= Edge and Windows 10 v??? | Win32k syscall filter | [52] [53] [54] [55] [56] [57] [58] [59] [60] |
| Windows Vista | Kernel-Mode Code Signing (KMCS) a.k.a. Digital Driver Signing | [147] [164] |
| Windows Vista | Kernel Patch Protection (KPP) a.k.a. PatchGuard | [148] |
| Windows 10 1703 or 1607 >= 14332 (August 2016) | Page Table Entry (PTE) location randomized (full KASLR) | [61] [62] [63] [64] [65] [180] [180-2] |
| >= Windows 10 1809 (Pro/Enterprise) and >= Edge 77 | Application Guard for Edge | [66] [67] [207] |
| Windows 10/Edge >= XX/XX/2016??? | Virtual Machines (VM) for Edge | [68] |
| Windows 10 >= XX/XX/2016??? | Services process isolation (out of SVCHOST.EXE) | [69] |
| Windows 10 >= XX/XX/2016??? | Shadow stack | [70] [71] |
| Windows 10/Edge >= XX/XX/2016??? | Prohibit dynamic code (VirtualAlloc RWX) | [72] [73] |
| Windows 10/Office 2016 (Version 16.11 Build 7571.2075) | Forbid creation of child processes | [74] |
| Windows 10/Edge | Out-of-process JIT | [75] [76] |
| Windows 10 v1607 (Build 14393) | NULL SecurityDescriptor kernel mitigation | [77] [78] |
| Windows 10 (Build 15002) | Exports are invalid CFG indirect call (icall) targets | [79] |
| Windows 10 (Build 15021 / Removed in Build 15031) | Return Flow Guard (RFG) | [80] [81] [82] [83] [84] |
| Windows 10 (Build 15025) | Strict CFG | [85] [86] |
| Windows 10 (Build 1703 Creators Update) | kCFG | [87] [152] |
| Windows 10 (Build ?) | Font parsing restricted to AppContainer | [88] [89] |
| Windows 10 (Build 16179) | Break LFH deterministic layouts | [90] [91] [188] [188-2] |
| Windows 10 64-bit (1703 Creators Update) (April 2017) | HAL randomized / No HAL Heap static mapping | [92] [93] |
| Internet Explorer 11 | Disable VBScript | [94] [95] [96] |
| Windows 10 (1703 Creators Update) | Arbitrary Code Guard (ACG). Enabled with PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON; enabled by default in Edge only under certain conditions | [97] [98] [99] [180] [180-2] [213] |
| Windows 10 (16215) | Arbitrary Code Guard and Code Integrity Guard for most svchost.exe | [100] |
| Windows 10 (16215) | Isolated kernel stacks | [101] |
| Windows 10 (?) | BufferedIO output buffer is always zeroed | [102] [103] |
| Windows 10 RS3 (?) | EMET mitigations added to Win10 (Windows Defender Exploit Guard, etc.) | [104] [105] [106] [107] |
| Windows 10 RS4 | Split kernel/page directory tables | [108] [109] [110] |
| Windows 10 ??? | Fonts in userland and appcontainerized | [111] |
| Windows 10 RS4 (17063) | SGX2 Support (EAUG, EMODPR, etc.) | [112] |
| Windows 10 ??? | Kernel Virtual Address (KVA) Shadow (== KPTI) | [113] [114] [172] [172-2] |
| Windows 10 ??? | Mitigations for speculative execution side channel vulnerabilities | [115] |
| Visual Studio 2017 version 15.5.5 or 15.6 Preview 4? | /Qspectre compiler option | [116] [117] |
| Windows 10 build 17692 (fast ring) (June 2018) | WPAD JavaScript sandboxing in AppContainer | [118] |
| Windows 10 Redstone 5 (June 2018) | Virtualization Based Security (VBS) enables Hypervisor Code Integrity (HVCI) and Driver Signature Enforcement (DSE) => block Capcom rootkit/other drivers | [119] [180] [180-2] |
| Windows 10 Build 17723 (Fast Ring) and 18204 (Skip Ahead) | Heap-backed pool allocator (with randomization) | [120] |
| Windows 10 Build 19H1 | Limited Supervisor Mode Access Prevention (SMAP) in paths handling DISPATCH_LEVEL + interrupts | [121] [122] |
| Windows 10, version 1703 | Sandboxed Windows Defender (opt-in) | [123] [124] |
| >= Windows 10 v1709 | Structured Exception Handling Overwrite Protector (SEHOP) enabled by default | [193] |
| Windows 10 WIP Fast build or compiled with /kernel | InitAll compiler feature. No uninitialized Plain-old-data (POD) structs on the stack | [125] [126] [163] |
| Windows 10 Fall Creators Update (2017) | VBScript execution disabled in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default | [127] [128] |
| Windows 10 Pro or Enterprise Insider build 18305 | Windows Sandbox (run any application in isolation) | [129] [130] |
| Windows 10 build ??? (after 16299) | Windows Object Type encoding | [131] [132] |
| Windows 10 build ??? | eXtended Control Flow Guard (XFG): validates call targets by a hash of the target type | [133] [134] [180] [180-2] [181] [181-2] [183] [183-2] [204] [214] [222] [223] |
| Windows 10 build 17672 | Kernel pool moving towards Low Fragmentation Heap algorithm | [135] [136] |
| Windows 10 1809 build ??? | Threat-Intelligence Kernel APC Injection Sensor | [137] [138] [139] |
| Windows Insider Flight 18980 | Kernel-mode and Hyper-V automatic initialization of scalars (pointers, int, etc.) | [140] |
| Windows 10 ??? (Oct 2019) | Virtualization Based Security (VBS) enabled by default | [141] [142] [180] [180-2] |
| Windows 10 1607 | tagWND.strName primitive mitigation | [144] |
| Windows 10 1709 | win32k object type isolation | [215] [216] [217] |
| Windows 10 1803 | win32k tagWND additional r/w primitive removal | [215] |
| Windows 10 1809 | win32k desktop heap user/kernel separation | [215] |
| Windows 10 1809 | kLFH (disabled by default) | [143] |
| Windows 10 1903 | kLFH (enabled by default) | [218] |
| Windows 10 1903 | Userland Control-flow Enforcement Technology (CET) | [200] [201] [202] [203] |
| Windows 10 March 2020 | Hardlink mitigation (requires FILE_WRITE_ATTRIBUTES) | [157] |
| Windows 10 May 2020 and supported hardware | eXtended Flow Guard (XFG) (improved CFG) forward-edge CFI, can use Intel CET shadow stacks (only on supported hardware) | [145] [161] [161-2] [161-3] [165-2] [214] |
| Windows 10 ??? | No Uninitialized Stack | [162] [162-2] |
| Windows 10 ??? | Extreme Flow Guard (xFG) | [165] [165-2] [180] [180-2] [214] |
| Windows 10 21H1 | Kernel Data Protection (KDP) | [165] [165-2] [174] [174-2] [175] [175-2] [177] [177-2] |
| Windows 10 ??? | Vulnerable driver blocking | [169] |
| Windows 10 ??? | Zeroed kernel pool allocation | [171] [173] [173-2] [179] [182] [182-2] [187] [187-2] |
| Windows 10 21H1 | Authenticated Pointers (PAC) on ARM64 | [176] |
| Windows 10 21H1 | Dynamic relocations to allow user shared data to be relocated | [176] |
| Windows 10 21H1 | Kernel Mode TLS (Thread Local Storage) with PsTls* APIs | [176] |
| Windows 10 21H1 | Kernel Control-flow Enforcement Technology (CET) | [176] [180] [180-2] |
| Visual Studio 2019 ??? | ASan support for MSVC | [196] [197] |
| Windows 10 ??? | Supervisor Mode Access Prevention (SMAP) | [178] [178-2] |
| Windows 10 ??? | Randomized mapping of VTL0's KUSER_SHARED_DATA in ring0 VTL1 | [184] [189] |
| Windows 10 ??? | Require graphics driver developers to write user space only drivers | [208] |
| Windows 11 (Build 22000) | Allows not following symlinks for mount points (not default yet) | [202] |
| Windows 11 (Build ???) | XTENDED_CONTROL_FLOW_GUARD, POINTER_AUTH_USER_IP, REDIRECTION_TRUST | [212] |
| Windows 10 / Windows Server 2016 and 2019 | Keyboard and mouse disabled in session 0 | [219] [220] |
| Windows 10 1803 / Windows 11 / Windows Server 2019 and 2022 | Interactive Services Detection Service (UI0Detect) binaries removed | [221] |

[1]: https://web.archive.org/web/20160114050453/https://support.microsoft.com/en-us/kb/875352
[2]: http://www.alex-ionescu.com/?p=231
[3]: http://www.uninformed.org/?v=3&a=4&t=sumry
[4]: https://msdn.microsoft.com/en-us/library/bb625964.aspx
[5]: http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf (dead)
[5-2]: https://web.archive.org/web/20190715102700/http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf
[6]: https://github.com/worawit/MS17-010/blob/master/BUG.txt#L324
[7]: https://web.archive.org/web/20160306082550/http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
[8]: http://blogs.technet.com/b/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows-7.aspx
[9]: https://blogs.msdn.microsoft.com/ie/2006/02/09/protected-mode-in-vista-ie7/
[10]: https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/
[11]: https://www.coresecurity.com/blog/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-1
[12]: https://securityintelligence.com/internet-explorer-ie-10-enhanced-protected-mode-epm-sandbox-research
[13]: https://www.blackhat.com/docs/asia-14/materials/Yason/WP-Asia-14-Yason-Diving-Into-IE10s-Enhanced-Protected-Mode-Sandbox.pdf
[14]: http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx
[15]: https://blogs.msdn.microsoft.com/ie/2012/03/12/enhanced-memory-protections-in-ie10/
[16]: https://blogs.msdn.microsoft.com/ie/2012/03/12/enhanced-memory-protections-in-ie10/
[17]: https://twitter.com/epakskape/status/1116415990064197632
[18]: https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
[19]: https://web.archive.org/web/20160408052558/http://download.microsoft.com/download/F/D/F/FDFBE532-91F2-4216-9916-2620967CEAF4/Software%20Vulnerability%20Exploitation%20Trends.pdf
[20]: https://msrc-blog.microsoft.com/2009/05/26/safe-unlinking-in-the-kernel-pool/
[21]: https://labs.nettitude.com/blog/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver/
[22]: https://msrc-blog.microsoft.com/2013/11/06/software-defense-safe-unlinking-and-reference-count-hardening/
[23]: https://github.com/worawit/MS17-010/blob/master/BUG.txt#L380
[24]: https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/
[25]: https://seclists.org/fulldisclosure/2014/May/112
[26]: http://www.mista.nu/research/nullpage.pdf
[27]: https://blogs.technet.microsoft.com/srd/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit/
[28]: http://www.ivanlef0u.tuxfamily.org/?p=355
[29]: https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/
[30]: https://www.risksense.com/wp-content/uploads/2018/05/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
[31]: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/no-execute-nonpaged-pool
[32]: https://github.com/worawit/MS17-010/blob/master/BUG.txt#L447
[33]: http://www.alex-ionescu.com/?p=231
[34]: http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitability-of-ie-edge-crashes.aspx
[35]: http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitability-of-ie-edge-crashes.aspx
[36]: http://powerofcommunity.net/poc2018/nikita.pdf
[37]: https://blogs.msdn.microsoft.com/vcblog/2014/12/08/visual-studio-2015-preview-work-in-progress-security-feature/
[38]: http://www.powerofcommunity.net/poc2014/mj0011.pdf
[39]: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively.pdf
[40]: https://twitter.com/secbughunter/status/779022926481793025
[41]: https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
[42]: https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/
[43]: https://improsec.com/blog//bypassing-control-flow-guard-in-windows-10
[44]: https://twitter.com/Blomster81/status/823574428579725312
[45]: https://improsec.com/blog//bypassing-control-flow-guard-on-windows-10-part-ii
[46]: http://lucasg.github.io/2017/02/05/Control-Flow-Guard/
[47]: https://medium.com/@mxatone/mitigation-bounty-introduction-e629168faaa3
[48]: https://medium.com/@mxatone/mitigation-bounty-from-read-write-anywhere-to-controllable-calls-ca1b9c7c0130
[49]: https://medium.com/@mxatone/mitigation-bounty-4-techniques-to-bypass-mitigations-2d0970147f83
[50]: https://github.com/mxatone/mitigation-bounty
[51]: https://twitter.com/ifsecure/status/1047935536210632706
[52]: https://twitter.com/tiraniddo/status/719574422286430209
[53]: https://twitter.com/Blomster81/status/831139824044212224
[54]: https://improsec.com/blog//win32k-system-call-filtering-deep-dive
[55]: https://twitter.com/real_redp/status/885532386930327552
[56]: http://redplait.blogspot.co.uk/2017/07/win32k-calls-filtering-on-w10.html
[57]: https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect
[58]: https://github.com/CENSUS/windows_10_rs2_rs3_exploitation_primitives
[59]: https://census-labs.com/media/windows_10_rs2_rs3_exploitation_primitives.pdf
[60]: https://www.slideshare.net/PeterHlavaty/rainbow-over-the-windows-more-colors-than-you-could-expect
[61]: https://twitter.com/aionescu/status/725388108187852800
[62]: http://www.alex-ionescu.com/?p=323
[63]: https://twitter.com/epakskape/status/864882030110138369
[64]: https://twitter.com/codemachineinc/status/878795088201224192
[65]: https://www.risksense.com/wp-content/uploads/2018/05/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
[66]: https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
[67]: https://twitter.com/fdfalcon/status/781146017299304448
[68]: https://blogs.windows.com/msedgedev/2015/08/17/windows-10-virtual-machines-now-available-on-microsoft-edge-dev/
[69]: http://www.bleepingcomputer.com/news/microsoft/windows-10-insider-preview-build-14942-for-pc-revamps-service-host/
[70]: https://twitter.com/deroko_/status/805129818840977408
[71]: http://deroko.phearless.org/shadow_stack.txt
[72]: https://twitter.com/epakskape/status/808903359855992832
[73]: https://twitter.com/dwizzzleMSFT/status/809436747310370816
[74]: https://twitter.com/epakskape/status/811354880078057472
[75]: https://twitter.com/epakskape/status/811653243981811713
[76]: https://github.com/Microsoft/ChakraCore/pull/1561
[77]: https://twitter.com/Danny__Wei/status/807797814864420864
[78]: https://labs.nettitude.com/blog/analysing-the-null-securitydescriptor-kernel-exploitation-mitigation-in-the-latest-windows-10-v1607-build-14393/
[79]: https://twitter.com/epakskape/status/818617656886497280
[80]: https://twitter.com/_fkz/status/828959029418459136
[81]: https://github.com/TheEragon/TinyReturnFlowGuard
[82]: https://twitter.com/epakskape/status/831172683358285824
[83]: https://twitter.com/epakskape/status/831178823391535104
[84]: https://eyalitkin.wordpress.com/2017/08/18/bypassing-return-flow-guard-rfg/
[85]: https://twitter.com/epakskape/status/827198236276371457
[86]: https://twitter.com/epakskape/status/827197694456139776
[87]: https://twitter.com/dwizzzleMSFT/status/853079695520284674
[88]: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10
[89]: https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/
[90]: https://github.com/saaramar/Deterministic_LFH
[91]: https://twitter.com/epakskape/status/857356958306676736
[92]: https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/
[93]: https://www.risksense.com/wp-content/uploads/2018/05/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
[94]: https://blogs.windows.com/msedgedev/2017/04/12/disabling-vbscript-execution-in-internet-explorer-11/
[95]: https://twitter.com/JosephBialek/status/1158854357279895552
[96]: https://blogs.windows.com/msedgedev/2019/08/02/update-disabling-vbscript-internet-explorer-windows-7-8/amp/?__twitter_impression=true
[97]: https://twitter.com/epakskape/status/862745436158697472
[98]: https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx
[99]: https://twitter.com/epakskape/status/862745436158697472
[100]: https://twitter.com/epakskape/status/873042557705478145
[101]: https://twitter.com/epakskape/status/875077002599911424
[102]: https://twitter.com/epakskape/status/875429831755800576
[103]: https://twitter.com/JosephBialek/status/875427627242209280
[104]: https://twitter.com/markwo/status/879759558830243840
[105]: https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/
[106]: https://twitter.com/aionescu/status/876482815784779777
[107]: https://twitter.com/epakskape/status/879702034403868672
[108]: https://twitter.com/aionescu/status/930233034908909568
[109]: https://twitter.com/aall86/status/930501861286797312
[110]: https://twitter.com/aionescu/status/930412525111296000
[111]: https://twitter.com/aionescu/status/930508620529152000
[112]: https://twitter.com/aionescu/status/943663406854184962?s=03
[113]: https://msrc-blog.microsoft.com/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/
[114]: https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html
[115]: https://msrc-blog.microsoft.com/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/
[116]: https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/
[117]: https://twitter.com/OSRDrivers/status/956629786037833730
[118]: https://twitter.com/epakskape/status/1007316208087994368
[119]: https://twitter.com/dwizzzleMSFT/status/1011333893302022146
[120]: https://twitter.com/epakskape/status/1022557117998231552
[121]: https://twitter.com/aionescu/status/1042445591861710848
[122]: https://twitter.com/epakskape/status/1042455403349471232
[123]: https://twitter.com/epakskape/status/1055881905961193472
[124]: https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
[125]: https://twitter.com/JosephBialek/status/1062774315098112001
[126]: https://twitter.com/aionescu/status/1066718242406891520
[127]: https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html
[128]: https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/#rwFwvJ9JSX18pj2h.97
[129]: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
[130]: https://twitter.com/_arkon/status/1084597049788649472
[131]: https://medium.com/@ashabdalhalim/a-light-on-windows-10s-object-header-typeindex-value-e8f907e7073a
[132]: https://phxtechsol.com/2018/09/27/skream-kernel-mode-exploits-mitigations-for-the-rest-of-us/
[133]: https://twitter.com/Liran_Alon/status/1134884485068201985
[134]: https://github.com/dwizzzle/Presentations/blob/master/Bluehat%20Shanghai%20-%20Advancing%20Windows%20Security.pdf
[135]: https://twitter.com/epakskape/status/997527812096475136
[136]: https://twitter.com/mamyun/status/1028086646049202176
[137]: https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/
[138]: https://medium.com/@philiptsukerman/bypassing-the-microsoft-windows-threat-intelligence-kernel-apc-injection-sensor-92266433e0b0
[139]: https://twitter.com/PhilipTsukerman/status/1176482333869957120
[140]: https://twitter.com/JosephBialek/status/1176982389802729472
[141]: https://twitter.com/aionescu/status/1179702939767595008
[142]: https://techcommunity.microsoft.com/t5/Virtualization/Virtualization-Based-Security-Enabled-by-Default/ba-p/890167
[143]: https://twitter.com/amarsaar/status/998649527681904640
[144]: https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/
[145]: https://twitter.com/dwizzzleMSFT/status/1198277219254038528
[146]: https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
[147]: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-
[148]: https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/
[149]: https://www.coresecurity.com/corelabs-research/publications/windows-smep-bypass-us
[150]: http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html
[151]: http://blog.ptsecurity.com/2012/09/bypassing-intel-smep-on-windows-8-x64.html
[152]: https://labs.bluefrostsecurity.de/blog/2020/01/07/cve-2019-1215-analysis-of-a-use-after-free-in-ws2ifsl/
[153]: http://www.uninformed.org/?v=10&a=2&t=pdf
[154]: https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-Slides.pdf
[155]: https://www.gatewatcher.com/en/news/blog/windows-kernel-pool-spraying
[156]: https://census-labs.com/media/windows_10_rs2_rs3_exploitation_primitives.pdf
[157]: https://twitter.com/epakskape/status/1237490441827713025
[158]:
https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf 267 | [159]: https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf 268 | [160]: https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit?pref=2&pli=1 "BypassAslrWin10.pdf" 269 | [161]: https://techcommunity.microsoft.com/t5/windows-kernel-internals/understanding-hardware-enforced-stack-protection/ba-p/1247815 270 | [161-2]: https://twitter.com/epakskape/status/1242481897692774400 271 | [161-3]: https://twitter.com/mamyun/status/1246316534206623746 272 | [162]: https://msrc-blog.microsoft.com/2020/05/13/solving-uninitialized-stack-memory-on-windows/ 273 | [162-2]: https://twitter.com/JosephBialek/status/1260616644721696769 274 | [163]: https://twitter.com/epakskape/status/1262444520144134154 275 | [164]: http://www.icas.no/no/filer/DisableDigitalDriverSigninginWindows7Vista.pdf 276 | [165]: https://twitter.com/PetriFeed/status/1283401869172367360 277 | [165-2]: https://petri.com/extreme-flow-guard-xfg-and-kernel-data-protection-kdp-coming-to-windows-10 278 | [166]: https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard 279 | [167]: https://www.crowdstrike.com/blog/state-of-exploit-development-part-1/ 280 | [168]: https://www.trendmicro.com/en_us/research/16/j/control-flow-guard-improvements-windows-10-anniversary-update.html 281 | [169]: https://twitter.com/dwizzzleMSFT/status/1267507875619848198 282 | [170]: https://twitter.com/waleedassar/status/1270550282695585792 283 | [171]: https://twitter.com/JosephBialek/status/1275912119301451777 284 | [172]: https://twitter.com/JosephBialek/status/1278050198611046401 285 | [172-2]: https://labs.bluefrostsecurity.de/blog/2020/06/30/meltdown-reloaded-breaking-windows-kaslr/ 286 | [173]: https://twitter.com/JosephBialek/status/1278749937811853312 287 | [173-2]: 
https://msrc-blog.microsoft.com/2020/07/02/solving-uninitialized-kernel-pool-memory-on-windows/ 288 | [174]: https://twitter.com/aall86/status/1280920343033507840 289 | [174-2]: https://www.microsoft.com/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/ 290 | [175]: https://twitter.com/zwclose/status/1281230678634487809 291 | [175-2]: https://twitter.com/daniel_bilar/status/1281302366231429121 292 | [176]: https://twitter.com/aionescu/status/1284171742940930049 293 | [177]: https://twitter.com/aionescu/status/1285225032344641536 294 | [177-2]: https://windows-internals.com/secure-pool/ 295 | [178]: https://twitter.com/AmarSaar/status/1285323905046065153 296 | [178-2]: https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Evaluating%20the%20feasibility%20of%20enabling%20SMAP%20for%20the%20Windows%20kernel.pdf 297 | [179]: https://community.osr.com/discussion/292216/serious-bug-in-exallocatepoolzero-in-wdk-2004 298 | [180]: https://twitter.com/33y0re/status/1296575402719301633 299 | [180-2]: https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/ 300 | [181]: https://twitter.com/33y0re/status/1297546151034576903 301 | [181-2]: https://connormcgarr.github.io/examining-xfg/ 302 | [182]: https://www.osr.com/blog/2020/07/14/bug-in-new-function-exallocatepoolzero-results-in-security-vulnerability-and-crashes/ 303 | [182-2]: https://twitter.com/0vercl0k/status/1313348326515974145 304 | [183]: https://twitter.com/fdfalcon/status/1326916465027657728 305 | [183-2]: https://blog.quarkslab.com/how-the-msvc-compiler-generates-xfg-function-prototype-hashes.html 306 | [184]: https://twitter.com/AmarSaar/status/1331744299575341061 307 | [185]: https://community.osr.com/discussion/280354/windows-kernel-writeable-and-executable-pages 308 | [186]: https://bsodtutorials.wordpress.com/2013/12/16/virtual-to-physical-address-translation-part-2/ 309 | [187]: 
https://twitter.com/OSRDrivers/status/1347561423166169089 310 | [187-2]: https://www.osr.com/blog/2021/01/07/mitigations-exallocatepoolzero-security-vulnerability/ 311 | [188]: https://twitter.com/AmarSaar/status/1357000851013910528 312 | [188-2]: https://github.com/saaramar/Deterministic_LFH 313 | [189]: https://twitter.com/AmarSaar/status/1365793698777300998 314 | [190]: https://web.archive.org/web/20160422073331/https://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx 315 | [191]: https://dl.packetstormsecurity.net/papers/bypass/defeating-w2k3-stack-protection.pdf 316 | [192]: https://support.microsoft.com/en-us/topic/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems-8d4595f7-827f-72ee-8c34-fa8e0fe7b915 317 | [193]: https://securityboulevard.com/2020/12/a-modern-exploration-of-windows-memory-corruption-exploits-part-i-stack-overflows/ 318 | [194]: https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?redirectedfrom=MSDN&view=msvc-160 319 | [195]: https://msrc-blog.microsoft.com/2009/03/16/gs-cookie-protection-effectiveness-and-limitations/ 320 | [196]: https://twitter.com/dwizzzleMSFT/status/1187047446867636225 321 | [197]: https://devblogs.microsoft.com/cppblog/addresssanitizer-asan-for-windows-with-msvc/ 322 | [198]: https://twitter.com/0vercl0k/status/1381486982753320960 323 | [199]: https://iamelli0t.github.io/2021/04/10/RPC-Bypass-CFG 324 | [200]: https://windows-internals.com/cet-on-windows/ 325 | [201]: https://windows-internals.com/cet-updates-cet-on-xanax/ 326 | [202]: https://twitter.com/Blomster81/status/1387783529350770689 327 | [203]: https://www.offensive-security.com/offsec/intel-cet-in-action/ 328 | [204]: https://www.offensive-security.com/offsec/extended-flow-guard/ 329 | [205]: https://twitter.com/tiraniddo/status/1416973591279661056 330 | [206]: https://msrc-blog.microsoft.com/2020/08/17/control-flow-guard-for-clang-llvm-and-rust/ 331 | [207]: 
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-defender-application-guard 332 | [208]: https://docs.microsoft.com/en-us/windows-hardware/drivers/display/user-mode-display-drivers 333 | [209]: https://github.com/microsoft/Windows-Driver-Frameworks 334 | [210]: https://docs.microsoft.com/en-us/windows-hardware/drivers/wdf/overview-of-the-umdf 335 | [211]: https://channel9.msdn.com/Blogs/Charles/Peter-Wieland-User-Mode-Driver-Framework 336 | [212]: https://web.archive.org/web/20210729235750/https://twitter.com/mavillon1/status/1420896368818806788 337 | [213]: https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/ 338 | [214]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE37dMC 339 | [215]: https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/ 340 | [216]: https://conference.hitb.org/hitbsecconf2018ams/materials/D1%20COMMSEC%20-%20Saif%20Elsherei%20and%20Ian%20Kronquist%20-%20The%20Life%20&%20Death%20of%20Kernel%20Object%20Abuse.pdf 341 | [217]: https://blog.quarkslab.com/reverse-engineering-the-win32k-type-isolation-mitigation.html 342 | [218]: https://speakerdeck.com/scwuaptx/windows-kernel-heap-segment-heap-in-windows-kernel-part-1 343 | [219]: https://kb.firedaemon.com/support/solutions/articles/4000106823-manually-enabling-interactive-services-interactive-service-detection-and-session-0 344 | [220]: https://docs.microsoft.com/en-us/answers/questions/27517/is-there-any-workaround-in-win10-to-allow-service.html 345 | [221]: https://kb.firedaemon.com/support/solutions/articles/4000123189 346 | [222]: https://documents.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf 347 | [223]: https://ynwarcs.github.io/Win11-24H2-CFG 348 | --------------------------------------------------------------------------------