Control Flow Enforcement Technology (CET) provides HW capabilities to defend against Return Oriented Programming (ROP) attack and similarly Call/Jmp Oriented Programming (COP/JOP) attack.
Control flow subversion attacks are handled using two CET’s mechanisms:
- Shadow Stack (SHSTK) – return address protection to defend against ROP.
- Indirect Branch Tracking (IBT) – free branch protection to defend against JOP/COP.
Shadow stack solution introduces a new stack for return addresses only. The HW has a Shadow Stack Pointer (SSP) that points to the next return address. If we return to a different address, an exception is triggered.
The shadow stack is managed using a series of intrinsics that are introduced in this patch as well as the new register (SSP). The intrinsics are mapped to new instruction set that implements CET mechanism.
The patch also includes initial infrastructure support for IBT.
For more information, please see the following: