Voice search, also called voice-enabled search, allows the user to use a voice to search the Internet, a website, or an app. In a broader definition, voice search includes open-domain keyword query on any information on the Internet, for example in Google Voice Search, Cortana, Siri and Amazon Echo. Voice search is often interactive, involving several rounds of interaction that allows a system to ask for clarification. Voice search is a type of dialog system. Voice search is not a replacement for typed search. Rather the search terms, experience and use cases can differ heavily depending on the input type. == Supported language == Language is the most essential factor for a system to understand, and provide the most accurate results of what the user searches. This covers across languages, dialects, and accents, as users want a voice assistant that both understands them and speaks to them understandably. While spoken and written languages differ, voice search should support natural spoken language instead of only transforming voice into text and doing a regular text search with the help speech recognition. For example, in typed search an eCommerce user can easily copy and paste an alphanumeric product code to search field, but when speaking the search terms can be very different, such as "show me the new Bluetooth headphones by Samsung". == How it works == The difference between text and voice search is not only the input type. The mechanism must include an automatic speech recognition (ASR) for input, but it can also include natural language understanding for natural spoken search queries such as "What's the population for the United States" It can include text-to-speech (TTS) or a regular display for output modalities. Users might sometimes be required to activate the search by using a wake word. Then, the search system will detect the language spoken by the user. It will then detect the keywords and context of the sentence. Lastly, the device will return results depending on its output. A device with a screen might display the results, while a device without a screen will speak them back to the searcher.
Cyborg
A cyborg () is a being with both organic and biomechatronic body parts. It is a portmanteau of cybernetic and organism. The term was coined in 1960 by Manfred Clynes and Nathan S. Kline. In contrast to biorobots and androids, the term cyborg applies to a living organism that has undergone restoration of function or enhancements of abilities due to the integration of some artificial component or technology that relies on feedback. == Description and definition == Alternative names for a cyborg include cybernetic organism, cyber-organism, cyber-organic being, cybernetically enhanced organism, cybernetically augmented organism, technorganic being, techno-organic being, and techno-organism. Unlike bionics, biorobotics, or androids, a cyborg is an organism that has restored function or, especially, enhanced abilities due to the integration of some artificial component or technology that relies on some sort of feedback, for example: prostheses, artificial organs, implants or, in some cases, wearable technology. Cyborg technologies may enable or support collective intelligence. A related idea is the "augmented human". While cyborgs are commonly thought of as mammals, including humans, the term can apply to any organism. === Placement and distinctions === D. S. Halacy's Cyborg: Evolution of the Superman (1965) featured an introduction which spoke of a "new frontier" that was "not merely space, but more profoundly the relationship between 'inner space' to 'outer space' – a bridge...between mind and matter." In "A Cyborg Manifesto", Donna Haraway rejects the notion of rigid boundaries between humanity and technology, arguing that, as humans depend on more technology over time, humanity and technology have become too interwoven to draw lines between them. She believes that since we have allowed and created machines and technology to be so advanced, there should be no reason to fear what we have created, and cyborgs should be embraced because they are part of human identities. However, Haraway has also expressed concern over the contradictions of scientific objectivity and the ethics of technological evolution, and has argued that "There are political consequences to scientific accounts of the world." === Biosocial definition === According to some definitions of the term, the physical attachments that humans have with even the most basic technologies have already made them cyborgs. In a typical example, a human with an artificial cardiac pacemaker or implantable cardioverter-defibrillator would be considered a cyborg, since these devices measure voltage potentials in the body, perform signal processing, and can deliver electrical stimuli, using a synthetic feedback mechanism to keep that person alive. Implants, especially cochlear implants, that combine mechanical modification with any kind of feedback response are also cybernetic enhancements. Some theorists cite such modifications as contact lenses, hearing aids, smartphones, or intraocular lenses as examples of fitting humans with technology to enhance their biological capabilities. The emerging trend of implanting microchips inside the body (mainly the hands), to make financial operations like a contactless payment, or basic tasks like opening a door, has been erroneously marketed as more recent examples of cybernetic enhancement. The latter has not yet seen significant traction outside niche areas in Scandinavia and in actual function is little more than a pre-programmed Radio-frequency identification (RFID) microchip encased in glass that does not interact with the human body (it is the same technology used in the microchips injected into animals for ease of identification), thus not fitting the definition of a cybernetic implant. As cyborgs currently are on the rise, some theorists argue there is a need to develop new definitions of aging. For instance, a bio-techno-social definition of aging has been suggested. The term is also used to address human-technology mixtures in the abstract. This includes not only commonly used pieces of technology such as phones, computers, the Internet, and so on, but also artifacts that are not usually considered technology; for example, pen and paper, and speech and language. When augmented with these technologies and connected in communication with people in other times and places, a person becomes capable of more than they were before. An example is a computer, which gains power by using Internet protocols to connect with other computers. Another example is a social-media bot—either a bot-assisted human or a human-assisted-bot—used to target social media with likes and shares. Cybernetic technologies thus include highways, pipes, electrical wiring, buildings, electrical plants, libraries, and other infrastructural constructs. Bruce Sterling, in his Shaper/Mechanist universe, suggested an idea of an alternative cyborg called 'Lobster', which is made not by using internal implants, but by using an external shell (e.g. a powered exoskeleton). The computer game Deus Ex: Invisible War prominently features cyborgs called Omar, Russian for 'lobster'. === Evolutionary perspective === In 1994, Hans Hass formulated a scientific view of the human-machine hybrids he called "hypercells". They can expand their biological cell body with artificial artifacts and thus expand their performance body. The theory of hypercells or Homo proteus, as Hass called the human-machine hybrid to distinguish Homo sapiens, extends Charles Darwin's theory of evolution and deals with the course of evolution beyond humans. In his 2019 book Novacene, James Lovelock used the term "cyborgs" to refer to the next generation of beings who will become the "understanders of the future" and "lead the cosmos to self-knowledge". While acknowledging the organic component in Clynes' and Kline's definition, he proposed that these cyborgs "will have designed and built themselves from the artificial intelligence systems we have already constructed", and used the term cyborg "to emphasize that the new intelligent beings will have arisen, like us, from Darwinian evolution." == Origins == The concept of a man-machine mixture was widespread in science fiction before World War II. As early as 1843, Edgar Allan Poe described a man with extensive prostheses in the short story "The Man That Was Used Up". In 1911, Jean de La Hire introduced the Nyctalope, a science fiction hero who was perhaps the first literary cyborg, in Le Mystère des XV (later translated as The Nyctalope on Mars). Nearly two decades later, Edmond Hamilton presented space explorers with a mixture of organic and machine parts in his 1928 novel The Comet Doom. He later featured the talking, living brain of an old scientist, Simon Wright, floating in a transparent case, and in all the adventures of his famous hero, Captain Future. In 1944, in the short story "No Woman Born", C. L. Moore wrote of Deirdre, a dancer, whose body was burned completely and whose brain was placed in a faceless but beautiful and supple mechanical body. In 1960, the term "cyborg" was coined by Manfred E. Clynes and Nathan S. Kline to refer to their conception of an enhanced human being who could survive in extraterrestrial environments: For the exogenously extended organizational complex functioning as an integrated homeostatic system unconsciously, we propose the term 'Cyborg'. Their concept was the outcome of thinking about the need for an intimate relationship between human and machine as the new frontier of space exploration was beginning to develop. A designer of physiological instrumentation and electronic data-processing systems, Clynes was the chief research scientist in the Dynamic Simulation Laboratory at Rockland State Hospital in New York. The term first appears in print 5 months earlier when The New York Times reported on the "Psychophysiological Aspects of Space Flight Symposium" where Clynes and Kline first presented their paper: A cyborg is essentially a man-machine system in which the control mechanisms of the human portion are modified externally by drugs or regulatory devices so that the being can live in an environment different from the normal one. Thereafter, Hamilton would first use the term "cyborg" explicitly in the 1962 short story, "After a Judgment Day", to describe the "mechanical analogs" called "Charlies," explaining that "[c]yborgs, they had been called from the first one in the 1960s...cybernetic organisms." The 1972 novel Cyborg by Martin Caidin introduced the character of bionic government agent Steve Austin, and was adapted into the popular television series The Six Million Dollar Man, which ran from 1973 to 1978. In 2001, a book titled Cyborg: Digital Destiny and Human Possibility in the Age of the Wearable computer was published by Doubleday. Some of the ideas in the book were incorporated into the documentary film Cyberman that same year. == Cyborg tissues in engineering == Cyborg tissues structured with carbon nanotubes and plan
INaturalist
iNaturalist is an American 501(c)(3) nonprofit social network of naturalists, citizen scientists, and biologists built on the concept of mapping and sharing observations of biodiversity across the globe. iNaturalist may be accessed via its website or from its mobile applications. iNaturalist includes an automated species identification tool, and users further assist each other in identifying organisms from photographs and sound recordings. As of 5 August 2025, iNaturalist users had contributed nearly 300 million observations of plants, animals, fungi, and other organisms worldwide, and 400,000 users were active in the previous 30 days. iNaturalist serves as an important resource of open data for biodiversity research, conservation, and education, describing itself as "an online social network of people sharing biodiversity information to help each other learn about nature." It is the primary application for crowd-sourced biodiversity data in places such as Mexico, southern Africa, and Australia, and the project has been called "a standard-bearer for natural history mobile applications." Most of iNaturalist's software is open source. It has contributed to over 4,000 research papers and is widely used by scientists, land managers, and conservationists worldwide. The platform has also been active in the discovery of new species and rediscovery of species previously assumed to be extinct. == History == iNaturalist began in 2008 as a UC Berkeley School of Information Master's final project of Nate Agrin, Jessica Kline, and Ken-ichi Ueda. Agrin and Ueda continued work on the site with Sean McGregor, a web developer. In 2011, Ueda began collaboration with Scott Loarie, a research fellow at Stanford University and lecturer at UC Berkeley. Ueda and Loarie are the current co-directors of iNaturalist.org. The organization merged with the California Academy of Sciences on 24 April 2014. In 2017, iNaturalist became a joint initiative between the California Academy of Sciences and the National Geographic Society. With these collaborations and growing popularity of the site since 2012, the number of participants and observations has roughly doubled each year. In 2014, iNaturalist reached 1 million observations. Later, as of October 2023, there were 181 million observations (163 million verifiable). On 11 July 2023 iNaturalist announced its status as a newly independent 501(c)(3) nonprofit organization. === Google AI controversy === On 9 June 2025 Google announced that iNaturalist would be part of its "Generative AI Accelerator". This announcement, paired with the initial lack of information on the iNaturalist site, led to outcry from many iNaturalist users in the blog comments and forum, worrying about the consequences for the environment, volunteer engagement, reliability and raised questions about the decision making within iNaturalist, while some saw the backlash as a sign that people want to resist 'corrosive technologies'. PZ Myers, a biology professor who uses iNaturalist in his teaching, published an article on his website Pharyngula stating that "any decision that drives people away and replaces them with a hallucinating bot is a bad decision". == Platforms == Users can interact with iNaturalist in the following ways: through the iNaturalist.org website, through two mobile apps: iNaturalist (iOS/Android) and Seek by iNaturalist (iOS/Android), or through partner organizations such as the Global Biodiversity Information Facility (GBIF) website. On the iNaturalist.org website, visitors can search the public dataset and interact with other people adding observations and identifications. The website provides tools for registered users to add, identify, and discuss observations, write journal posts, explore information about species, create project pages to recruit participation, and coordinate work on their topics of interest. On the iNaturalist mobile app, users can create and share nature observations to the online dataset, explore observations both nearby and around the world, and learn about different species. Seek by iNaturalist, a separate app marketed to families, requires no online account registration and all observations may remain private. Seek incorporates features of gamification, such as providing a list of nearby organisms to find and encouraging the collection of badges and participation in challenges. Seek was initially released in the spring of 2018. == Observations == The iNaturalist platform is based on crowdsourcing of observations and identifications. An iNaturalist observation records a person's encounter with an individual organism at a particular time and place. An iNaturalist observation may also record evidence of an organism, such as animal tracks, nests, or scat. The scope of iNaturalist excludes natural but inert subjects such as geologic or hydrologic features. Users typically upload photos as evidence of their findings, though audio recordings are also accepted, and such evidence is not a strict requirement. Users may share observation locations publicly, "obscure" them to display a less precise location or make the locations completely private. iNaturalist users can add identifications to each other's observations in order to confirm or improve the identification of the observation. Observations are classified as "Casual", "Needs ID" (needs identification), or "Research Grade" based on the quality of the data provided and the community identification process. Any quality of data can be downloaded from iNaturalist and "Research Grade" observations are often incorporated into other online databases such as the Global Biodiversity Information Facility and the Atlas of Living Australia. === Automated species identification === In addition to observations being identified by others in the community, iNaturalist includes an automated species identification tool, first released in 2017. Images can be identified via a computer vision model which has been trained on the large database of the observations on iNaturalist. Multiple species suggestions are typically provided with the suggestion that the software guesses to be most likely is at the top of the list. A broader taxon such as a genus or family is commonly provided if the model is unsure of the species. It is trained once or twice a year, and the threshold for species included in the training set has changed over time. It can be difficult for the model to guess correctly if the species in question is infrequently observed or hard to identify from images alone, or if the image submitted has poor lighting, is blurry, or contains multiple subjects. In February 2023, iNaturalist released v2.1 of its computer vision model, which was trained on a new source model which performed significantly better than the previous models trained using a different source model. In April 2025 iNaturalist released an updated app for iOS, changing the original version to "iNaturalist Classic." == Projects == Users have created and contributed to tens of thousands of different projects on iNaturalist. The platform is commonly used to record observations during bioblitzes, which are biological surveying events that attempt to record all the species that occur within a designated area, and a specific project type on iNaturalist. Other project types include collections of observations by location or taxon or documenting specific types of observations such as animal tracks and signs, the spread of invasive species, roadkill, fishing catches, or discovering new species. In 2011, iNaturalist was used as a platform to power the Global Amphibian and Global Reptile BioBlitzes, in which observations were used to help monitor the occurrence and distribution of the world's reptiles and amphibian species. The US National Park Service partnered with iNaturalist to record observations from the 2016 National Parks BioBlitz. That project exceeded 100,000 observations in August 2016. In 2017, the United Nations Environment Programme teamed up with iNaturalist to celebrate World Environment Day.. In 2022, Reef Ecologic teamed up with iNaturalist to celebrate World Oceans Day. === City Nature Challenge === In 2016, Lila Higgins from the Natural History Museum of Los Angeles County and Alison Young from the California Academy of Sciences co-founded the City Nature Challenge (CNC). In the first City Nature Challenge, naturalists in Los Angeles and the San Francisco Bay Area documented over 20,000 observations with the iNaturalist platform. In 2017, the CNC expanded to 16 cities across the United States and collected over 125,000 observations of wildlife in 5 days. The CNC expanded to a global audience in 2018, with 68 cities participating from 19 countries, with some cities using community science platforms other than iNaturalist to participate. In 4 days, over 17,000 people cataloged over 440,000 nature observations in urban regions around the world. In 2019, the CNC once again expanded, with 35,000 parti
System Service Descriptor Table
The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows. == Function == The SSDT maps syscalls to kernel function addresses. When a syscall is issued by a user space application, it contains the service index as parameter to indicate which syscall is called. The SSDT is then used to resolve the address of the corresponding function within ntoskrnl.exe. In modern Windows kernels, two SSDTs are used: One for generic routines (KeServiceDescriptorTable) and a second (KeServiceDescriptorTableShadow) for graphical routines. A parameter passed by the calling userspace application determines which SSDT shall be used. == Hooking == Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, hooking SSDT calls is often used as a technique in both Windows kernel mode rootkits and antivirus software. In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to exploits using race conditions to attack the products' security checks.
Intel Threat Detection Technology
Intel Threat Detection Technology (TDT) is a CPU-level technology created by Intel in 2018 to enable host endpoint protections to use a CPU's low-level access to detect threats to a system. TDT consists of multiple components including Accelerated Memory Scanning, which uses the CPU's integrated GPU to scan memory, and Advanced Platform Telemetry, which uses processor-level activity monitoring to detect unusual activity. It is supported on sixth-generation or newer Intel Core CPUs and additional capabilities were added to the 11th generation Core processors. Intel TDT is integrated into several third-party anti-malware solutions including Microsoft Defender, Check Point Harmony Endpoint, CrowdStrike Falcon, and others. == Accelerated Memory Scanning == Accelerated Memory Scanning (also referred to as "Advanced Memory Scanning") uses the CPU's integrated GPU to scan memory for malicious code, instead of using the CPU directly. This improves system responsiveness during anti-malware scanning. and lowers power consumption. Features include pattern matching, using random forest decision trees, string extraction, entropy calculation, and Euclidean clustering. == Advanced Platform Telemetry == Advanced Platform Telemetry collects CPU-level telemetry to detect uncommon activity patterns which might be indicative of malware. The telemetry data is collected from the CPU performance monitoring unit (PMU) and doesn't require a large signature database to detect malware. Instead, it uses machine-learning based correlations to identify indicators of attack For example, Microsoft Defender is able to use TDT's Advanced Platform Telemetry features to detect processor usage patterns indicative of ransomware and cryptojacking with TDT so it can detect them.
Memory color effect
The memory color effect is the phenomenon that the canonical hue of a type of object acquired through experience (e.g. the sky, a leaf, or a strawberry) can directly modulate the appearance of the actual colors of objects. Human observers acquire memory colors through their experiences with instances of that type. For example, most human observers know that an apple typically has a reddish hue; this knowledge about the canonical color which is represented in memory constitutes a memory color. As an example of the effect, normal human trichromats, when presented with a gray banana, often perceive the gray banana as being yellow - the banana's memory color. In light of this, subjects typically adjust the color of the banana towards the color blue - the opponent color of yellow - when asked to adjust its surface to gray to cancel the subtle activation of banana's memory color. Subsequent empirical studies have also shown the memory color effect on man-made objects (e.g. smurfs, German mailboxes), the effect being especially pronounced for blue and yellow objects. To explain this, researchers have argued that because natural daylight shifts from short wavelengths of light (i.e., bluish hues) towards light of longer wavelengths (i.e., yellowish-orange hues) during the day, the memory colors for blue and yellow objects are recruited by the visual system to a higher degree to compensate for this fluctuation in illumination, thereby providing a stronger memory color effect. == Form identification == Memory color plays a role when detecting an object. In a study where participants were given objects, such as an apple, with two alternate forms for each, a crooked apple and a circular apple, researchers changed the colors of the alternate forms and asked if they could identify them. Most of the participants answered "unsure," suggesting that we use memory color when identifying an object. The research redefined memory color as a phenomenon when "a form's identity affects the phenomenal hue of that form." == Color effect on memorization == Memory color effect can be derived from the human instinct to memorize objects better. Comparing the effect of recognizing gray-scaled images and colored images, results showed that people were able to recall colored images 5% higher compared to gray-scaled images. An important factor was that higher level of contrast between the object and background color influences memory. In a specific study related to this, participants reported that colors were 5% to 10% easier to recognize compared to black and white. == Color constancy and memory color effect == Color constancy is the phenomenon where a surface to appear to be of the same color under a wide rage of illumination. A study tested two hypotheses with regards to color memory; the photoreceptor hypothesis and the surface reflectance hypothesis. The test color was surround either by various color patches forming a complex pattern or a uniform “grey” field at the same chromaticity as that of the illuminant. The test color was presented on a dark background for the control group. It was observed that complex surround results where in line with the surface-reflectance hypothesis and not the photoreceptor hypothesis, showing that the accuracy and precision of color memory are fundamentals to understanding the phenomenon of color constancy. == Significance to the evolution of trichromacy == While objects that possess canonical hues make up a small percentage of the objects which populate humans’ visual experience, the human visual system evolved in an environment populated with objects that possess canonical hues. This suggests that the memory color effect is related to the emergence of trichromacy because it has been argued that trichromacy evolved to optimize the ability to detect ripe fruits—objects that appear in canonical hues. == In perception research == In perception research, the memory color effect is cited as evidence for the opponent color theory, which states that four basic colors can be paired with its opponent color: red—green, blue—yellow. This explains why participants adjust the ripe banana color to a blueish tone to make its memory color yellow as gray. Researchers have also found empirical evidence that suggests memory color is recruited by the visual system to achieve color constancy. For example, participants had a lower percentage of color constancy when looking at a color incongruent scene, such as a purple banana, compared to a color diagnostical scene, a yellow banana. This suggests that color constancy is influenced by the color of objects that we are familiar with, which the memory color effect takes part.
Control-flow integrity
Control-flow integrity (CFI) is a general term for computer security techniques that prevent a wide variety of malware attacks from redirecting the flow of execution (the control flow) of a program. == Background == A computer program commonly changes its control flow to make decisions and use different parts of the code. Such transfers may be direct, in that the target address is written in the code itself, or indirect, in that the target address itself is a variable in memory or a CPU register. In a typical function call, the program performs a direct call, but returns to the caller function using the stack – an indirect backward-edge transfer. When a function pointer is called, such as from a virtual table, we say there is an indirect forward-edge transfer. Attackers seek to inject code into a program to make use of its privileges or to extract data from its memory space. Before executable code was commonly made read-only, an attacker could arbitrarily change the code as it is run, targeting direct transfers or even do with no transfers at all. After W^X became widespread, an attacker wants to instead redirect execution to a separate, unprotected area containing the code to be run, making use of indirect transfers: one could overwrite the virtual table for a forward-edge attack or change the call stack for a backward-edge attack (return-oriented programming). CFI is designed to protect indirect transfers from going to unintended locations. == Techniques == Associated techniques include code-pointer separation (CPS), code-pointer integrity (CPI), stack canaries, shadow stacks (SS), and vtable pointer verification. These protections can be classified into either coarse-grained or fine-grained based on the number of targets restricted. A coarse-grained forward-edge CFI implementation, could, for example, restrict the set of indirect call targets to any function that may be indirectly called in the program, while a fine-grained one would restrict each indirect call site to functions that have the same type as the function to be called. Similarly, for a backward edge scheme protecting returns, a coarse-grained implementation would only allow the procedure to return to a function of the same type (of which there could be many, especially for common prototypes), while a fine-grained one would enforce precise return matching (so it can return only to the function that called it). == Implementations == Related implementations are available in Clang (LLVM front-end),, GNU Compiler Collection, Microsoft's Control Flow Guard and Return Flow Guard, Google's Indirect Function-Call Checks and Reuse Attack Protector (RAP). === LLVM/Clang === The LLVM compiler's C/C++ front-end Clang provides a number of "CFI" schemes that works on the forward edge by checking for errors in virtual tables and type casts. Not all of the schemes are supported on all platforms and most of them, the exception being two "kcfi" schemes intended for low-level kernel software, depends on link-time optimization (LTO) to know what functions are supposed to be called in normal cases. Also provided is a separate "shadow call stack" (SCS) instrumentation pass that defends on the backward edge by checking for call stack modifications, available only for the aarch64 and RISC-V ISAs. And due to use of a shared processor register SCS is only enforceable on certain ABIs or if in other ways it is ensured that any other software using the register set (thread/processor) does not interfere with this use. Google has shipped Android with the Linux kernel compiled by Clang with link-time optimization (LTO) and CFI enabled since 2018. Even though SCS is available for the Linux kernel as an option, and support is also available for Android's system components it is recommended only to enable it for components for which it can be ensured that no third party code is loaded. === GCC === The GNU Compiler Collection implemented a "shadow call stack" compatible with Clang for aarch64 in v12 released in 2022. This feature is primarily intended for building the Linux kernel as support is missing from GCC user space libraries. === Intel Control-flow Enforcement Technology === Intel Control-flow Enforcement Technology (CET) detects compromises to control flow integrity with a shadow stack (SS) and indirect branch tracking (IBT). The kernel must map a region of memory for the shadow stack not writable to user space programs except by special instructions. The shadow stack stores a copy of the return address of each CALL. On a RET, the processor checks if the return address stored in the normal stack and shadow stack are equal. If the addresses are not equal, the processor generates an INT #21 (Control Flow Protection Fault). Indirect branch tracking detects indirect JMP or CALL instructions to unauthorized targets. It is implemented by adding a new internal state machine in the processor. The behavior of indirect JMP and CALL instructions is changed so that they switch the state machine from IDLE to WAIT_FOR_ENDBRANCH. In the WAIT_FOR_ENDBRANCH state, the next instruction to be executed is required to be the new ENDBRANCH instruction (ENDBR32 in 32-bit mode or ENDBR64 in 64-bit mode), which changes the internal state machine from WAIT_FOR_ENDBRANCH back to IDLE. Thus every authorized target of an indirect JMP or CALL must begin with ENDBRANCH. If the processor is in a WAIT_FOR_ENDBRANCH state (meaning, the previous instruction was an indirect JMP or CALL), and the next instruction is not an ENDBRANCH instruction, the processor generates an INT #21 (Control Flow Protection Fault). On processors not supporting CET indirect branch tracking, ENDBRANCH instructions are interpreted as NOPs and have no effect. === Microsoft Control Flow Guard === Control Flow Guard (CFG) was first released for Windows 8.1 Update 3 (KB3000850) in November 2014. Developers can add CFG to their programs by adding the /guard:cf linker flag before program linking in Visual Studio 2015 or newer. As of Windows 10 Creators Update (Windows 10 version 1703), the Windows kernel is compiled with CFG. The Windows kernel uses Hyper-V to prevent malicious kernel code from overwriting the CFG bitmap. CFG operates by creating a per-process bitmap, where a set bit indicates that the address is a valid destination. Before performing each indirect function call, the application checks if the destination address is in the bitmap. If the destination address is not in the bitmap, the program terminates. This makes it more difficult for an attacker to exploit a use-after-free by replacing an object's contents and then using an indirect function call to execute a payload. ==== Implementation details ==== For all protected indirect function calls, the _guard_check_icall function is called, which performs the following steps: Convert the target address to an offset and bit number in the bitmap. The highest 3 bytes are the byte offset in the bitmap The bit offset is a 5-bit value. The first four bits are the 4th through 8th low-order bits of the address. The 5th bit of the bit offset is set to 0 if the destination address is aligned with 0x10 (last four bits are 0), and 1 if it is not. Examine the target's address value in the bitmap If the target address is in the bitmap, return without an error. If the target address is not in the bitmap, terminate the program. ==== Bypass techniques ==== There are several generic techniques for bypassing CFG: Set the destination to code located in a non-CFG module loaded in the same process. Find an indirect call that was not protected by CFG (either CALL or JMP). Use a function call with a different number of arguments than the call is designed for, causing a stack misalignment, and code execution after the function returns (patched in Windows 10). Use a function call with the same number of arguments, but one of pointers passed is treated as an object and writes to a pointer-based offset, allowing overwriting a return address. Overwrite the function call used by the CFG to validate the address (patched in March 2015) Set the CFG bitmap to all 1's, allowing all indirect function calls Use a controlled-write primitive to overwrite an address on the stack (since the stack is not protected by CFG) === Microsoft eXtended Flow Guard === eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019. XFG extends CFG by validating function call signatures to ensure that indirect function calls are only to the subset of functions with the same signature. Function call signature validation is implemented by adding instructions to store the target function's hash in register r10 immediately prior to the indirect call and storing the calculated function hash in the memory immediately preceding the target address's code. When the indirect call is made, the XFG validation function compares the value in r10 to the target