What is Control-Flow Enforcement Technology (CET)?


Above is the original PDF of Intel's Control-Flow Enforcement Technology. The main focus of this technology is to prevent ROP, JOP and COP attacks, which alter the flow of execution through the stack and redirect control flow to a memory location controlled by the attacker.

The technology introduces two new hardware-implemented mechanisms:

  1. Shadow Stack
  2. Indirect Branch Tracking (IBT)

This is not a technical article but rather an overview of the technology, meant to give a quick grasp of the CET concept and the strategies it uses.

If you want to get into the details and learn the technical aspects of CET, refer to this article provided by Intel: Technical Look at CET

CET: As Described by the Linux Kernel


Control-flow Enforcement Technology (CET) covers several related x86 processor features that protect against control-flow hijacking attacks. CET can protect both applications and the kernel. CET introduces shadow stack and indirect branch tracking (IBT).

Not all CPUs have both Shadow Stack and Indirect Branch Tracking. Today in the 64-bit kernel, only userspace shadow stack and kernel IBT are supported.

Shadow Stack


A shadow stack is a secondary stack allocated from memory that cannot be directly modified by applications. When executing a CALL instruction, the processor pushes the return address to both the normal stack and the shadow stack. Upon function return, the processor pops the shadow stack copy and compares it to the normal stack copy. If the two differ, the processor raises a control-protection fault.

Learn more: What is a Shadow Stack?

Indirect Branch Tracking (IBT)


Indirect Branch Tracking (IBT) is a security feature in modern processors, like those from Intel, designed to prevent certain types of cyber attacks that try to hijack the flow of a program. Think of it as a security guard that ensures the program’s instructions are followed correctly.

How It Works:

  1. Indirect Branches: These are instructions in a program that tell the processor to jump to a different part of the code. They are tricky because the exact destination isn't known until the program is running.
  2. Tracking: IBT keeps an eye on these jumps. It relies on special marker instructions (the ENDBR opcodes) placed by the compiler at every valid indirect jump destination.
  3. Verification: When the program performs an indirect jump, IBT checks whether the destination begins with the correct marker. If it doesn't, the processor raises a control-protection fault, blocking the jump and preventing the potential attack.

Example:

Imagine you’re following a treasure map with specific instructions. Each step on the map has a unique marker. If you try to jump to a step without the correct marker, you know something’s wrong, and you stop to avoid a trap.

In the same way, IBT ensures that the program only jumps to safe, marked locations, blocking any unauthorized jump that could lead to malicious code execution.
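To make the two checks concrete, here is a small software model of them, written in C as an added example (it is not code from the original post or from Intel, and the register layout, the one-byte ENDBR stand-in and the addresses are constructed for illustration). It shows a CALL pushing to both stacks, a RET comparing the two copies, and an indirect branch being refused when its target lacks the marker.

```c
#include <stddef.h>
#include <stdint.h>

#define STACK_DEPTH 16
#define ENDBR 0xF3 /* constructed one-byte stand-in for the real ENDBR64 encoding */

typedef struct {
    uintptr_t stack[STACK_DEPTH];  /* normal stack: writable by "application" code */
    uintptr_t shadow[STACK_DEPTH]; /* shadow stack: only the CALL/RET model touches it */
    int sp, ssp;
} cpu_t;

enum { CET_OK = 0, CET_CP_FAULT = -1 }; /* CET_CP_FAULT models a #CP fault */

/* CALL: the return address is pushed to both the normal and the shadow stack. */
int cet_call(cpu_t *c, uintptr_t ret_addr) {
    if (c->sp >= STACK_DEPTH || c->ssp >= STACK_DEPTH) return CET_CP_FAULT;
    c->stack[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return CET_OK;
}

/* RET: pop both copies; a mismatch raises the fault instead of transferring control. */
int cet_ret(cpu_t *c, uintptr_t *target) {
    if (c->sp == 0 || c->ssp == 0) return CET_CP_FAULT;
    uintptr_t normal = c->stack[--c->sp];
    uintptr_t shadow = c->shadow[--c->ssp];
    if (normal != shadow) return CET_CP_FAULT;
    *target = normal;
    return CET_OK;
}

/* IBT: an indirect jump may only land on an instruction that starts with ENDBR. */
int ibt_branch(const uint8_t *code, size_t len, size_t target) {
    if (target >= len || code[target] != ENDBR) return CET_CP_FAULT;
    return CET_OK;
}

/* Demo: a return address corrupted on the normal stack is caught by the shadow copy. */
int demo_shadow_stack_catches_corruption(void) {
    cpu_t c = {0};
    uintptr_t t = 0;
    cet_call(&c, 0x401000);                   /* legitimate call */
    c.stack[c.sp - 1] = (uintptr_t)0x41414141; /* simulated overwrite of the saved return */
    return cet_ret(&c, &t);                    /* returns CET_CP_FAULT */
}
```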


What is Control-Flow Enforcement Technology?

CET is a security feature in modern processors designed to prevent control-flow hijacking attacks. It includes mechanisms like Shadow Stack and Indirect Branch Tracking (IBT) to ensure the integrity of program execution.

How does CET work?

Control-Flow Enforcement Technology (CET) enhances security by using Shadow Stack and Indirect Branch Tracking (IBT) to prevent control-flow hijacking attacks. It ensures the integrity of program execution by verifying return addresses and jump destinations.

Is Control-Flow Enforcement Technology Software or Hardware?

Control-Flow Enforcement Technology is a hardware solution, implemented in the CPU, that protects against control-flow hijacking attacks.
