Enhancing software security by enabling Control-flow Enforcement Technology in GCC

Sep 8, 2017 · 163 views

Recently Intel® published a specification for a new technology, designed in cooperation with Microsoft®, that is meant to detect and block malware at the processor level: Control-flow Enforcement Technology (CET). The technology has been designed specifically to prevent the use of Return-Oriented Programming (ROP) and Call/Jump-Oriented Programming (COP/JOP) in exploit design. Those techniques are used by attackers to tie together fragments of legitimate executable code into malicious sequences that perform new functions. ROP attacks are serious security threats that current software-based detection and prevention techniques are not especially successful at stopping. CET, thanks to its hardware-level enforcement, is intended to close those security gaps and provide better resistance against malware. CET introduces two new means of protection against ROP/JOP attacks: the Shadow Stack and Indirect Branch Tracking. The first defends against ROP by introducing an additional stack used only for storing function return addresses. The second secures against COP/JOP; this is achieved by using the processor pipeline to detect control-flow violations and raising an exception when one is detected. In this talk we will discuss the work done across the whole GCC compiler architecture to implement this feature and enable its use on the new architecture. The changes span several tools and touch the compiler, its libraries, and low-level system libraries and tools such as glibc, binutils and ld. The main part of the talk will be devoted to the compiler support, its high-level design and the approaches taken. Additionally we will touch on implementation details for the propagation of tracking/notracking information, as well as the specifics of exception handling support, which is a tricky part of the implementation given a hardware shadow stack.
Finally we will cover the testing process, which is not straightforward since no existing hardware supports the new technology. OS-level support is out of this talk's scope.
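The two checks the abstract describes can be modelled in a few lines of C. The following is an added illustrative model, not Intel's specification or GCC's implementation: it keeps a return address on both an ordinary data stack and a shadow stack, compares them at return time, and allows an indirect branch only when its destination is marked as beginning with an end-branch instruction. All addresses, the `machine` and `code_loc` types and the `scenario_*` functions are constructed for this example; the real hardware raises an exception where the model returns a status code.

```c
/*
 * Added illustrative model (not GCC or Intel code) of the two CET checks
 * described in the abstract: a shadow stack that catches a tampered return
 * address, and indirect-branch tracking that only allows indirect
 * call/jump targets that begin with an end-branch marker (ENDBR).
 * Addresses used below are constructed sample values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16

typedef enum {
    CF_OK = 0,
    CF_SHSTK_FAULT = 1, /* return address on data stack != shadow stack copy */
    CF_IBT_FAULT = 2    /* indirect branch landed on code without ENDBR    */
} cf_status;

/* A simulated code location: its address and whether it starts with ENDBR. */
typedef struct {
    uintptr_t addr;
    bool has_endbr;
} code_loc;

/* Simulated CPU state: the ordinary stack (writable by the program, and by
 * a memory-corruption bug) and the shadow stack (written only by CALL/RET). */
typedef struct {
    uintptr_t data_stack[STACK_DEPTH];
    uintptr_t shadow_stack[STACK_DEPTH];
    int sp;
    int ssp;
} machine;

/* CALL pushes the return address onto both stacks. */
bool cf_call(machine *m, uintptr_t ret_addr) {
    if (m->sp >= STACK_DEPTH || m->ssp >= STACK_DEPTH)
        return false;
    m->data_stack[m->sp++] = ret_addr;
    m->shadow_stack[m->ssp++] = ret_addr;
    return true;
}

/* RET pops both copies and compares them; a mismatch is a control-protection
 * fault and control never transfers to the tampered address. */
cf_status cf_ret(machine *m, uintptr_t *target) {
    if (m->sp <= 0 || m->ssp <= 0)
        return CF_SHSTK_FAULT; /* underflow: nothing legitimate to return to */
    uintptr_t from_data = m->data_stack[--m->sp];
    uintptr_t from_shadow = m->shadow_stack[--m->ssp];
    if (from_data != from_shadow)
        return CF_SHSTK_FAULT;
    *target = from_data;
    return CF_OK;
}

/* An indirect CALL/JMP is only valid if the destination begins with ENDBR. */
cf_status cf_indirect_branch(const code_loc *target) {
    return target->has_endbr ? CF_OK : CF_IBT_FAULT;
}

/* Normal call/return: both stacks agree; returns the resumed address (0 on fault). */
uintptr_t scenario_clean_return_target(void) {
    machine m = {0};
    uintptr_t at = 0;
    cf_call(&m, 0x401000); /* constructed return address */
    return cf_ret(&m, &at) == CF_OK ? at : 0;
}

/* A bug overwrites the saved return address on the data stack; the shadow
 * copy is untouched, so RET detects the mismatch before control transfers. */
cf_status scenario_corrupted_return(void) {
    machine m = {0};
    uintptr_t at = 0;
    cf_call(&m, 0x401000);
    m.data_stack[m.sp - 1] = 0x402200; /* constructed: corrupted slot */
    return cf_ret(&m, &at);
}

/* Indirect call to a function entry marked with ENDBR: allowed. */
cf_status scenario_indirect_to_entry(void) {
    code_loc entry = { 0x403000, true };
    return cf_indirect_branch(&entry);
}

/* Indirect call into the middle of a function (no ENDBR there): blocked. */
cf_status scenario_indirect_mid_function(void) {
    code_loc mid = { 0x403017, false };
    return cf_indirect_branch(&mid);
}

int main(void) {
    printf("clean return resumes at 0x%lx\n", (unsigned long)scenario_clean_return_target());
    printf("corrupted return: status %d\n", scenario_corrupted_return());
    printf("indirect to ENDBR entry: status %d\n", scenario_indirect_to_entry());
    printf("indirect mid-function: status %d\n", scenario_indirect_mid_function());
    return 0;
}
```

The point the model makes is the one the abstract relies on: the shadow stack is a second copy that ordinary memory writes cannot reach, so a corrupted return address is caught by comparison rather than by trying to recognise malicious code, and indirect-branch tracking turns "where may control land" into a property of the instruction at the destination, which is why the compiler has to emit the markers and propagate tracking/notracking information through the whole toolchain.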


© SlidesLive Inc.