Control-flow Enforcement Technology

This proposal has been rejected.


One Line Summary

Control-flow Enforcement Technology (CET) is a set of processor-based defenses against prevalent, hard-to-detect exploits that turn a buffer overflow into malicious control flow by chaining "instruction gadgets" already present in the program (return- and jump-oriented programming).


Attackers often look for a buffer overflow in an application and feed it crafted input that overwrites a function's return address. By chaining this with "gadgets", short instruction sequences that already exist in the program, they divert the normal execution path to achieve malicious behavior on the system. These techniques inject no code, cannot be detected by binary signatures, and the resulting activity easily evades detection. CET blocks them with two mechanisms: a "shadow stack" that keeps a protected copy of every function return address and raises a fault when the copy on the normal stack no longer matches it at return time, and the ENDBRANCH instruction, which marks every legitimate indirect branch target so that an indirect call or jump cannot land in the middle of a multi-byte instruction and decode a hidden gadget. This presentation gives an overview of CET and highlights the software implementation for Linux.
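The two mechanisms described above, as an added software model that is not part of the proposal and is not Intel's or the Linux kernel's CET code: the `cet_stack`, `cet_call`, `cet_ret` and `cet_indirect_branch` names, the fault codes, the return-address values and the sample code bytes are all constructed for illustration. The model keeps a second, attacker-unreachable copy of each return address and compares the two copies on return, and it checks that an indirect branch target begins with the ENDBR64 encoding (F3 0F 1E FA); real CET does both in hardware and raises a control-protection fault (#CP) on mismatch.

```c
/* Software model of CET shadow stack and indirect branch tracking.
 * Constructed example; it models the semantics, it does not use the
 * hardware feature. Build with: cc -Wall -o cet_model cet_model.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 16

/* Outcome of a RET or indirect branch under the model. */
enum cet_result { CET_OK = 0, CET_CP_FAULT = 1 };

/* The normal stack holds return addresses in attacker-reachable memory.
 * The shadow stack is written only by CALL and read only by RET; in real
 * CET it lives in pages the CPU marks shadow-stack-only, here it is just a
 * second array that the demo "attacker" never touches. */
typedef struct {
    uintptr_t data[STACK_DEPTH];    /* normal stack (overflow target) */
    uintptr_t shadow[STACK_DEPTH];  /* shadow stack (protected copy)  */
    size_t sp;                      /* both stacks advance together  */
} cet_stack;

static void cet_init(cet_stack *s) { memset(s, 0, sizeof *s); }

/* CALL: push the return address on both stacks. */
static int cet_call(cet_stack *s, uintptr_t return_addr) {
    if (s->sp >= STACK_DEPTH) return -1;
    s->data[s->sp] = return_addr;
    s->shadow[s->sp] = return_addr;
    s->sp++;
    return 0;
}

/* RET: pop both copies; if they differ the CPU raises #CP instead of
 * transferring control to the (corrupted) normal-stack value. */
static enum cet_result cet_ret(cet_stack *s, uintptr_t *target) {
    if (s->sp == 0) return CET_CP_FAULT;   /* shadow-stack underflow */
    s->sp--;
    if (s->data[s->sp] != s->shadow[s->sp]) return CET_CP_FAULT;
    *target = s->data[s->sp];
    return CET_OK;
}

/* Indirect branch tracking: the target of an indirect CALL/JMP must be
 * an ENDBR64 instruction. On CPUs without CET, ENDBR64 executes as a NOP,
 * which is what lets compilers emit it unconditionally. */
static const uint8_t ENDBR64[4] = {0xf3, 0x0f, 0x1e, 0xfa};

static enum cet_result cet_indirect_branch(const uint8_t *code, size_t len,
                                           size_t target) {
    if (target + sizeof ENDBR64 > len) return CET_CP_FAULT;
    if (memcmp(code + target, ENDBR64, sizeof ENDBR64) != 0) return CET_CP_FAULT;
    return CET_OK;
}

/* Constructed sample code bytes: a function that starts with ENDBR64,
 * loads 0xC3 into rax, and returns. The immediate byte 0xC3 at offset 7
 * also decodes as RET when jumped to directly: a one-byte gadget hidden
 * inside a multi-byte instruction, exactly what IBT is meant to deny. */
static const uint8_t sample_code[] = {
    0xf3, 0x0f, 0x1e, 0xfa,                   /* 0:  endbr64        */
    0x48, 0xc7, 0xc0, 0xc3, 0x00, 0x00, 0x00, /* 4:  mov rax, 0xc3  */
    0xc3,                                     /* 11: ret            */
};
#define GADGET_OFFSET 7   /* the 0xc3 inside the mov immediate */

/* Benign flow: CALL then RET, both copies agree. */
static enum cet_result demo_normal_return(void) {
    cet_stack s; uintptr_t t = 0;
    cet_init(&s);
    cet_call(&s, 0x401000);
    return cet_ret(&s, &t);
}

/* Attack flow: after CALL, an overflow overwrites the normal-stack slot
 * with a gadget address (constructed value). RET sees the mismatch. */
static enum cet_result demo_overwritten_return(void) {
    cet_stack s; uintptr_t t = 0;
    cet_init(&s);
    cet_call(&s, 0x401000);
    s.data[s.sp - 1] = 0x40ffff;   /* models the buffer overflow */
    return cet_ret(&s, &t);
}

static enum cet_result demo_ibt_valid_target(void) {
    return cet_indirect_branch(sample_code, sizeof sample_code, 0);
}

static enum cet_result demo_ibt_gadget_target(void) {
    return cet_indirect_branch(sample_code, sizeof sample_code, GADGET_OFFSET);
}

int main(void) {
    printf("normal return:        %s\n", demo_normal_return() == CET_OK ? "ok" : "#CP");
    printf("overwritten return:   %s\n", demo_overwritten_return() == CET_OK ? "ok" : "#CP");
    printf("indirect to endbr64:  %s\n", demo_ibt_valid_target() == CET_OK ? "ok" : "#CP");
    printf("indirect to gadget:   %s\n", demo_ibt_gadget_target() == CET_OK ? "ok" : "#CP");
    return 0;
}
```

The model shows why a plain return-address overwrite is caught only at RET (the shadow copy is never consulted earlier) and why ENDBR64 has to be the first bytes at the target, not merely somewhere in the function. To get the real thing, GCC and Clang emit ENDBR64 and shadow-stack-compatible code with `-fcf-protection=full`, but enforcement also requires CET-capable hardware plus kernel and loader support; without them the ENDBR64 instructions simply execute as NOPs.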


Control-flow Enforcement Technology, CET, Buffer overflow, Control-flow diversion, Shadow stack, Endbranch


  • Yu-cheng Yu

    Intel Corporation


    Yu-cheng Yu is a Linux kernel developer at Intel. He has worked on Intel XSAVES, KGT, HAXM, and the Android emulator.