{"id":83,"date":"2014-12-08T16:37:00","date_gmt":"2014-12-08T16:37:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/vcblog\/2014\/12\/08\/visual-studio-2015-preview-work-in-progress-security-feature\/"},"modified":"2019-02-18T18:05:09","modified_gmt":"2019-02-18T18:05:09","slug":"visual-studio-2015-preview-work-in-progress-security-feature","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cppblog\/visual-studio-2015-preview-work-in-progress-security-feature\/","title":{"rendered":"Visual Studio 2015 Preview: Work-in-Progress Security Feature"},"content":{"rendered":"

Background<\/span><\/p>\n

The Preview for Visual Studio 2015 was announced on November 12, 2014.  It includes a new, work-in-progress feature, called Control Flow Guard<\/strong>.  By simply adding a new option to your Project, the Visual C++ compiler will inject extra security checks into your binaries.  These will detect attempts to hijack your code.  The check will stop execution of your code, before the hijacker can do damage to your data or PC.<\/span><\/p>\n

This blog explains how you can experiment with Control Flow Guard <\/strong>in the Preview.  Your feedback will determine how we move forward in our release planning.<\/span><\/p>\n

For the rest of this post, I’ll abbreviate Control Flow Guard to CFG<\/strong>.<\/span><\/p>\n

How to Enable CFG<\/span><\/h2>\n

If you are building your project <\/span>from the command-line, as in: cl test.cpp<\/span> then tell both compiler (via \/d2guard4<\/span>) and linker (via \/guard:cf<\/span>) <\/span>to add CFG instrumentation, as follows:  cl \/d2guard4  test.cpp  \/link \/guard:cf<\/span><\/span>\n(Yes, \/d2guard4<\/span> is a strange name.  Going forward, we will change it – likely to \/guard:cf<\/span>, where “cf” stands for “Control Flow”.  But that is for the future)<\/span>\nIf you are building your project within Visual Studio, just make the corresponding changes in your Project’s Property Pages:<\/span>\nSo, for the compiler, click through the sequence: PROJECT|Properties|Configuration Properties|C\/C++|Command Line|Additional Options<\/span>.  In the resulting window, add \/d2guard4<\/span><\/span>\nSimilarly, for the linker, click through the sequence: PROJECT|Properties|Configuration Properties|Linker|Command Line|Additional Options<\/span>.  In the resulting window, add \/guard:cf<\/span><\/span>\nThat’s all there is to it.  You don’t need to change any source code – no restructuring, no annotations, nothing. The compiler and linker do all of the heavy lifting required – you simply direct them to do so with these new switches.<\/span><\/p>\n

How to Tell If a Binary Is CFG’d?<\/span><\/h2>\n

Run the dumpbin <\/span><\/span>tool, and specify the \/headers<\/span> and \/loadconfig<\/span> options.  <\/span>With our running example, we would say: <\/span>dumpbin \/headers \/loadconfig test.exe<\/span>.  <\/span>I have extracted the relevant sections of output and highlighted the 3 flags <\/span>to check-for in blue<\/span>, below:<\/span>\nOPTIONAL HEADER VALUES
<\/span>             10B magic # (PE32)
<\/span>                                                                                       \/\/ skipped fields here
<\/span>            C140 DLL characteristics
<\/span>                   Dynamic base
<\/span>                   NX compatible
<\/span>                   Guard<\/span>\n Section contains the following load config:
<\/span>           0000005C <\/span>size
<\/span>           004271C0 <\/span>Security Cookie
<\/span>           00425120 <\/span>Safe Exception Handler Table
<\/span>                 19 <\/span>Safe Exception Handler Count
<\/span>           0041D128 <\/span>Guard CF address of check-function pointer
<\/span>           00000000 <\/span>Reserved
<\/span>           0041D1A8 <\/span>Guard CF function table
<\/span>                 A8 <\/span>Guard CF function count
<\/span>           00003500 <\/span>Guard Flags
<\/span>                  CF Instrumented<\/span>
<\/span>                  FID table present
                  <\/span>Protect delayload IAT
                  <\/span>Delayload IAT in its own section<\/span> <\/p>\n

Feedback Please!<\/span><\/h2>\n

We would like you to try out this <\/span>feature, and give us feedback on what you find:<\/span><\/p>\n