| >= Windows XP SP2 and >= Windows Server 2003 SP1 | DEP in userland and kernel land | 1 2 167 |
| >= Windows XP SP2 and >= Windows Server 2003 SP1 | Non-executable SharedUserData | 3 |
| >= Windows Vista | Integrity Levels (IL) | 4 |
| >= Windows Vista | ASLR | 5 5-2 167 |
| >= Windows Vista | User-Mode Driver Framework (now in WDF) to be able to write user-space-only drivers | 208 209 210 211 |
| >= Windows XP SP2 with physical memory 508MB+ or >= Windows Vista | Delayed free list | 158 153 154 155 156 |
| Any 64-bit Windows | PagedPool is ReadWrite only (NX enabled) | 185 186 |
| >= Windows Vista | SMB default configuration does not allow anonymous login to named pipes | 6 |
| Visual Studio 2003 >= XXX | SafeSEH | 7 190 |
| Visual Studio 2003 >= XXX | GS stack cookie protection | 194 195 |
| >= Windows Server 2008 (enabled by default) and >= Windows Vista SP1 (disabled by default). Disabled by default on workstation < Windows 10 v1709 and enabled by default on server versions. | Structured Exception Handling Overwrite Protector (SEHOP) | 191 7 8 192 193 |
| >= Internet Explorer 7 and >= Windows Vista | Protected Mode (PM) - Low IL | 9 |
| Windows Vista? 7? | Kernel ASLR (KASLR) | 10 11 160 |
| >= Internet Explorer 10 and >= Windows 8 | Enhanced Protected Mode (EPM) - AppContainer | 12 13 14 |
| >= Internet Explorer 10 and >= Windows 8 | ForceASLR | 15 |
| >= Windows 8, 64-bit processes | High Entropy ASLR (HEASLR) | 16 17 |
| >= Internet Explorer 10 and >= Windows 8 | VTGuard | 18 19 |
| Windows 7 | Safe Unlinking in the kernel pool allocator | 20 |
| Windows 8 or 8.1? | No-Execute (NX) Page Table Entries (PTE) | 159 |
| Windows 8 | Safe Unlinking in the linked lists used in the kernel | 21 22 |
| >= Windows 8 | SMB default configuration does not allow anonymous login to IPC$ (IPC$ may be accessible but most commands cannot be used) | 23 |
| Windows 8 | Supervisor Mode Execution Prevention (SMEP) | 24 149 150 151 167 |
| Windows 8 32-bit/64-bit and backported to Vista+ 64-bit | NULL page mitigation | 25 26 27 28 29 170 |
| Windows 8/8.1 (Server 2012) - patch XXX?? | HAL non executable (NX) | 30 |
| Windows 8 | No-Execute (NX) Nonpaged Pool | 31 32 33 |
| <= Internet Explorer 10 | Memory Protector (MP) | 34 |
| Edge and Internet Explorer 11 | MemGC | 35 |
| >= Windows 8.1 | ObTypeIndexTable Index 0 hardening | 36 |
| >= Windows 8.1 32-bit/64-bit (update KB3000850) or >= Office 16.0.7341.2032 or compiled with >= VS2015 | Control Flow Guard (CFG) a.k.a. Forward-edge CFI (Integrity) | 37 38 39 40 41 42 43 44 45 46 47 48 49 50 146 166 167 168 198 199 206 |
| ? | Isolated Heap (only HTML/SVG/etc. elements accessible from JS, not helper/smaller objects) | 51 |
| >= Edge and Windows 10 v??? | Win32k syscall filter | 52 53 54 55 56 57 58 59 60 |
| Windows Vista | Kernel-Mode Code Signing (KMCS) a.k.a. Digital Driver Signing | 147 164 |
| Windows Vista | Kernel Patch Protection (KPP) aka PatchGuard | 148 |
| Windows 10 1703 or 1607 >= 14332 (August 2016) | Page Table Entry (PTE) location randomized (full KASLR) | 61 62 63 64 65 180 180-2 |
| >= Windows 10 1809 (Pro/Enterprise) and >= Edge 77 | Application Guard for Edge | 66 67 207 |
| Windows 10/Edge >= XX/XX/2016??? | Virtual Machines (VM) for Edge | 68 |
| Windows 10 >= XX/XX/2016??? | Services process isolation (out of SVCHOST.EXE) | 69 |
| Windows 10 >= XX/XX/2016??? | Shadow stack | 70 71 |
| Windows 10/Edge >= XX/XX/2016??? | Prohibit dynamic code (VirtualAlloc RWX) | 72 73 |
| Windows 10/Office 2016 (Version 16.11 Build 7571.2075) | Forbid child to create process | 74 |
| Windows 10/Edge | Out-of-process JIT | 75 76 |
| Windows 10 v1607 (Build 14393) | NULL SecurityDescriptor kernel mitigation | 77 78 |
| Windows 10 (Build 15002) | Exports are invalid CFG icall | 79 |
| Windows 10 (Build 15021 / Removed in Build 15031) | Return Flow Guard (RFG) | 80 81 82 83 84 |
| Windows 10 (Build 15025) | Strict CFG | 85 86 |
| Windows 10 (Build 1703 Creators Update) | kCFG | 87 152 |
| Windows 10 (Build ?) | Font parsing restricted to AppContainer | 88 89 |
| Windows 10 (Build 16179) | Break LFH deterministic layouts | 90 91 188 188-2 |
| Windows 10 64-bit (1703 Creators Update) (April 2017) | HAL randomized / No HAL Heap static mapping | 92 93 |
| Internet Explorer 11 | Disable VBScript | 94 95 96 |
| Windows 10 (1703 Creators Update) | Arbitrary Code Guard (ACG). Enabled with PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON. Enabled by default in Edge only under certain conditions | 97 98 99 180 180-2 213 |
| Windows 10 (16215) | Arbitrary Code Guard and Code Integrity Guard for most svchost.exe | 100 |
| Windows 10 (16215) | Isolated kernel stacks | 101 |
| Windows 10 (?) | BufferedIO output buffer is always zeroed | 102 103 |
| Windows 10 RS3 (?) | EMET mitigations added to Win10 (Windows Defender Exploit Guard, etc.) | 104 105 106 107 |
| Windows 10 RS4 | Split kernel/page directory tables | 108 109 110 |
| Windows 10 ??? | Fonts in userland and appcontainerized | 111 |
| Windows 10 RS4 (17063) | SGX2 Support (EAUG, EMODPR, etc) | 112 |
| Windows 10 ??? | Kernel Virtual Address (KVA) Shadow (== KPTI) | 113 114 172 172-2 |
| Windows 10 ??? | Mitigations for speculative execution side channel vulnerabilities | 115 |
| Visual Studio 2017 version 15.5.5 or 15.6 Preview 4? | /Qspectre compiler option | 116 117 |
| Windows 10 build 17692 (fast ring) (June 2018) | WPAD JavaScript sandboxing in AppContainer | 118 |
| Windows 10 Redstone 5 (June 2018) | Virtualization Based Security (VBS) enables Hypervisor Code Integrity (HVCI) and Driver Signature Enforcement (DSE) => block Capcom rootkit/other drivers | 119 180 180-2 |
| Windows 10 Build 17723 (Fast Ring) and 18204 (Skip Ahead) | Heap-backed pool allocator (with randomization) | 120 |
| Windows 10 Build 19H1 | Limited Supervisor Mode Access Prevention (SMAP) in paths handling DISPATCH_LEVEL + interrupts | 121 122 |
| Windows 10, version 1703 | Sandboxed Windows Defender (opt-in) | 123 124 |
| >= Windows 10 v1709 | Structured Exception Handling Overwrite Protector (SEHOP) enabled by default | 193 |
| Windows 10 WIPFast build or compiled with /kernel | InitAll compiler feature. No uninitialized Plain-old-data (POD) structs on the stack | 125 126 163 |
| Windows 10 Fall Creators Update (2017) | VBScript execution disabled in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default | 127 128 |
| Windows 10 Pro or Enterprise Insider build 18305 | Windows Sandbox (run any application in isolation) | 129 130 |
| Windows 10 build ??? (after 16299) | Windows Object Type encoding | 131 132 |
| Windows 10 build ??? | eXtended Control Flow Guard (XFG): Validates call-targets by hash on target type | 133 134 180 180-2 181 181-2 183 183-2 204 214 |
| Windows 10 build 17672 | Kernel pool moving towards Low Fragmentation Heap algorithm | 135 136 |
| Windows 10 1809 build ??? | Threat-Intelligence Kernel APC Injection Sensor | 137 138 139 |
| Windows Insider Flight 18980 | Kernel-mode and Hyper-V automatic initialization of scalars (pointers, int, etc.) | 140 |
| Windows 10 ??? (Oct 2019) | Virtualization Based Security (VBS) enabled by default | 141 142 180 180-2 |
| Windows 10 1607 | tagWND.strName primitive mitigation | 144 |
| Windows 10 1709 | win32k object type isolation | 215 216 217 |
| Windows 10 1803 | win32k tagWND additional r/w primitive removal | 215 |
| Windows 10 1809 | win32k desktop heap user/kernel separation | 215 |
| Windows 10 1809 | kLFH (disabled by default) | 143 |
| Windows 10 1903 | kLFH (enabled by default) | 218 |
| Windows 10 1903 | Userland Control-flow Enforcement Technology (CET) | 200 201 202 203 |
| Windows 10 March 2020 | Hardlink mitigation (requires FILE_WRITE_ATTRIBUTES) | 157 |
| Windows 10 May 2020 and supported hardware | eXtended Flow Guard (XFG) (improved CFG) forward-edge CFI, can use Intel CET shadow stacks (only on supported hardware) | 145 161 161-2 161-3 165-2 214 |
| Windows 10 ??? | No Uninitialized Stack | 162 162-2 |
| Windows 10 ??? | Extreme Flow Guard (xFG) | 165 165-2 180 180-2 214 |
| Windows 10 21H1 | Kernel Data Protection (KDP) | 165 165-2 174 174-2 175 175-2 177 177-2 |
| Windows 10 ??? | Vulnerable driver blocking | 169 |
| Windows 10 ??? | Zeroed kernel pool allocation | 171 173 173-2 179 182 182-2 187 187-2 |
| Windows 10 21H1 | Authenticated Pointers (PAC) on ARM64 | 176 |
| Windows 10 21H1 | Dynamic relocations to allow user shared data to be relocated | 176 |
| Windows 10 21H1 | Kernel Mode TLS (Thread Local Storage) with PsTls* APIs | 176 |
| Windows 10 21H1 | Kernel Control-flow Enforcement Technology (CET) | 176 180 180-2 |
| Visual Studio 2019 ??? | ASan support for MSVC | 196 197 |
| Windows 10 ??? | Supervisor Mode Access Prevention (SMAP) | 178 178-2 |
| Windows 10 ??? | Randomized mapping of VTL0's KUSER_SHARED_DATA in ring0 VTL1 | 184 189 |
| Windows 10 ??? | Requires graphics driver developers to write user-space-only drivers | 208 |
| Windows 11 (Build 22000) | Allows not following symlink for mount points (not default yet) | 202 |
| Windows 11 (Build ???) | XTENDED_CONTROL_FLOW_GUARD, POINTER_AUTH_USER_IP, REDIRECTION_TRUST | 212 |
| Windows 10 / Windows Server 2016 and 2019 | Keyboard and mouse disabled in session 0 | 219 220 |
| Windows 10 1803 / Windows 11 / Windows Server 2019 and 2022 | Interactive Services Detection Service (UI0Detect) binaries removed | 221 |