Control-flow Enforcement Technology (CET) is a security feature in Intel processors. The 11th generation and later Intel CPUs will support the CET feature.
From a compatibility and performance perspective, CET is the best method to prevent ROP/JOP attacks at the root cause (instruction level).
CET consists of 2 functions: shadow stack (SHSTK) and indirect branch tracking (IBT).
- Shadow Stack – return address protection to defend against Return Oriented Programming (ROP)
- Indirect Branch Tracking – free branch protection to defend against Jump/Call Oriented Programming (JOP)

Only userspace SHSTK cases are provided at the current stage.
Userspace IBT cases will be provided in the future.

make

./quick_test

This tool tests shadow stack violations in a SHSTK-enabled (in ELF) binary or process, with the check points below:
- Do the SHSTK violation, and receive the expected signal
- Do the SHSTK violation triggered by signal, and receive the expected signal

It can quickly verify that SHSTK is working in the test environment.

./test_shadow_stack

This tool tests shadow stack violation, and enabling/disabling the shadow stack via syscall, in a non-SHSTK (in ELF) binary. It tests SHSTK violation via the arch_prctl syscall in a non-SHSTK binary, with the points below:
- Enable shadow stack by ARCH_CET_ENABLE syscall
- Disable shadow stack by ARCH_CET_DISABLE syscall
- Enable SHSTK writeable by ARCH_SHSTK_WRSS syscall
- Allocate the shstk buffer by map_shadow_stack syscall
- Do the SHSTK violation by using wrss to write the wrong shstk value, and receive the expected signal SIGSEGV
- Disable the SHSTK after the test, and there is no exception as expected

./shstk_huge_page

This tool tests huge page allocation and usage for the shstk buffer: it assigns a 4M buffer for the shadow stack and does loop calls to fill the shstk buffer without issue:
- Assign the 4M shadow stack buffer without issue
- Make the test process use the 4M shadow stack by call/ret without issue
- Test loop ping-pong calls to fill the shstk buffer without issue
- After all the above loop calls have finished, check that the value at rbp + 8 bytes is the same as the SHSTK value

./shstk_alloc

This tool's purpose is testing SHSTK related instructions:
- Test shstk buffer allocation for one new shstk buffer
- Test rstorssp, saveprevssp, rdsspq to load new shstk buffer
- Test rstorssp, saveprevssp to restore the previous shstk buffer

./wrss

This tool tests writing into the shadow stack with the wrss (q for 64bit) instruction in a SHSTK-enabled binary:
- Enable writable shadow stack via the system calls "ARCH_CET_ENABLE" and "ARCH_SHSTK_WRSS"
- Write one incorrect value into shadow stack
- The expected SIGSEGV should be received after ret instruction

All test results should show pass, no fail.
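
The tools above distinguish binaries marked SHSTK-enabled in ELF from non-SHSTK binaries. As an added example (not code from this test suite), the C function below decodes that marking from the raw bytes of a binary's `.note.gnu.property` section. It assumes a 64-bit little-endian ELF with 8-byte note alignment; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0           5u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2u
#define ALIGN8(x) (((uint64_t)(x) + 7u) & ~(uint64_t)7u)

/* Constructed sample: one "GNU" note with FEATURE_1_AND = IBT|SHSTK (0x3). */
static const uint8_t sample_note[32] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0,0,0xc0, 4,0,0,0, 0x03,0,0,0, 0,0,0,0 };

static uint32_t rd32(const uint8_t *p)      /* little-endian, as in x86 ELF */
{ return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Feature bitmask, 0 if the property is absent, -1 if the data is malformed. */
long cet_features_from_note(const uint8_t *sec, size_t len)
{
    uint64_t off = 0;
    while (off + 12 <= len) {               /* note header: namesz, descsz, type */
        uint32_t namesz = rd32(sec + off), descsz = rd32(sec + off + 4);
        uint64_t name = off + 12, desc = ALIGN8(name + namesz), end = desc + descsz;
        if (end > len) return -1;           /* truncated note */
        if (rd32(sec + off + 8) == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(sec + name, "GNU", 4) == 0) {
            for (uint64_t p = desc; p + 8 <= end; ) {
                uint32_t pr_type = rd32(sec + p), pr_datasz = rd32(sec + p + 4);
                if (p + 8 + pr_datasz > end) return -1;  /* property overruns note */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND)
                    return pr_datasz == 4 ? (long)rd32(sec + p + 8) : -1;
                p = ALIGN8(p + 8 + pr_datasz);           /* next property */
            }
        }
        off = ALIGN8(end);                  /* next note in the section */
    }
    return 0;
}

int note_has_shstk(const uint8_t *sec, size_t len)
{
    long f = cet_features_from_note(sec, len);
    return f > 0 && (f & GNU_PROPERTY_X86_FEATURE_1_SHSTK);
}

int main(void) { return note_has_shstk(sample_note, sizeof sample_note) ? 0 : 1; }
```

The ELF marking only states that the binary is built for shadow stack; whether SHSTK is active at run time still depends on CPU and kernel support, which is what the tools above verify.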