Intel Tackles ROP Attacks With New Technology

Intel has revealed Control-flow Enforcement Technology (CET), a new security mechanism designed to hinder Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks.

The new technology was built in collaboration with Microsoft and defines a second stack (shadow stack) that is exclusively used for control transfer operations, complementing the traditional stack that is normally used for control transfer and data. This second stack is protected by the CPU’s memory management unit, resides in system RAM, and contains return addresses only.

With the new technology enabled, the return address is pushed onto the shadow stack in addition to the normal stack, and there are no changes to traditional stack operation, Baiju Patel, director of the platform security architecture and strategy team in Intel’s Software and Services group (SSG), says. However, the return instruction pops the return address from both stacks and transfers control only if they match.

According to Patel, write operations to the shadow stack are restricted through changes to the page tables, making it more difficult for attackers to modify the return address on both copies of the stack. Shadow stack usage is limited to call and return operations, and the page table protections are meant to ensure the integrity of the shadow stack by preventing malicious switching and/or overflow and underflow.
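The shadow-stack rule described above, modelled as an added example (this is a simplified model written for this article, not Intel's implementation): every call pushes the return address onto both stacks, and a return pops both copies and only transfers control when they agree. The addresses and stack depth are constructed values.

```c
/* Model of the CET shadow-stack check (added example, not Intel's code). */
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16 /* constructed limit for the model */

typedef struct {
    uintptr_t data[STACK_DEPTH];   /* ordinary stack: return addresses mixed with data */
    uintptr_t shadow[STACK_DEPTH]; /* shadow stack: return addresses only */
    int sp, ssp;                   /* separate stack pointers */
} cpu_t;

typedef enum { RET_OK = 0, RET_MISMATCH = 1, RET_UNDERFLOW = 2 } ret_status;

/* CALL: the return address is pushed onto both stacks. */
static int cet_call(cpu_t *c, uintptr_t ret_addr) {
    if (c->sp >= STACK_DEPTH || c->ssp >= STACK_DEPTH) return -1; /* overflow */
    c->data[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return 0;
}

/* RET: pop both copies; control transfers only if they match.
 * Real hardware raises a control-protection fault on mismatch or underflow. */
static ret_status cet_ret(cpu_t *c, uintptr_t *target) {
    if (c->sp <= 0 || c->ssp <= 0) return RET_UNDERFLOW;
    uintptr_t from_data = c->data[--c->sp];
    uintptr_t from_shadow = c->shadow[--c->ssp];
    if (from_data != from_shadow) return RET_MISMATCH;
    *target = from_data;
    return RET_OK;
}

/* Scenario: a memory-safety bug overwrites the saved return address on the
 * ordinary stack (modelled as a direct overwrite), but cannot reach the
 * page-table-protected shadow copy, so the return is refused. */
ret_status run_scenario(int corrupt) {
    cpu_t c = {0};
    uintptr_t target = 0;
    cet_call(&c, 0x401000);                    /* constructed return address */
    if (corrupt) c.data[c.sp - 1] = 0x402000;  /* constructed bogus address */
    return cet_ret(&c, &target);
}

int main(void) {
    printf("clean return: %d, corrupted return: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```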

Patel also notes that CET has been designed with focus on minimizing performance impact and that the CET specification (PDF) was created for both x86 and x64 architectures. The goal was to ensure that the new prevention technique requires minimal to no changes in well-implemented software, that it is applicable to both applications and operating systems, that it works on legacy platforms, and that it is intended to address all known ROP/JOP attacks.

Additionally, Patel explains that a new instruction was added to the ISA, namely the ENDBRANCH instruction, which marks a legal target for an indirect branch or jump. “Thus if ENDBRANCH is not the target of an indirect branch or jump, the CPU generates an exception indicating unintended or malicious operation. This specific instruction has been implemented as a NOP on current Intel processors for backwards compatibility (similar to several MPX instructions) and pre-enabling of software,” he notes.

Because attackers reuse existing code already present in executable memory to change program behavior, ROP and JOP attacks are hard to detect or prevent; the numerous software-based detection and prevention techniques that have been deployed with only limited success are evidence of that. CET, however, attempts to prevent these attacks at the CPU level, which should yield a higher rate of success.

For the time being, the CET specification is only a preview; it should receive finishing touches after Intel and Microsoft gather feedback on it.
