Intel Control-flow Enforcement Technology Specification

1 Introduction

Return-oriented Programming (ROP), and similarly call/jmp-oriented programming (COP/JOP), have been the prevalent attack methodology for stealth exploit writers targeting vulnerabilities in programs. These attack methodologies have the following elements in common:


  • A code module with execution privilege that contains small snippets of code sequence with the following characteristic: at least one instruction in the sequence is a control transfer instruction whose target address depends on data either in the return stack or in a register,


  • Diverting the control flow instruction (e.g., RET, CALL, JMP) from its original target address to a new target (via modification in the data stack or in the register).


Control-flow Enforcement Technology (CET) provides the following capabilities to defend against ROP/JOP style control-flow subversion attacks:


  • Shadow Stack – return address protection to defend against Return Oriented Programming,


  • Indirect branch tracking – free branch protection to defend against Jump/Call Oriented Programming.

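To make the two mechanisms concrete, here is a small added example (not code from the Intel specification or from this post) that models a toy machine with both a shadow stack and indirect branch tracking. The instruction mnemonics (`call`, `ret`, `jmp_reg`, `endbr`, `poke`) and the sample programs are constructed simplifications: the shadow stack keeps a hardware-managed copy of every return address and compares it on `ret`, and the branch tracker requires the instruction at an indirect-branch target to be an `endbr` marker; either check failing raises the equivalent of the #CP exception.

```python
"""Toy model of CET's Shadow Stack and Indirect Branch Tracking.

Constructed example for illustration only; the mnemonics are simplified
and do not correspond to the real encodings or instruction names.
"""


class ControlProtectionFault(Exception):
    """Models the #CP exception (interrupt vector 21) raised when a CET check fails."""


def run(program, shadow_stack=True, ibt=True, regs=None, max_steps=200):
    """Execute `program` (a list of instruction tuples) and return the list
    of executed instruction addresses. Raises ControlProtectionFault when
    a shadow-stack or branch-tracking check fails."""
    regs = dict(regs or {})
    data_stack = []        # ordinary, writable data stack holding return addresses
    shadow = []            # hardware-managed copy of the return addresses
    expect_endbr = False   # IBT tracker state: set right after an indirect branch
    pc, trace = 0, []
    for _ in range(max_steps):
        op, *args = program[pc]
        trace.append(pc)
        # Indirect Branch Tracking: the target of an indirect branch must be ENDBR.
        if ibt and expect_endbr and op != "endbr":
            raise ControlProtectionFault(f"indirect branch target {pc} lacks ENDBR")
        expect_endbr = False
        if op == "halt":
            return trace
        elif op == "endbr":            # no-op marker for legitimate branch targets
            pc += 1
        elif op == "call":             # push return address on both stacks
            data_stack.append(pc + 1)
            if shadow_stack:
                shadow.append(pc + 1)
            pc = args[0]
        elif op == "ret":              # Shadow Stack: both copies must agree
            target = data_stack.pop()
            if shadow_stack and shadow.pop() != target:
                raise ControlProtectionFault(f"return address mismatch at {pc}")
            pc = target
        elif op == "jmp_reg":          # indirect branch through a register
            pc = regs[args[0]]
            expect_endbr = True
        elif op == "set":              # load a register with an immediate
            regs[args[0]] = args[1]
            pc += 1
        elif op == "poke":             # overwrite the saved return address on the data stack
            data_stack[-1] = args[0]   # (models the stack corruption described above)
            pc += 1
        else:
            raise ValueError(f"unknown instruction {op!r}")
    raise RuntimeError("step limit exceeded")


def outcome(program, **cfg):
    """Return 'ok' if the program runs to halt, '#CP' if a CET check fires."""
    try:
        run(program, **cfg)
        return "ok"
    except ControlProtectionFault:
        return "#CP"


# Constructed sample programs (addresses are list indices).
PROGRAM_A = [("call", 2), ("halt",), ("endbr",), ("ret",)]                     # well-behaved call/return
PROGRAM_B = [("call", 2), ("halt",), ("endbr",), ("poke", 5), ("ret",), ("halt",)]  # RET diverted via the data stack
PROGRAM_C = [("set", "rax", 3), ("jmp_reg", "rax"), ("halt",), ("halt",)]         # target has no ENDBR
PROGRAM_D = [("set", "rax", 3), ("jmp_reg", "rax"), ("halt",), ("endbr",), ("halt",)]  # target starts with ENDBR

if __name__ == "__main__":
    print("A (normal return):          ", outcome(PROGRAM_A))
    print("B (diverted RET, CET on):   ", outcome(PROGRAM_B))
    print("B (diverted RET, SS off):   ", outcome(PROGRAM_B, shadow_stack=False))
    print("C (jmp to non-ENDBR, CET on):", outcome(PROGRAM_C))
    print("D (jmp to ENDBR target):    ", outcome(PROGRAM_D))
```

Program B shows the shadow-stack point of the section above: the diverted `ret` runs to completion when the shadow stack is disabled but faults when it is enabled, because the data-stack copy of the return address no longer matches the shadow copy. Programs C and D show the branch-tracking point: the same indirect jump is accepted only when its target begins with the marker.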

The rest of this document is organized as follows:


After an overview of Shadow Stack and Indirect Branch Tracking in the rest of this section, Sections 2 and 3 describe the programming environment of Shadow Stack and Indirect Branch Tracking. Sections 4 and 5 describe changes to traditional control flow instructions and task switching behaviors when these new capabilities are enabled. Both Shadow Stack and Indirect Branch Tracking introduce new instruction set extensions, which are described in Sections 6 and 7.


Control-flow Enforcement Technology introduces a new exception class (#CP) with interrupt vector 21. Section 8 covers enumeration, configuration and new exception class. Sections 9 through 17 cover interactions between CET and other IA system enhancement technology, including paging, VMX, SMX, SGX.


NOTE
In sections 4 and 5, text in this color is used to illustrate the extensions to the control transfer instructions and flows for CET.


Author: TaQini
Link: http://taqini.space/2020/04/30/cet-docs/
License: Unless otherwise stated, all posts on this blog are licensed under CC BY-NC-SA 4.0. Please credit TaQini when reposting.