Added /cf parameter to Windows build (change in CMakelists.txt) to enable Control Flow Guard in Yubico.Nativeshims project.
There is no known vulnerability in the Yubico SDK that drives this change; it is simply a best practice for code that interacts with unsafe functions to adopt all available platform security measures for native code. This change may enable high security environments to proactively protect against unknown future vulnerabilities found in code that interacts with memory unsafe functions.
Control Flow Guard Information:
Control Flow Guard (CFG) is a robust security feature designed to counter memory corruption vulnerabilities by imposing strict limitations on code execution within an application. It significantly reduces the risk of exploits, particularly those exploiting vulnerabilities like buffer overflows. CFG builds upon previous mitigation technologies such as /GS, DEP, and ASLR, enhancing overall platform security. Its key features include preventing memory corruption and ransomware attacks, limiting server capabilities to reduce attack surface, and increasing the difficulty of exploiting arbitrary code vulnerabilities like buffer overflows.
CHANGES:
Added /cf parameter to Windows build (change in CMakelists.txt) to enable Control Flow Guard in Yubico.Nativeshims project.
There is no known vulnerability in the Yubico SDK that drives this change; it is simply a best practice for code that interacts with unsafe functions to adopt all available platform security measures for native code. This change may enable high security environments to proactively protect against unknown future vulnerabilities found in code that interacts with memory unsafe functions.
Control Flow Guard Information:
Control Flow Guard (CFG) is a robust security feature designed to counter memory corruption vulnerabilities by imposing strict limitations on code execution within an application. It significantly reduces the risk of exploits, particularly those exploiting vulnerabilities like buffer overflows. CFG builds upon previous mitigation technologies such as /GS, DEP, and ASLR, enhancing overall platform security. Its key features include preventing memory corruption and ransomware attacks, limiting server capabilities to reduce attack surface, and increasing the difficulty of exploiting arbitrary code vulnerabilities like buffer overflows.
More info:
https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard