Intel has revealed Control-flow Enforcement Technology (CET), a new security mechanism designed to hinder Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks.
The new technology was built in collaboration with Microsoft and defines a second stack (shadow stack) that is exclusively used for control transfer operations, complementing the traditional stack that is normally used for control transfer and data. This second stack is protected by the CPU’s memory management unit, resides in system RAM, and contains return addresses only.
With the new technology enabled, the return address is pushed onto the shadow stack in addition to the normal stack, and there are no changes to traditional stack operation, says Baiju Patel, director of the platform security architecture and strategy team in Intel’s Software and Services group (SSG). The return instruction, however, pops the return address from both stacks and transfers control only if the two values match.
According to Patel, write operations to the shadow stack are restricted, which was implemented through changes to the page tables, to make it more difficult for attackers to modify the return address on both copies of the stack. Shadow stack usage is limited to call and return operations, and the page table protections are meant to ensure the integrity of the shadow stack by preventing malicious switching and/or overflow and underflow.
Patel also notes that CET has been designed with a focus on minimizing performance impact and that the CET specification (PDF) was created for both x86 and x64 architectures. The goal was to ensure that the new prevention technique requires minimal to no changes in well-implemented software, that it is applicable to both applications and operating systems, that it works on legacy platforms, and that it addresses all known ROP/JOP attacks.
Additionally, Patel explains that a new instruction was added to the ISA, namely the ENDBRANCH instruction, which marks a legal target for an indirect branch or jump. “Thus if ENDBRANCH is not target of indirect branch or jump, the CPU generates an exception indicating unintended or malicious operation. This specific instruction has been implemented as NOP on current Intel processors for backwards compatibility (similar to several MPX instructions) and pre-enabling of software,” he notes.
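The following is an added example, not part of the article and not Intel's specification or hardware behaviour: a small software model of the two mechanisms described above, the dual-stack CALL/RET check and ENDBRANCH-based indirect branch tracking. It shows why a saved return address that is overwritten on the data stack is caught at the next RET, and why an indirect jump to a location that does not begin with ENDBRANCH faults. The structure names, stack depth, status codes, addresses and the opcode byte used for ENDBRANCH are all assumptions made for this illustration.

```c
/* Added example: toy model of CET's shadow stack and indirect branch tracking.
 * Not Intel's code or specification; all names, sizes and codes are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 8   /* assumed: one small "page" worth of entries */

enum cet_status {
    CET_OK = 0,
    CET_FAULT_RET_MISMATCH,      /* data-stack and shadow-stack return addresses differ */
    CET_FAULT_SS_OVERFLOW,       /* CALL would push beyond the shadow stack's limit */
    CET_FAULT_SS_UNDERFLOW,      /* RET with an empty shadow stack */
    CET_FAULT_MISSING_ENDBRANCH  /* indirect branch to a target not marked ENDBRANCH */
};

typedef struct {
    uint64_t data_stack[STACK_DEPTH];   /* traditional stack: data and return addresses */
    uint64_t shadow_stack[STACK_DEPTH]; /* shadow stack: return addresses only */
    int dsp, ssp;                       /* number of entries on each stack */
} cet_cpu;

static void cet_init(cet_cpu *c) { memset(c, 0, sizeof *c); }

/* CALL: the return address is pushed on both stacks. */
static enum cet_status cet_call(cet_cpu *c, uint64_t ret_addr) {
    if (c->dsp >= STACK_DEPTH || c->ssp >= STACK_DEPTH)
        return CET_FAULT_SS_OVERFLOW;
    c->data_stack[c->dsp++] = ret_addr;
    c->shadow_stack[c->ssp++] = ret_addr;
    return CET_OK;
}

/* RET: pop both stacks; control transfers to *target only when the two agree. */
static enum cet_status cet_ret(cet_cpu *c, uint64_t *target) {
    if (c->dsp == 0 || c->ssp == 0)
        return CET_FAULT_SS_UNDERFLOW;
    uint64_t from_data = c->data_stack[--c->dsp];
    uint64_t from_shadow = c->shadow_stack[--c->ssp];
    if (from_data != from_shadow)
        return CET_FAULT_RET_MISMATCH;   /* the CPU would raise an exception here */
    *target = from_data;
    return CET_OK;
}

/* Stand-in for a memory-safety bug that overwrites the saved return address on
 * the data stack. There is deliberately no function that writes the shadow
 * stack: in real CET the page-table restrictions described above play that role. */
static void overwrite_saved_return(cet_cpu *c, uint64_t value) {
    if (c->dsp > 0) c->data_stack[c->dsp - 1] = value;
}

/* Indirect branch tracking: code is modelled as an array of one-byte opcodes and
 * OP_ENDBRANCH (a hypothetical encoding) marks each legal indirect-branch target. */
enum { OP_NOP = 0x90, OP_ENDBRANCH = 0x01 };

static enum cet_status cet_indirect_branch(const uint8_t *code, size_t len, uint64_t target) {
    if (target >= len || code[target] != OP_ENDBRANCH)
        return CET_FAULT_MISSING_ENDBRANCH;
    return CET_OK;
}

/* Scenario 1: a well-behaved CALL/RET pair. Returns the address control goes to,
 * or 0 if the RET faulted. */
static uint64_t scenario_normal(void) {
    cet_cpu c; cet_init(&c);
    uint64_t target = 0;
    cet_call(&c, 0x401000);                    /* constructed return address */
    return cet_ret(&c, &target) == CET_OK ? target : 0;
}

/* Scenario 2: the data-stack copy is overwritten; the shadow copy still holds
 * the original, so RET reports a mismatch instead of transferring control. */
static enum cet_status scenario_corrupted(void) {
    cet_cpu c; cet_init(&c);
    uint64_t target = 0;
    cet_call(&c, 0x401000);
    overwrite_saved_return(&c, 0x402ABC);      /* constructed, arbitrary address */
    return cet_ret(&c, &target);
}

/* Scenario 3: an indirect branch to a marked target is allowed; one to an
 * unmarked location faults. Returns 1 when both behave as expected. */
static int scenario_indirect(void) {
    static const uint8_t code[] = { OP_NOP, OP_ENDBRANCH, OP_NOP, OP_NOP, OP_ENDBRANCH };
    int allowed = cet_indirect_branch(code, sizeof code, 1) == CET_OK;
    int faulted = cet_indirect_branch(code, sizeof code, 2) == CET_FAULT_MISSING_ENDBRANCH;
    return allowed && faulted;
}

int main(void) {
    printf("normal RET transfers to 0x%llx\n", (unsigned long long)scenario_normal());
    printf("RET after overwrite: status %d (1 = mismatch fault)\n", (int)scenario_corrupted());
    printf("indirect branch tracking as expected: %d\n", scenario_indirect());
    return 0;
}
```

The model keeps the two properties the article attributes to CET separate: the shadow stack only changes through `cet_call` and `cet_ret`, so a bug that corrupts the data stack cannot reach it, and `cet_indirect_branch` consults only the target's opcode, so no stack state is involved in that check.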
Because ROP and JOP attacks reuse code that already exists in executable memory to change program behavior, they are hard to detect or prevent; the many software-based detection and prevention techniques that have been deployed with only limited success are proof of that. CET, however, attempts to prevent these attacks at the CPU level, which should ensure a higher rate of success.
For the time being, the CET specification is only a preview; it should receive its finishing touches after Intel and Microsoft have gathered feedback on it.