Intel's CET Shadow Stack issue

Re: Intel's CET Shadow Stack issue

Post by iconic (Site Admin) »

> not Indirect Branch Tracking of CET

That's good news as it was my primary worry :D
Indirect branch tracking – free branch protection to defend against Jump/Call Oriented Programming
--Iconic
Post by madshi (Site Admin) »

New build up:

http://madshi.net/madCollectionUpdate.exe

I *think* this should fix CET. But I don't currently have CET capable hardware, so I can't really verify.
Post by jakeads »

Good news, but my subscription has expired.

Would you send test program to verify?

You can make the test program like this.
Create "sc.exe" process and Inject the dll which hooks NtTerminateProcess API.
Post by madshi (Site Admin) »

Post by jakeads »

I have verified this issue has been fixed.

Thanks.
Post by iconic (Site Admin) »

Thanks Jakeads,

And also thanks for pointing out that Windows only cares about RET with Intel’s CET, it’s a relief. If Windows adopted the full IBT enforcement at the hardware level both jumps and calls would also be under scrutiny. Luckily, MS likely realized that their own hotpatching/detours/DLL Shims would also refuse to function.

—Iconic
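The point above is that the shadow stack is a per-process mitigation: a hooking DLL is only subject to RET checking inside processes where Windows has user-mode shadow stack enabled, and only on CET-capable hardware. The following PowerShell script is an added example for checking which running processes that applies to; it is not code from this thread or from madCodeHook. It calls the documented kernel32 API GetProcessMitigationPolicy with the ProcessUserShadowStackPolicy class and decodes the flag bits of PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY. Assumptions: Windows 10 20H1 or later (earlier builds do not know this policy class and the call fails, which the script reports as unknown), and an elevated prompt so that most processes can be opened.

```powershell
# Added example: report which running processes have user-mode shadow stack
# (Intel CET) enabled, using GetProcessMitigationPolicy. Not part of the thread
# or of madCodeHook. Assumes Windows 10 20H1+ and an elevated prompt.

$src = @"
using System;
using System.Runtime.InteropServices;
public static class CetQuery {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    // PVOID lpBuffer is a single DWORD for the shadow stack policy class.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int policy,
                                                         out uint buffer, UIntPtr length);
}
"@
Add-Type -TypeDefinition $src

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ProcessUserShadowStackPolicy      = 15      # PROCESS_MITIGATION_POLICY enum value

# Bit layout of PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY.Flags (low bits):
$EnableUserShadowStack           = 0x01      # bit 0: shadow stack enforced (RET checked)
$AuditUserShadowStack            = 0x02      # bit 1: mismatches logged, not fatal
$SetContextIpValidation          = 0x04      # bit 2: SetThreadContext RIP validation
$EnableUserShadowStackStrictMode = 0x10      # bit 4: strict mode

function Get-ShadowStackState {
    param([int]$ProcessId)
    $h = [CetQuery]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }        # access denied or process exited
    try {
        $flags = [uint32]0
        $ok = [CetQuery]::GetProcessMitigationPolicy($h, $ProcessUserShadowStackPolicy,
                                                      [ref]$flags, [UIntPtr]::new([uint64]4))
        if (-not $ok) { return $null }                  # policy class unknown on this OS
        [pscustomobject]@{
            Pid        = $ProcessId
            Enforced   = [bool]($flags -band $EnableUserShadowStack)
            AuditOnly  = [bool]($flags -band $AuditUserShadowStack)
            StrictMode = [bool]($flags -band $EnableUserShadowStackStrictMode)
            Flags      = ('0x{0:X8}' -f $flags)
        }
    } finally {
        [void][CetQuery]::CloseHandle($h)
    }
}

# Walk every process we can open and list the ones where RET is actually checked.
Get-Process | ForEach-Object {
    $state = Get-ShadowStackState -ProcessId $_.Id
    if ($state) {
        $state | Add-Member -NotePropertyName Name -NotePropertyValue $_.ProcessName -PassThru
    }
} | Where-Object Enforced | Sort-Object Name |
    Format-Table Name, Pid, Enforced, AuditOnly, StrictMode, Flags -AutoSize
```

The flags describe the policy Windows applies to the process; whether a RET mismatch is actually trapped still depends on the CPU supporting CET, which is why a fix like the hotfix above can only be verified on CET-capable hardware. A process that shows Enforced here is one where an injected hook must keep the real return address on the shadow stack consistent with the normal stack; processes showing only AuditOnly will log mismatches rather than terminate.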
Post by Bevan Collins »

Hi,

What is the schedule for including the fix for this issue in a release?

Thanks
Post by madshi (Site Admin) »

The "hotfix" build seems to be stable. A big security company has tested it for their internal use and found no issues (so far), so I think the hotfix is probably good to go for release builds. I do plan to release an "official" new build soon(ish), but it's likely to be identical to the current hotfix, with just the documentation/version information updated. I don't really have a schedule/ETA for an official build atm, because I'm busy with another urgent project.

***Small Edit*** Die = "The" in German :D --Iconic