Technology: Set the PE image code region to read-only and the data region to non-executable.
Status: Production
DXE controlled by: gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy in MdeModulePkg.dec, SMM enabled by default.
Technology: Set data regions to be non-executable.
Status: Production
DXE controlled by: gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy in MdeModulePkg.dec, SMM enabled by default.
Technology: Mark the first 4K page not present to detect NULL pointer dereferences.
Status: Production
Controlled by: gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask in MdeModulePkg.dec.
Technology: Shuffle the loaded image
Status: Prototype
ImageShuffle is configured by PcdImageShuffleEnable. DXE prototype is at DxeCore, SMM prototype is at PiSmmCore.
Technology: Shift the data buffers (heap and stack).
Status: Prototype
Randomization is configured by PcdASLRMinimumEntropyBits; the DXE prototype is at DxeCore and DxeIpl, the SMM prototype is at PiSmmCore.
Technology: Use guard page to detect global stack overflow.
Status: Production
DXE controlled by: gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard in MdeModulePkg.dec, SMM controlled by: gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard in UefiCpuPkg.dec.
Technology: Use guard page to detect heap overflow.
Status: Debug
Controlled by: gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask in MdeModulePkg.dec, gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPageType in MdeModulePkg.dec, gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPoolType in MdeModulePkg.dec.
Technology: Use the compiler to insert a cookie to detect local stack overflow (needs compiler support).
Status: Prototype
MSVC compiler stub (/GS) prototype is at GSStub.c, GCC/LLVM compiler stub (-fstack-protector-strong) prototype is at StackProtectorStub.c.
Technology: Use the compiler to insert redzones to detect buffer overflow (needs compiler support).
Status: Prototype, Debug
MSVC compiler stub (/RTCs) prototype is at RTCsStub.c, LLVM compiler stub (-fsanitize=address) prototype is at ASanStub.c.
Technology: Use the compiler to insert runtime checks for undefined behavior such as type casts (needs compiler support).
Status: Prototype, Debug
MSVC compiler stub (/RTCc) prototype is at RTCcStub.c, LLVM compiler stub (-fsanitize=undefined) prototype is at UBSanStub.c.
Technology: Use the compiler to insert checks to detect uninitialized data reads (needs compiler support).
Status: Prototype, Debug
MSVC compiler stub (/RTCu) prototype is at RTCuStub.c; LLVM (-fsanitize=memory) cannot be enabled because it does not support the Windows platform yet.
Technology: Return address protection to defend against Return Oriented Programming (ROP).
Status: SMM production, DXE prototype
SMM shadow stack is controlled by gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask in MdePkg.dec; the DXE shadow stack prototype is at DxeCet.
Technology: Free-branch (indirect branch) protection to defend against Jump/Call Oriented Programming (needs compiler support).
Status: Prototype
Prototype is at Ibt. The IBT cannot be enabled in MSVC, because the compiler does NOT support it yet.
Technology: Use the compiler to insert control flow checks to detect control flow attacks (needs compiler support).
Status: Prototype
MSVC compiler stub (/guard:cf) prototype is at CfgStub.c, LLVM compiler stub (-fsanitize=cfi) prototype is at CfiStub.c.
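The PCD-controlled entries above (image protection, DXE NX policy, NULL pointer detection, stack guard, heap guard, and the SMM shadow stack) are enabled from the platform DSC. The fragment below is an added example written for this page, not a file from the EDK II tree or from the project the page describes; the PCD names are those listed above, while the bit meanings and the 0x7FD5 memory-type mask are given as I understand them from MdeModulePkg.dec and MdePkg.dec and should be checked against the .dec files in your own tree. The PcdsFixedAtBuild section is an assumption; use whichever access type your platform already declares for these PCDs.

```dsc
[PcdsFixedAtBuild]
  # Image protection (Production). Assumed bit meanings from MdeModulePkg.dec:
  #   BIT0 - protect images loaded from unknown (non-FV) devices
  #   BIT1 - protect images loaded from firmware volumes
  gEfiMdeModulePkgTokenSpaceGuid.PcdImageProtectionPolicy|0x00000003

  # DXE NX policy (Production). One bit per EFI_MEMORY_TYPE, set = non-executable.
  # 0x7FD5 (assumed canonical value) sets NX on every type except the three code
  # types: EfiLoaderCode (BIT1), EfiBootServicesCode (BIT3), EfiRuntimeServicesCode (BIT5).
  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0x7FD5

  # NULL pointer detection (Production). Assumed bit meanings:
  #   BIT0 - UEFI (DXE) phase, BIT1 - SMM phase
  #   BIT7 - disable again after EndOfDxe (workaround for option ROMs / loaders
  #          that touch page 0); left clear here so detection stays on.
  gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask|0x03

  # Global stack overflow guard pages (Production), DXE and SMM.
  gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard|TRUE
  gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmStackGuard|TRUE

  # Heap guard (Debug status on this page; costs memory, intended for debug builds).
  # Assumed bit meanings: BIT0 - UEFI page guard, BIT1 - UEFI pool guard,
  #                       BIT2 - SMM page guard,  BIT3 - SMM pool guard
  gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask|0x03
  # Memory-type masks selecting which allocations get guard pages; same bit
  # layout as the NX policy above (here: only BootServicesData, BIT4).
  gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPageType|0x0000000000000010
  gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPoolType|0x0000000000000010

  # SMM shadow stack (CET, Production for SMM). Assumed: BIT0 enables shadow stack.
  gEfiMdePkgTokenSpaceGuid.PcdControlFlowEnforcementPropertyMask|0x00000001
```

Two practical checks go with this fragment: the NX policy only takes effect when paging is active and the CPU reports NX, and setting BIT2 (EfiLoaderData) in PcdDxeNxMemoryProtectionPolicy is the usual cause when an OS loader that executes from a data allocation starts faulting, so that bit is the first one to inspect before relaxing anything else. Likewise, the CET PCD is only honoured on a CPU with CET support; on other parts the SMM core runs without the shadow stack and no error is reported, so confirm from the debug log rather than assuming the protection is present.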