Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity

2019 
Intel has developed Control-flow Enforcement Technology (CET) [27] that provides CPU instruction set architecture (ISA) capabilities to defend against Return-oriented Programming (ROP) and call/jmp-oriented programming (COP/JOP) style control-flow subversion attacks. This attack methodology uses code sequences in authorized modules with at least one instruction in the sequence being a control transfer instruction that depends on attacker-controlled data either in the return stack or in a register/memory for the target address. Attackers stitch these sequences together by diverting the control flow instruction (e.g. RET, CALL, JMP) from its original target address to a new target (via modification in the data stack or in the register or memory used by these instructions). This paper describes CET security objectives, threat model and various architectural design choices to ensure that the design meets the security objectives. We conclude the paper with performance data and related work in this domain.