Out Of Control: How KCFG and KCET Redefine Control Flow Integrity in the Windows Kernel

Virtual Secure Mode, or VSM, on Windows marked the most significant leap in security innovation in quite some time, allowing the hypervisor to provide unprecedented protection to the Windows OS. With VSM features like Credential Guard, preventing in-memory credential theft and Hypervisor-Protected Code Integrity (HVCI), protecting against unsigned kernel-mode code, VSM has significantly reshaped the way many offensive security practitioners and threat actors alike think about tradecraft.

In the exploitation world, similar shifts have occurred with both Control Flow Guard (CFG) and Intel Control Flow Enforcement Technology (CET) being readily available in user-mode. However, we don’t hear or read much about their kernel-mode counter parts, KCFG and KCET. Why is this if CFG and CET are both relatively well-established exploit mitigations in user-mode?

At the time when CFG in user-mode was first released, kernel mode was the highest security boundary available on Windows – therefore making the implementation of CFG, or any CFI mitigation in kernel mode, impossible. However, since we now have a higher security boundary on Windows, thanks to the hypervisor, it is now possible to robustly implement CFG and CET in the Windows kernel!

This talk will cover what kernel mode CFI would look like without the presence of a hypervisor; why KCFG and KCET rely on VTL 1; how these mitigations differ from their user-mode counterparts; known limitations which exist today, including the recent deprecation of the next iteration of CFG known as eXtended Control Flow Guard (XFG); and the future of kernel-mode exploitation on Windows in the presence of KCFG and KCET.

By:
Connor McGarr | Software Engineer, Prelude Security

Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/?#out-of-control-how-kcfg-and-kcet-redefine-control-flow-integrity-in-the-windows-kernel-44726Black HatRead More