
Mitigations


Mitigations are cross-cutting defenses that intersect every stage of the exploitation pipeline. Rather than fixing individual bugs, they raise the cost of exploitation by breaking assumptions that exploitation primitives rely on — preventing code execution from data pages, randomizing kernel addresses, or isolating critical structures in hypervisor-protected memory.

FIG_006 — Defense-in-Depth Stack (figure; layers as labelled, VBS-backed protections at the top; vertical axis: BYPASS DIFFICULTY)
HARDWARE: NX bit, SMEP, SMAP, CET shadow stack; blocks code exec from data pages
POOL HARDENING: segment heap, pool cookies, NX pool, safe unlinking; blocks pool metadata abuse
KASLR: kernel base randomization, high-entropy ASLR; blocks hardcoded addresses
kCFG / kCET: forward-edge CFG, backward-edge CET shadow stack; blocks control flow hijack
ACG: Arbitrary Code Guard, W^X enforcement; blocks dynamic code gen
VBS / HVCI / KDP / SECURE POOL: hypervisor code integrity, kernel data protection, VBS-protected allocations, secure kernel isolation; blocks kernel data tampering

Each layer blocks specific primitive classes. VBS-backed protections at the top are the hardest to bypass.

Categories

Mitigation        Description                                    Bypass Difficulty
SMEP / SMAP       Supervisor mode execution/access prevention    Medium
kCFG / kCET       Kernel control flow integrity                  High
VBS / HVCI        Virtualization-based code integrity            Very High
KDP               Kernel Data Protection                         Very High
Pool Hardening    Segment heap, pool cookies, NX pool            Medium
Secure Pool       VBS-protected pool allocations                 Very High
ACG               Arbitrary Code Guard                           High
KASLR             Kernel address space randomization             Low-Medium
KASLR Bypasses    Catalog of KASLR defeat techniques             --

Mitigation vs. Primitive

Which mitigations block which exploitation primitives:

Pool Overflow Write-What-Where Token Swap PTE Manip Code Exec Pool Spray
SMEP / SMAP
kCFG / kCET
VBS / HVCI
KDP
Pool Hardening
Secure Pool
ACG
KASLR