Control-flow Integrity (CFI) attempts to validate the control-flow of a process. This is achieved by analyzing the application and building a Control-flow Graph (CFG) that represents the intended program behavior.
One important addition of CFI is the so-called "shadow stack". Next to the existing stack of an application, another one is introduced for verification purposes. Return addresses are pushed to both stacks upon function calls. When executing a return instruction, the top elements of both stacks are compared. If they are equal, execution continues; if they differ, a manipulation of the control-flow has been detected.
Major compilers such as GCC and LLVM support CFI. Naturally, applications need to be recompiled if CFI is added later on. Also note that the performance impact of a purely software-based solution should not be neglected.
Control-flow Enforcement Technology (CET) is a hardware-supported implementation of CFI suggested by Intel.
With CET, a shadow stack tracks function calls. Upon a call instruction, the return address is also pushed to the shadow stack. When returning from the function call, the return addresses are popped from both stacks and compared. In case of different values, an exception is raised. Additionally, targets of jmp and indirect call instructions are marked. An error occurs if these instructions are executed for a target that is not marked.
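The following C program is an added example, not code from the original page and not Intel's CET: it simulates the shadow-stack check described for both software CFI and CET on a constructed toy machine. Every call pushes the return address to an ordinary stack and to a shadow stack, a simulated stack overflow overwrites only the ordinary copy, and the return instruction refuses to continue when the two disagree. The opcodes, stack size and sample programs are assumptions made for this illustration.

```c
#include <stddef.h>
/* Constructed toy machine (hypothetical, not a real ISA): instructions are
 * {opcode, operand}; OP_SMASH models a stack buffer overflow that overwrites
 * the saved return address on the ordinary stack. */
enum { OP_HALT, OP_CALL, OP_RET, OP_SMASH };
enum { RUN_OK = 0, RUN_CFI_VIOLATION = 1, RUN_FAULT = 2 };
#define STACK_MAX 16
/* CALL pushes the return address onto both the ordinary stack (which the
 * program can corrupt) and the shadow stack (which only CALL/RET touch);
 * RET compares the two entries before transferring control. */
static int run(const int (*prog)[2], size_t nins)
{
    int stack[STACK_MAX], shadow[STACK_MAX];
    size_t sp = 0, pc = 0;                 /* both stacks share one depth */
    for (;;) {
        if (pc >= nins) return RUN_FAULT;
        int op = prog[pc][0], arg = prog[pc][1];
        if (op == OP_HALT) return RUN_OK;
        if (op == OP_CALL) {
            if (sp == STACK_MAX) return RUN_FAULT;
            stack[sp] = shadow[sp] = (int)(pc + 1);
            sp++;
            pc = (size_t)arg;
        } else if (op == OP_RET) {
            if (sp == 0) return RUN_FAULT;
            pc = (size_t)stack[--sp];      /* where the ordinary stack says */
            if (pc != (size_t)shadow[sp]) return RUN_CFI_VIOLATION;
        } else if (op == OP_SMASH) {
            if (sp == 0) return RUN_FAULT;
            stack[sp - 1] = arg;           /* return address clobbered */
            pc++;
        } else return RUN_FAULT;
    }
}

/* CALL 2; HALT; RET: the stacks agree at RET, control returns to HALT. */
int run_benign(void)
{
    static const int p[][2] = {{OP_CALL, 2}, {OP_HALT, 0}, {OP_RET, 0}};
    return run(p, 3);
}
/* CALL 3; HALT; HALT; SMASH 2; RET: the overflow redirects the return to
 * instruction 2, but the shadow stack still holds 1, so RET is refused. */
int run_smashed(void)
{
    static const int p[][2] = {{OP_CALL, 3}, {OP_HALT, 0}, {OP_HALT, 0},
                               {OP_SMASH, 2}, {OP_RET, 0}};
    return run(p, 5);
}
```

Without the shadow comparison, the smashed program would silently continue at instruction 2; with it, the mismatch is reported at the return, which is exactly the point where CET raises its exception.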
As of January 2018 the CET specification is only available as a preview and there are no processors supporting it on a hardware level. CET support is added to version 8 of GCC.