# AD2054: EnableReturnFlowGuard

## Summary
| Property | Value |
|---|---|
| ID | AD2054 |
| Name | EnableReturnFlowGuard |
| Category | Security |
| Severity | Note |
| Applies to | PE (Windows) |
## Description
Checks if binaries have Return Flow Guard (RFG) enabled. RFG was a planned security feature to protect return addresses, but was ultimately superseded by Intel CET Shadow Stack.
## How It Works

The rule checks for RFG-related flags in the PE load configuration's guard flags:

- `IMAGE_GUARD_RF_INSTRUMENTED` (0x00020000): RFG instrumentation present
- `IMAGE_GUARD_RF_ENABLE` (0x00040000): RFG is enabled
- `IMAGE_GUARD_RF_STRICT` (0x00080000): RFG strict mode
RFG is considered enabled if either:
- Both RF_INSTRUMENTED and RF_ENABLE are set, OR
- RF_STRICT is set
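The decision logic above, as an added example (not the rule's own implementation): it reads `GuardFlags` out of a raw `IMAGE_LOAD_CONFIG_DIRECTORY` blob and applies the two conditions. The GuardFlags offsets (0x58 for 32-bit, 0x90 for 64-bit) are assumed from the winnt.h struct layout, and the sample directories are constructed inline; the directory's own `Size` field is checked first, because a load config emitted by an older linker can end before `GuardFlags` exists.

```python
import struct

# RFG bits in IMAGE_LOAD_CONFIG_DIRECTORY.GuardFlags (values as given in the rule text)
IMAGE_GUARD_RF_INSTRUMENTED = 0x00020000
IMAGE_GUARD_RF_ENABLE = 0x00040000
IMAGE_GUARD_RF_STRICT = 0x00080000

# Byte offset of GuardFlags inside the load config directory, by PE bitness.
# Assumed from the winnt.h struct layout (32-bit: 0x58, 64-bit: 0x90).
GUARD_FLAGS_OFFSET = {32: 0x58, 64: 0x90}


def rfg_enabled(guard_flags: int) -> bool:
    """Rule decision: (RF_INSTRUMENTED and RF_ENABLE) or RF_STRICT."""
    pair = IMAGE_GUARD_RF_INSTRUMENTED | IMAGE_GUARD_RF_ENABLE
    return (guard_flags & pair) == pair or bool(guard_flags & IMAGE_GUARD_RF_STRICT)


def guard_flags_from_load_config(data: bytes, bits: int):
    """Return GuardFlags from a raw load config blob, or None if absent.

    The first DWORD is the directory's Size; if it ends before GuardFlags,
    the field does not exist and reading padding would give a false result.
    """
    off = GUARD_FLAGS_OFFSET[bits]
    if len(data) < 4:
        return None
    size = struct.unpack_from("<I", data, 0)[0]
    if size < off + 4 or len(data) < off + 4:
        return None
    return struct.unpack_from("<I", data, off)[0]


def make_load_config(bits: int, guard_flags: int) -> bytes:
    """Constructed sample directory: all zero except Size and GuardFlags."""
    off = GUARD_FLAGS_OFFSET[bits]
    buf = bytearray(off + 4)
    struct.pack_into("<I", buf, 0, len(buf))   # Size covers GuardFlags exactly
    struct.pack_into("<I", buf, off, guard_flags)
    return bytes(buf)


def check_rfg(data: bytes, bits: int) -> str:
    """Outcome as the rule would report it for one load config blob."""
    flags = guard_flags_from_load_config(data, bits)
    if flags is None:
        return "no GuardFlags field"
    return "RFG enabled" if rfg_enabled(flags) else "RFG not enabled"
```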
## Why This Matters

### Return-Oriented Programming (ROP)
ROP attacks exploit the return instruction to chain together code snippets ("gadgets") that already exist in the program. By overwriting return addresses on the stack, attackers can execute arbitrary sequences of operations.
### Shadow Stack Protection
RFG was designed to maintain a "shadow stack" of return addresses. When a function returns, the return address would be validated against this protected copy. If they don't match, the process terminates.
### Current Status

RFG was cancelled before widespread deployment. Microsoft instead adopted Intel CET (Control-flow Enforcement Technology), which provides hardware-based shadow stack protection.
For modern Windows development, you should:
1. Use the /CETCOMPAT linker option to enable CET Shadow Stack
2. See rule AD2025 for CET Shadow Stack recommendations
## Why This Rule Exists

This rule is primarily for:

- Analyzing legacy binaries that may have RFG enabled
- Completeness in security feature detection
- Educational purposes about return protection technologies
## Performance Considerations

RFG was designed with low overhead, but since it is deprecated, use CET Shadow Stack instead:
CET Shadow Stack overhead:
| Metric | Impact |
|---|---|
| Runtime overhead | <1% |
| Call/return cost | ~1 cycle |
| Memory overhead | Small shadow stack per thread |
CET Shadow Stack is hardware-accelerated and has lower overhead than the planned RFG implementation.
## Resolution
Since RFG is deprecated, focus on CET Shadow Stack instead:
### Enable CET Shadow Stack (Recommended)

#### In Visual Studio
- Open project Properties
- Go to Linker → Advanced
- Set CET Shadow Stack Compatible to Yes