Intel Posts Control-Flow Enforcement Support For GCC
Last year Intel published a research whitepaper on Control-Flow Enforcement Technology (CET), and they have now posted a set of GCC patches implementing this safeguard within the GCC compiler.
Control-flow Enforcement Technology is designed to fend off return-oriented programming (ROP) and call/jump-oriented programming (COP/JOP) attacks. This Intel technology defends against these styles of control-flow attacks by introducing a shadow stack that keeps track of the expected return addresses and raises a fault if a return address doesn't match what's expected. CET also provides indirect branch tracking to defend against jump/call-oriented attacks.
CET is detailed at length in this revised whitepaper, now labeled v2.0, compared to last June's initial v1.0 release of this technology. Current Intel CPUs don't support CET and Intel hasn't been entirely clear when it will be added to their processors, but seeing as they are now adding the support to GCC, it is perhaps only a year or less out (Cannonlake, perhaps?).
The GCC patches adding initial CET support can be found on the mailing list. Executables built for CET are still safe to run on non-CET processors, albeit without any protection. Patches are still pending to support CET in the compiler libraries and glibc. The CET option for GCC is currently exposed with -mcet. This work will presumably land in time for next year's GCC 8 release.
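The practical question for anyone deploying CET-built binaries is how to verify that an executable actually carries the shadow-stack and indirect-branch-tracking markings, since a CET binary runs unchanged on older hardware and nothing at runtime tells you whether the protection is compiled in. The following is an added example, not code from Intel's patches or from GCC: it parses the `.note.gnu.property` section that the GNU toolchain uses to mark x86 CET features (the `GNU_PROPERTY_X86_FEATURE_1_AND` property with the `IBT` and `SHSTK` bits, the same constants found in `<elf.h>`). It assumes the ELF64 note layout with 8-byte alignment; the sample note bytes are constructed here to stand in for a section read from a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constants from the GNU ELF ABI (same values as in <elf.h>), defined
   locally so the example builds without the system header. */
#define NT_GNU_PROPERTY_TYPE_0            5
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT    0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK  0x2u

/* x86 ELF is little-endian; read a 32-bit field without relying on host order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static size_t align_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/* Scan the raw contents of a .note.gnu.property section (ELF64 layout).
   On success stores the GNU_PROPERTY_X86_FEATURE_1_AND bitmask in *out and
   returns 1; returns 0 if the property is absent or the note is malformed. */
int find_x86_feature_1_and(const uint8_t *sec, size_t len, uint32_t *out) {
    size_t off = 0;
    while (off + 12 <= len) {                       /* Elf64_Nhdr is 12 bytes */
        uint32_t namesz = rd32(sec + off);
        uint32_t descsz = rd32(sec + off + 4);
        uint32_t type   = rd32(sec + off + 8);
        size_t name_off = off + 12;
        if (namesz > len - name_off) return 0;      /* truncated name */
        size_t desc_off = align_up(name_off + namesz, 8);
        if (desc_off > len || descsz > len - desc_off) return 0; /* truncated desc */

        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(sec + name_off, "GNU", 4) == 0) {
            /* The descriptor is a sequence of (pr_type, pr_datasz, data) records,
               each padded to 8 bytes in ELF64. */
            size_t p = desc_off, end = desc_off + descsz;
            while (p + 8 <= end) {
                uint32_t pr_type   = rd32(sec + p);
                uint32_t pr_datasz = rd32(sec + p + 4);
                if (pr_datasz > end - (p + 8)) return 0;   /* record overruns desc */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4) {
                    *out = rd32(sec + p + 8);
                    return 1;
                }
                p = align_up(p + 8 + pr_datasz, 8);
            }
        }
        off = align_up(desc_off + descsz, 8);       /* next note */
    }
    return 0;
}

/* Human-readable summary of the CET bits in a feature mask. */
const char *cet_status(uint32_t features) {
    int ibt   = (features & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0;
    int shstk = (features & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0;
    if (ibt && shstk) return "IBT+SHSTK";
    if (ibt)          return "IBT";
    if (shstk)        return "SHSTK";
    return "none";
}

/* Constructed sample: one note as a fully CET-enabled object would carry it.
   namesz=4, descsz=16, type=5, "GNU\0", then pr_type=0xc0000002, pr_datasz=4,
   data=IBT|SHSTK, 4 bytes padding. */
const uint8_t cet_note[32] = {
    4,0,0,0,  16,0,0,0,  5,0,0,0,  'G','N','U',0,
    0x02,0x00,0x00,0xc0,  4,0,0,0,  0x03,0,0,0,  0,0,0,0 };

/* Constructed sample: same note but with no CET bits set. */
const uint8_t nocet_note[32] = {
    4,0,0,0,  16,0,0,0,  5,0,0,0,  'G','N','U',0,
    0x02,0x00,0x00,0xc0,  4,0,0,0,  0x00,0,0,0,  0,0,0,0 };

int main(void) {
    uint32_t f = 0;
    if (find_x86_feature_1_and(cet_note, sizeof cet_note, &f))
        printf("sample 1: CET features = 0x%x (%s)\n", f, cet_status(f));
    if (find_x86_feature_1_and(nocet_note, sizeof nocet_note, &f))
        printf("sample 2: CET features = 0x%x (%s)\n", f, cet_status(f));
    return 0;
}
```

On a real binary the same information is visible with `readelf -n`. The `_AND` in the property name is the important operational detail: the linker keeps a feature bit only if every input object sets it, so a single object file or static library compiled without `-mcet` clears the bit for the whole executable, and a deployment check should look at the final linked output rather than at compiler flags alone.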