Information Security Inc.
Control Flow Enforcement Technology (CET)
Information Security Confidential - Partner Use Only
Contents
• About CET
• Why CET
• Three decades of runtime attacks
• Recent attacks
• Runtime attacks
• Defenses against code reuse
• Control-Flow Integrity (CFI)
• Hardware CFI
• Intel CET details
• Conclusions
• References
About CET
• Intel anti-ROP technology
• Builds on previous work on Control Flow Integrity (CFI) done by Microsoft and a paper by IAD proposing hardware-enforced CFI
Why CET
• Because it is one of the latest anti-exploitation enhancements built into the CPU
• Return-oriented Programming (ROP), and similarly call/jmp-oriented programming (COP/JOP), have been the prevalent attack methodology for stealthy exploit writers targeting vulnerabilities in programs.
• Control-flow Enforcement Technology (CET) is designed to defend against ROP/JOP-style control-flow subversion attacks.
Three decades of runtime attacks
Recent attacks
Runtime attacks
Defenses against code reuse
• Code Randomization
• Control-Flow Integrity (CFI)
Defenses against code reuse
Control-Flow Integrity (CFI)
• Prevents control-flow hijacking attacks
• CFI restricts the sources and destinations of indirect branches (jmp, call, ret)
• Often coupled with a shadow stack
• A control-flow graph (CFG) maps all legitimate function calls
Control-Flow Integrity (CFI)
• A pure-software CFI solution has weaknesses and can be bypassed (see http://ieeexplore.ieee.org/document/6956588/)
Hardware CFI
Hardware CFI
• A method to communicate the intended control flow (CFG) to the hardware
• A method to protect dynamic control flows: a protected shadow stack
• For any call, a copy of the return address is stored on both the regular stack and the shadow stack; on return the two copies are compared.
Intel CET details
• The shadow stack detects return-address manipulation
• The shadow stack is protected and cannot be accessed by the attacker
• New register SSP (shadow stack pointer) addresses the shadow stack
• Conventional MOV instructions cannot be used on the shadow stack
• New instructions operate on the shadow stack
• New instruction marking valid indirect call/jump targets: ENDBRANCH
• Can be combined with fine-grained compiler-based CFI (LLVM CFI)
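A toy model of the two mechanisms the Hardware CFI and Intel CET details slides describe (return addresses mirrored on a protected shadow stack and compared on return, indirect branches required to land on an ENDBRANCH), written as an added illustration rather than Intel's specification; the opcodes, the `CORRUPT` pseudo-instruction and the `#CP`-style fault are constructed stand-ins for the real hardware behaviour.

```python
# Toy model of the two CET mechanisms on the slides: a hardware-maintained shadow
# stack and indirect branch tracking. Constructed illustration; opcodes are
# simplified stand-ins, not real x86 encodings.
class ControlProtectionFault(Exception):
    """Stand-in for the #CP exception CET raises on a control-flow violation."""

def run(program, cet=True):
    """Execute `program` (list of (opcode, operand) pairs); return executed pcs.
    With cet=True, CALL pushes the return address on both the data stack and the
    shadow stack, RET faults if they disagree, and IJMP must land on an ENDBR."""
    pc, data_stack, shadow_stack, trace = 0, [], [], []
    while pc < len(program):
        op, arg = program[pc]
        trace.append(pc)
        if op == "CALL":
            data_stack.append(pc + 1)
            shadow_stack.append(pc + 1)    # written via SSP, never by MOV
            pc = arg
        elif op == "RET":
            ret, shadow = data_stack.pop(), shadow_stack.pop()
            if cet and ret != shadow:      # shadow stack detects the manipulation
                raise ControlProtectionFault(f"RET at {pc}: {ret} != shadow {shadow}")
            pc = ret
        elif op == "IJMP":                 # indirect jump to a register-held target
            if cet and program[arg][0] != "ENDBR":
                raise ControlProtectionFault(f"IJMP at {pc}: {arg} is not an ENDBR")
            pc = arg
        elif op == "CORRUPT":              # models an out-of-bounds write that
            slot, value = arg              # clobbers a saved return address
            data_stack[slot] = value
            pc += 1
        elif op == "HALT":
            break
        else:                              # ENDBR and NOP fall through
            pc += 1
    return trace

def outcome(program, cet=True):
    """Return ("HALT", trace) or ("#CP", reason) so outcomes are comparable."""
    try:
        return ("HALT", run(program, cet))
    except ControlProtectionFault as e:
        return ("#CP", str(e))

# Addresses 0-3: main; 4-6: helper whose ENDBR entry is a legal indirect target.
BENIGN = [("CALL", 4), ("IJMP", 2), ("ENDBR", None), ("HALT", None),
          ("ENDBR", None), ("NOP", None), ("RET", None)]
ROP_LIKE = BENIGN[:5] + [("CORRUPT", (0, 3))] + BENIGN[6:]  # clobber saved return
BAD_IJMP = BENIGN[:1] + [("IJMP", 3)] + BENIGN[2:]          # target has no ENDBR
```

Without CET, `outcome(ROP_LIKE, cet=False)` runs to completion along the hijacked trace `[0, 4, 5, 6, 3]`, while `outcome(ROP_LIKE)` reports a `#CP` at the RET because the data-stack copy no longer matches the shadow copy. `BAD_IJMP` shows the second mechanism: the jump to a target without an ENDBR faults only when CET is on.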
Conclusions
• This is a natural evolution of exploit mitigation techniques and arguably the future of trusted computing.
• CET combined with boot-chain trust, application whitelisting and existing/new anti-exploitation techniques can support the development of trusted systems in which even more classes of threat can be eliminated.
References
• Microsoft CFI: https://www.microsoft.com/en-us/research/publication/control-flow-integrity/?from=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F64250%2Fccs05.pdf
• IAD paper: https://github.com/iadgov/Control-Flow-Integrity
• Intel: https://software.intel.com/en-us/blogs/2016/06/09/intel-release-new-technology-specifications-protect-rop-attacks