Type confusion vulnerabilities offer incredibly powerful primitives to exploit writers. Many traditional types of memory safety issues (bounds violations, temporal safety) can be automatically detected and prevented in some manner, even if it comes at a performance cost (such as using memory tagging or ASAN). Type confusion is different – the issue lies with how a legal (in bounds, still live) allocation is interpreted by the software. While you may be able to detect the side effects of a type confusion (such as an integer being treated as a pointer and crashing), the type confusion itself cannot be deterministically detected.
Building mitigations to generically prevent type confusion is difficult since it typically requires some "identifier" to determine what the type of some object is. Adding identifiers changes object layout, which is an unacceptable breaking change in an operating system with a stable API and ABI surface.
This talk introduces a new mitigation called CastGuard which uses a tiny instruction sequence in combination with the virtual function table pointer of an object to deterministically prevent illegal static down-casts in C++ code. CastGuard is currently being deployed to a set of Windows components with more coming in the future.
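The abstract describes the idea (check the object's vtable pointer before honoring a static down-cast) but not CastGuard's instruction sequence. The following added C++ example is my own illustration of that idea, not code from the talk or from Windows: a sibling-type confusion (a `Cat` cast to `Dog*`) beside a guarded cast that consults the vtable pointer. The class names are hypothetical, and the example assumes the vtable pointer sits at offset 0 of a polymorphic object, which holds for single inheritance on both the Itanium and MSVC ABIs. The guard accepts only an exact type match; a production mitigation also has to accept classes derived from the target type, and how CastGuard does that is not described in the abstract.

```cpp
// Added illustration of a vtable-pointer-based down-cast check.
// Not CastGuard's implementation; assumes vptr at offset 0 (single inheritance).
#include <cstdio>
#include <cstring>

struct Animal {
    virtual ~Animal() = default;
    virtual const char* kind() const { return "animal"; }
};

struct Dog : Animal {
    const char* kind() const override { return "dog"; }
    int bark_volume = 11;            // first field after the vptr
};

struct Cat : Animal {
    const char* kind() const override { return "cat"; }
    const char* owner = "alice";     // occupies the bytes a Dog* would read as bark_volume
};

// Read the vtable pointer of a polymorphic object (assumption: it is the first word).
static const void* vptr_of(const Animal* obj) {
    const void* vp;
    std::memcpy(&vp, obj, sizeof vp);
    return vp;
}

// The vtable pointer carried by every object whose dynamic type is exactly T,
// captured once from a static probe instance.
template <typename T>
static const void* expected_vptr() {
    static const T probe{};
    return vptr_of(&probe);
}

// Guarded static down-cast: the static_cast is only performed when the
// object's vtable pointer is the one T's objects carry; otherwise the
// confused pointer is never created and nullptr is returned instead.
template <typename T>
static T* guarded_downcast(Animal* obj) {
    if (obj == nullptr || vptr_of(obj) != expected_vptr<T>()) return nullptr;
    return static_cast<T*>(obj);
}

// Outcomes exposed for checking: 1 = cast allowed, 0 = cast rejected.
static int cast_cat_to_dog_allowed() {
    Cat c;
    Animal* a = &c;
    return guarded_downcast<Dog>(a) ? 1 : 0;   // sibling type: rejected
}

static int cast_dog_to_dog_allowed() {
    Dog d;
    Animal* a = &d;
    return guarded_downcast<Dog>(a) ? 1 : 0;   // exact type: allowed
}

static int bark_volume_via_guard() {
    Dog d;
    Animal* a = &d;
    Dog* p = guarded_downcast<Dog>(a);
    return p ? p->bark_volume : -1;            // field read through a valid cast
}

int main() {
    Cat c;
    Animal* a = &c;
    // Unguarded static down-cast: the type confusion the abstract describes.
    // bark_volume now aliases the low bytes of Cat::owner, a pointer.
    Dog* confused = static_cast<Dog*>(a);
    std::printf("unguarded: bark_volume = %d (pointer bytes)\n", confused->bark_volume);
    std::printf("guarded:   Cat->Dog %s, Dog->Dog %s\n",
                cast_cat_to_dog_allowed() ? "allowed" : "rejected",
                cast_dog_to_dog_allowed() ? "allowed" : "rejected");
    return 0;
}
```

The check costs one load and one compare per down-cast and needs no change to object layout, since the vtable pointer is already present in every polymorphic object; that is the property the abstract relies on to keep the mitigation ABI-compatible.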