SQ14126

Detected Windows executable files that do not implement XFG vulnerability mitigation protection.

priority | CI/CD status | severity | effort | RL level | RL assessment
None | pass | low | high | None | None

About the issue

Extreme Control Flow Guard (XFG) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Because the code flow integrity is verified during runtime, malicious code is less likely to be able to hijack trusted execution paths.

How to resolve the issue

  • This mitigation option is considered an improvement to the existing control flow guard, but it is not a replacement for it. Both vulnerability mitigations can coexist in the same application, with the control flow guard mitigation used as a fallback on operating systems that do not support its extreme version. The difference between these two mitigations is most noticeable in higher-level programming languages that can discern between function pointers based on their respective signatures. In this case, the extreme control flow guard offers fine-grained code execution control.
  • This vulnerability mitigation option has not yet been made available to Microsoft Visual Studio users.
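
Because both mitigations can coexist in one image, it helps to see which of them a given build actually declares. The following is an added example, not the scanner's own logic: it reads GuardFlags from the PE load configuration directory and reports the CFG and XFG bits. The flag names and values are taken from winnt.h; classify, build_sample and the sample image are constructed for illustration.

```python
import struct

IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100  # winnt.h: module performs CFG checks
IMAGE_GUARD_XFG_ENABLED = 0x00800000      # winnt.h: module was built with XFG
LOAD_CONFIG = 10                          # data directory index of the load config
GUARD_FLAGS_AT = {0x10B: 0x58, 0x20B: 0x90}  # GuardFlags offset, PE32 / PE32+

def guard_flags(pe: bytes) -> int:
    """Return GuardFlags from the load config directory, 0 if there is none."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in GUARD_FLAGS_AT:
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= LOAD_CONFIG:
        return 0
    rva = struct.unpack_from("<I", pe, dirs + 8 * LOAD_CONFIG)[0]
    for i in range(nsect):  # map the RVA to a file offset via the section table
        vsize, vaddr, rsize, raw = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        if rva and vaddr <= rva < vaddr + max(vsize, rsize):
            cfg = raw + rva - vaddr
            size = struct.unpack_from("<I", pe, cfg)[0]
            if size < GUARD_FLAGS_AT[magic] + 4:  # old, short structure: no GuardFlags
                return 0
            return struct.unpack_from("<I", pe, cfg + GUARD_FLAGS_AT[magic])[0]
    return 0

def classify(pe: bytes) -> dict:
    flags = guard_flags(pe)
    return {"cfg": bool(flags & IMAGE_GUARD_CF_INSTRUMENTED),
            "xfg": bool(flags & IMAGE_GUARD_XFG_ENABLED)}

def build_sample(flags: int) -> bytes:
    """Constructed minimal PE32+ (headers, one section, load config); not a real binary."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * LOAD_CONFIG, 0x1000, 0x94)
    cfg = bytearray(0x94)
    struct.pack_into("<I", cfg, 0, 0x94)                      # Size
    struct.pack_into("<I", cfg, 0x90, flags)                  # GuardFlags
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22) + bytes(opt)
           + b".rdata\0\0" + struct.pack("<4I", 0x94, 0x1000, 0x200, 0x200) + bytes(16))
    return hdr.ljust(0x200, b"\0") + bytes(cfg).ljust(0x200, b"\0")
```

An image that reports cfg as true and xfg as false carries only the fallback mitigation described above.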

Incidence statistics

Not relevant for this type of issue.