How KCFG and KCET Redefine Control Flow Integrity in the Windows Kernel

Black Hat USA 2025 · Day 1 · Briefings

Connor McGarr of Prelude delivers a deep technical analysis of Kernel Control Flow Guard (KCFG) and Kernel Control Flow Enforcement Technology (KCET), Microsoft's kernel-mode implementations of control flow integrity on Windows. Unlike their user-mode predecessors, these mitigations are enforced by the secure kernel and hypervisor through Virtualization-Based Security (VBS), placing their sources of truth outside the reach of a kernel-mode attacker. McGarr maps the full implementation chain, identifies current limitations and known bypasses (including IAT corruption and out-of-context returns), and traces the evolution of the cat-and-mouse game toward a future where ROP is effectively mitigated by hardware.

AI review

McGarr does the internals of KCFG and KCET properly — VBS architecture, SLAT enforcement, Shadow Stack management, secure system call chains. The Retpoline-as-IAT-bypass-mitigation observation is an underappreciated gem. Not groundbreaking research, but it's the definitive current reference for how kernel CFI works on Windows and what remains exploitable.
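To make the IAT-corruption bypass from the abstract and the review's retpoline remark concrete, here is an added user-mode model; it is not code from the talk, from Prelude, or from Windows. It assumes a small table of registered targets in place of the real address-indexed bitmap, a sentinel return in place of the real fail-fast, and that retpoline's import optimization rewrites `call [IAT]` sites into direct calls (my reading of the review's point). The three scenarios show why a guarded pointer overwrite is refused, why the same write against an uninstrumented IAT slot is not, and why a direct call site leaves the corrupted slot unused.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-mode model of a CFG-style check (assumption: real KCFG indexes a
   bitmap by target address and that bitmap is protected by the secure
   kernel; here the "bitmap" is a small table of registered targets). */
#define MAX_TARGETS 8

typedef int (*handler_t)(int);

static handler_t g_valid_targets[MAX_TARGETS];
static size_t    g_valid_count;

static void cfg_register_target(handler_t fn) {
    for (size_t i = 0; i < g_valid_count; i++)
        if (g_valid_targets[i] == fn) return;      /* already registered */
    assert(g_valid_count < MAX_TARGETS);
    g_valid_targets[g_valid_count++] = fn;
}

/* The check the compiler emits before every guarded indirect call. */
static bool cfg_check(handler_t fn) {
    for (size_t i = 0; i < g_valid_count; i++)
        if (g_valid_targets[i] == fn) return true;
    return false;
}

static int good_handler(int x) { return x + 1; }
static int evil_handler(int x) { return -x; }       /* attacker-chosen target */

#define CFG_REFUSED (-999)

/* Guarded indirect call. The real mitigation fails fast; the model returns
   a sentinel so the refusal can be observed by the caller. */
static int guarded_call(handler_t fn, int arg) {
    cfg_register_target(good_handler);              /* "loader" registers valid targets */
    if (!cfg_check(fn)) return CFG_REFUSED;
    return fn(arg);
}

/* IAT-style slot: filled by the loader and read on every call through it.
   A `call [IAT]` is not instrumented, so the slot's contents run as-is. */
static handler_t g_iat_slot;

static int call_via_iat(int arg) {
    return g_iat_slot(arg);                         /* no check on the slot */
}

/* Import-optimized call site (assumption: the loader has rewritten the
   call into a direct call to the resolved import), so no data slot is
   consulted at call time and corrupting the IAT afterwards changes nothing. */
static int call_import_optimized(int arg) {
    return good_handler(arg);
}

/* Scenario 1: a guarded pointer is overwritten; the check refuses it. */
static int scenario_guarded_pointer_overwritten(void) {
    handler_t fp = good_handler;
    fp = evil_handler;                              /* simulated arbitrary write */
    return guarded_call(fp, 5);                     /* CFG_REFUSED */
}

/* Scenario 2: the same write against the IAT slot is never checked. */
static int scenario_iat_overwritten(void) {
    g_iat_slot = good_handler;                      /* loader fills the import */
    g_iat_slot = evil_handler;                      /* attacker corrupts the IAT */
    return call_via_iat(5);                         /* evil_handler runs: -5 */
}

/* Scenario 3: with the call site import-optimized, the IAT write is moot. */
static int scenario_import_optimized(void) {
    g_iat_slot = evil_handler;                      /* corrupted, but never read */
    return call_import_optimized(5);                /* good_handler runs: 6 */
}

/* Baseline: a legitimate guarded call still works. */
static int scenario_guarded_ok(void) {
    return guarded_call(good_handler, 5);           /* 6 */
}

int main(void) {
    printf("guarded pointer overwritten -> %d (refused)\n", scenario_guarded_pointer_overwritten());
    printf("IAT slot overwritten        -> %d (attacker target ran)\n", scenario_iat_overwritten());
    printf("import-optimized call site  -> %d (unaffected)\n", scenario_import_optimized());
    printf("legitimate guarded call     -> %d\n", scenario_guarded_ok());
    return 0;
}
```

The model deliberately keeps the allowlist in the same address space as the attacker's writes; the point of enforcing KCFG from the secure kernel, as the abstract describes, is that the real bitmap is not reachable that way. The direct-call scenario also shows the shape of the fix for the IAT path: remove the writable indirection rather than add a check around it.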
