Enhancing software security by enabling Control-flow Enforcement Technology in GCC

Sep 8, 2017



Intel® recently published the specification for Control-flow Enforcement Technology (CET), a new technology designed in cooperation with Microsoft® to detect and block malware at the processor level. It is designed specifically to prevent exploits that rely on Return-Oriented Programming (ROP) or Call/Jump-Oriented Programming (COP/JOP). In these techniques an attacker chains fragments of legitimate executable code into malicious sequences that perform new functions. ROP attacks are a serious security threat, and current software-based detection and prevention techniques are not especially successful at stopping them. Because CET is enforced by the hardware, it is intended to close these gaps and provide better resistance against malware. CET introduces two new mechanisms to protect against ROP/JOP attacks: the Shadow Stack and Indirect Branch Tracking. The first defends against ROP by introducing an additional stack that is used only for storing function return addresses. The second protects against COP/JOP: the processor pipeline is used to detect control-flow violations, and an exception is raised when one is detected. In this talk we will discuss the work done across the whole GCC compiler architecture to implement this feature and enable its use with the new architecture. The changes span several tools and touch the compiler, its libraries, and low-level system libraries and tools such as glibc, binutils and ld. The main part of the talk will be devoted to the compiler support, its high-level design and the approaches taken. Additionally we will touch on implementation details for the propagation of tracking/notracking information, as well as the specifics of exception-handling support, which is a tricky part of the implementation given the hardware shadow stack.
Finally we will cover the testing process, which is not straightforward, as no existing hardware supports the new technology. OS-level support is out of the scope of this talk.
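One defender-side check that the toolchain work described above makes possible, as an added example that is not from the talk or from GCC/binutils: parsing the .note.gnu.property note that ld emits for an x86-64 link to see whether the IBT (indirect branch tracking) and SHSTK (shadow stack) features were requested. The sample note bytes are constructed here to match that layout, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Values from the ELF gABI and the x86-64 psABI. */
#define NT_GNU_PROPERTY_TYPE_0           5
#define GNU_PROPERTY_X86_ISA_1_USED      0xc0000000u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1)
#define ALIGN_UP(x, a) (((size_t)(x) + (a) - 1) & ~(size_t)((a) - 1))
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; } /* little-endian host assumed */
/* Walk an ELF64 .note.gnu.property blob and return the X86_FEATURE_1_AND bitmask
 * (IBT = bit 0, SHSTK = bit 1), or 0 if no such property is present. */
uint32_t cet_features_from_note(const uint8_t *note, size_t len)
{
    for (size_t off = 0; off + 12 <= len;) {
        uint32_t namesz = rd32(note + off), descsz = rd32(note + off + 4), type = rd32(note + off + 8);
        size_t desc_off = off + 12 + ALIGN_UP(namesz, 4);   /* name padded to 4 bytes */
        size_t next = desc_off + ALIGN_UP(descsz, 8);       /* descriptor padded to 8 (ELF64) */
        if (next > len) break;                              /* truncated note: stop, report nothing */
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 && memcmp(note + off + 12, "GNU", 4) == 0) {
            /* Descriptor is a list of (pr_type, pr_datasz, data) entries, each padded to 8. */
            for (size_t p = desc_off; p + 8 <= desc_off + descsz;) {
                uint32_t pr_type = rd32(note + p), pr_datasz = rd32(note + p + 4);
                if (p + 8 + pr_datasz > desc_off + descsz) break;
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    return rd32(note + p + 8);
                p += 8 + ALIGN_UP(pr_datasz, 8);
            }
        }
        off = next;
    }
    return 0;
}
/* Constructed sample: the note layout ld emits for an x86-64 link with -fcf-protection=full,
 * with an ISA_1_USED property placed first so the parser has to skip over it. */
const uint8_t sample_cet_note[] = {
    0x04,0,0,0, 0x20,0,0,0, 0x05,0,0,0, 'G','N','U',0,       /* namesz=4 descsz=32 type=5 "GNU" */
    0x00,0x00,0x00,0xc0, 0x04,0,0,0, 0x00,0,0,0, 0,0,0,0,    /* ISA_1_USED, datasz=4, data, pad */
    0x02,0x00,0x00,0xc0, 0x04,0,0,0, 0x03,0,0,0, 0,0,0,0,    /* FEATURE_1_AND, datasz=4, IBT|SHSTK */
};
int main(void)
{
    uint32_t f = cet_features_from_note(sample_cet_note, sizeof sample_cet_note);
    printf("IBT: %s, SHSTK: %s\n", (f & GNU_PROPERTY_X86_FEATURE_1_IBT) ? "yes" : "no",
           (f & GNU_PROPERTY_X86_FEATURE_1_SHSTK) ? "yes" : "no");
    return 0;
}
```

Against a real binary the same bytes can be read from the PT_GNU_PROPERTY segment, which is what `readelf -n` summarises as `x86 feature: IBT, SHSTK`.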



About GNU

The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Ada, and Go, as well as libraries for these languages (libstdc++,...). GCC was originally written as the compiler for the GNU operating system. The GNU system was developed to be 100% free software, free in the sense that it respects the user's freedom.


