Control-flow Enforcement Technology (CET) is a new hardware safety mechanism recently published by Intel in collaboration with Microsoft, whose purpose is to defend against prevalent exploit techniques including Return-oriented Programming (ROP) and Call/Jump-oriented Programming (COP/JOP). CET is implemented at the hardware level and consists of two major parts: (1) the shadow stack, which detects and prevents ROP by cross-checking the integrity of each return address; (2) indirect branch tracking, which hinders COP/JOP by making sure that the target of an indirect branch is legal.
Indirect branch tracking is implemented by adding a new instruction, ENDBRANCH, which marks the legal destinations of indirect branches. If the target of an indirect branch is not an ENDBRANCH instruction, the CPU generates an exception (a #CP fault) indicating an unintended or malicious control transfer. This mechanism is expected to largely eliminate JOP/COP-style attacks. However, indirect branch tracking by itself does not prevent exploits built from gadgets that begin at a legal entry point, which theoretically leaves JOP/COP the possibility of bypassing CET using "legal gadgets" only.
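The tracking rule above is small enough to model directly. The following Python model is an added illustration, not code from Intel or from this talk: it implements the documented IBT state machine (after an indirect CALL or JMP the tracker waits for an ENDBRANCH and raises #CP if the next instruction fetched is anything else) over a constructed toy instruction stream. The opcode names, addresses and the three programs are assumptions made for the model; they show a legitimate indirect call, a corrupted pointer landing mid-function (caught), and a corrupted pointer landing on another function entry (not caught), which is exactly the "legal gadget" case the talk sets out to measure.

```python
"""Toy model of CET indirect branch tracking (IBT).

Added illustration, not Intel's or the talk's code.  Instruction encoding,
addresses and sample programs are constructed for this model.  The rule
implemented is the publicly documented one: after an indirect CALL/JMP the
tracker enters WAIT_FOR_ENDBRANCH and the next instruction executed must be
ENDBR, otherwise a control-protection (#CP) fault is raised.
"""
from enum import Enum


class IbtState(Enum):
    IDLE = "idle"
    WAIT_FOR_ENDBRANCH = "wait_for_endbranch"


class ControlProtectionFault(Exception):
    """Models the #CP exception: an indirect branch landed on a non-ENDBR instruction."""


def run(program, start, max_steps=100):
    """Execute a constructed instruction stream under the IBT rule.

    program: dict address -> tuple; ops are ("ENDBR",), ("NOP",), ("HALT",),
             ("RET",), ("CALL_IND", target), ("JMP_IND", target).
    Returns the list of executed addresses, or raises ControlProtectionFault.
    """
    pc, state, call_stack, trace = start, IbtState.IDLE, [], []
    for _ in range(max_steps):
        insn = program[pc]
        op = insn[0]
        # The tracker check: the instruction reached by an indirect branch must be ENDBR.
        if state is IbtState.WAIT_FOR_ENDBRANCH and op != "ENDBR":
            raise ControlProtectionFault(pc)
        state = IbtState.IDLE
        trace.append(pc)
        if op == "HALT":
            return trace
        if op == "CALL_IND":
            call_stack.append(pc + 1)
            pc, state = insn[1], IbtState.WAIT_FOR_ENDBRANCH
        elif op == "JMP_IND":
            pc, state = insn[1], IbtState.WAIT_FOR_ENDBRANCH
        elif op == "RET":
            # RET is not tracked by IBT; return addresses are the shadow stack's job.
            pc = call_stack.pop()
        else:
            pc += 1
    raise RuntimeError("step limit reached")


def outcome(program, start):
    """Return ("ok", trace) or ("#CP", faulting_address) for a run."""
    try:
        return ("ok", run(program, start))
    except ControlProtectionFault as fault:
        return ("#CP", fault.args[0])


def legal_targets(program):
    """Addresses an indirect branch may legally land on: those holding ENDBR."""
    return {addr for addr, insn in program.items() if insn[0] == "ENDBR"}


# Constructed sample: main at 0x00 calls through a pointer into f (0x10); g lives at 0x20.
LEGIT = {
    0x00: ("CALL_IND", 0x10),   # main: indirect call to f's entry
    0x01: ("HALT",),
    0x10: ("ENDBR",),           # f: legal indirect target
    0x11: ("NOP",),
    0x12: ("RET",),
    0x20: ("ENDBR",),           # g: another legal entry
    0x21: ("NOP",),
    0x22: ("RET",),
}

# Same image, but the function pointer has been corrupted to point mid-function.
MID_FUNCTION = dict(LEGIT)
MID_FUNCTION[0x00] = ("CALL_IND", 0x11)

# Same image, pointer corrupted to point at a *different* function entry ("legal gadget").
LEGAL_GADGET = dict(LEGIT)
LEGAL_GADGET[0x00] = ("CALL_IND", 0x20)


if __name__ == "__main__":
    for name, prog in (("legit", LEGIT), ("mid-function", MID_FUNCTION), ("legal gadget", LEGAL_GADGET)):
        print(f"{name:13s} -> {outcome(prog, 0x00)}")
    print("legal indirect targets:", sorted(hex(a) for a in legal_targets(LEGIT)))
```

The mid-function case faults at the first fetch after the branch, which is what removes the bulk of classic JOP/COP gadgets; the third case runs to completion because IBT only checks that the landing instruction is ENDBR, not that it is the intended callee. Counting and classifying such ENDBR-prefixed targets in real binaries, rather than in this toy, is the measurement problem the talk addresses.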
This talk focuses on answering the question: how effective is indirect branch tracking against JOP/COP? Are there still enough valid gadgets available for any meaningful JOP/COP-style attack?
In summary, this talk presents the process and results of hunting valid gadgets under CET using a PMU-based tool and big-data analysis. It gives an in-depth evaluation of the effectiveness of the indirect branch tracking technique, and it is our hope that the results of this study can help improve the robustness of CET in the future.