Control-flow Enforcement Technology
This proposal has been rejected.
One Line Summary
Control-flow Enforcement Technology (CET) is a set of processor-based measures that combat prevailing, hard-to-detect exploits that rely on buffer overflows and “instruction gadgets” used by malware.
Abstract
Hackers often look for buffer overflow opportunities in an application and feed it illegal input data to overwrite function return addresses; combined with “gadgets”, this lets them manipulate the normal program execution path to achieve malicious behavior in a system. These techniques do not need any code injection, cannot be detected by binary signatures, and the resulting activity easily evades detection. CET blocks these exploits with the “shadow stack”, which stores a secure copy of every function return address, and the “end-branch” opcode, which prevents arbitrary decoding of multi-byte instructions. This presentation gives an overview of CET and highlights the software implementation for Linux.
Tags
Control-flow Enforcement Technology, CET, Buffer overflow, Control-flow diversion, Shadow stack, Endbranch
Speaker
Yu-cheng Yu
Intel Corporation
Biography
Yu-cheng Yu is a Linux kernel developer at Intel. He has worked on Intel XSAVES, KGT, HAXM, and the Android emulator.