AD3015: EnableIntelCET¶
Summary¶
| Property | Value |
|---|---|
| ID | AD3015 |
| Name | EnableIntelCET |
| Category | Security |
| Severity | Warning |
| Applies to | ELF (Linux/Unix) - x86_64 |
Description¶
This rule checks that x86_64 ELF binaries have Intel Control-flow Enforcement Technology (CET) enabled, specifically Indirect Branch Tracking (IBT). CET is a hardware-based protection against Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks.
Why This Matters¶
Intel CET with Indirect Branch Tracking (IBT) provides hardware-enforced protection against JOP and COP attacks. Unlike software-only CFI instrumentation, the check is performed by the CPU on every indirect branch, so an attacker who has already corrupted memory cannot skip or patch out the check. IBT is coarse-grained, however: any ENDBR64 location (in practice, any function entry) remains a valid target, so it shrinks the attacker's choice of targets rather than pinning each indirect branch to its intended callee.
The JOP/COP Attack Problem¶
Jump-Oriented Programming (JOP) and Call-Oriented Programming (COP) bypass defenses that only protect return addresses:
- ROP: chains gadgets with RET instructions
  - Defeated by Shadow Stack
- JOP: chains gadgets with indirect JMP instructions
  - Not stopped by Shadow Stack alone
  - Needs IBT to prevent
- COP: chains gadgets with indirect CALL instructions
  - Similar to JOP
  - Also needs IBT
How IBT Works¶
```text
Without IBT:
    jmp rax    -> can jump ANYWHERE in code, including into the middle of an instruction
    call rbx   -> can call ANYWHERE in code

With IBT:
    jmp rax    -> target MUST start with ENDBR64
    call rbx   -> target MUST start with ENDBR64
    otherwise  -> #CP (control-protection) exception; the process is killed
                  (Linux delivers it as SIGSEGV)
```
ENDBR64 Landing Pads¶
The compiler inserts ENDBR64 (opcode bytes F3 0F 1E FA) at every location that may legitimately be reached by an indirect branch: function entry points (any function whose address may be taken, which for an exported function is every one) and the targets of indirect jumps such as switch jump tables. Direct calls and jumps are not tracked, so code reached only through direct branches needs no landing pad. On a CPU without CET the same four bytes decode as a NOP, which is what keeps the binary backward compatible.
Gadget Reduction¶
IBT dramatically reduces available gadgets:
| Code Type | Without IBT | With IBT |
|---|---|---|
| Valid indirect-branch targets | Every byte offset in executable code (x86 instructions are variable-length, so unintended instruction sequences count too) | Only offsets that start with ENDBR64 |
| Available gadgets | Many | Few, at known locations (function entries and jump-table targets) |
| Attack complexity | Moderate | Much harder; JOP/COP chains must be built from whole functions |
CPU Support¶
| Processor | CET Support |
|---|---|
| Intel Tiger Lake (11th Gen Core) and later | Full (IBT and Shadow Stack) |
| AMD Zen 3+ | Shadow Stack only |
| AMD Zen 4+ | Full CET |
On Linux, the `ibt` flag in /proc/cpuinfo shows whether the running CPU reports IBT; a CPU without it executes ENDBR64 as a NOP.
Software Requirements¶
| Component | Minimum Version |
|---|---|
| GCC | 8.0+ (`-fcf-protection`) |
| Clang | 7.0+ |
| binutils | 2.31+ (linker merges the GNU property notes) |
| glibc | 2.28+ built with CET support (the loader enables CET for the process) |
| Linux kernel | 6.6+ for user-space Shadow Stack (CONFIG_X86_USER_SHADOW_STACK); user-space IBT enforcement is not yet merged in mainline Linux, so on current mainline kernels an IBT-marked binary is not enforced even on a CET CPU (kernel-mode IBT for the kernel's own code exists since 5.18) |
Fallback Behavior¶
CET binaries run on older CPUs without protection:
```text
On CET-enabled CPU (with a kernel and libc that enable CET for the process):
  - IBT active, ENDBR64 enforced
  - Full protection

On older CPU:
  - ENDBR64 treated as NOP
  - No protection, but code still works
  - Graceful degradation
```
The same degradation happens on a CET-capable CPU when the kernel or the C library does not enable CET for the process: the marking in the binary is a statement of capability, not a guarantee of enforcement, so confirm enforcement on the target system where the protection matters.
Why enable it:
- Hardware-enforced security: CET uses CPU features to enforce control-flow integrity
- JOP protection: IBT ensures indirect branches land only on ENDBR64 instructions
- Defense in depth: Complements existing protections like ASLR and stack canaries
- Modern standard: Increasingly required by security-focused distributions
Performance Considerations¶
Intel CET/IBT has near-zero runtime overhead due to hardware implementation:
| Metric | Impact |
|---|---|
| Runtime overhead | <1% |
| Code size increase | 1-2% (ENDBR64 instructions) |
| Memory overhead | None |
Why CET is efficient:
- ENDBR64 is a single 4-byte instruction (essentially a NOP on the happy path)
- Hardware validation happens in parallel with instruction decode
- No additional memory accesses or branches
Workload impact:
| Workload | Overhead |
|---|---|
| Compute-bound | <0.5% |
| Call-intensive | <1% |
| Indirect-call heavy | 1-2% |
Combined with Shadow Stack:
Enabling both IBT and Shadow Stack (-fcf-protection=full) adds approximately 1-2% total overhead for comprehensive protection.
How CET/IBT Works¶
When IBT is enabled for a process, the CPU tracks every indirect jump and call: the next instruction executed after such a branch must be ENDBR64, otherwise the CPU raises a control-protection (#CP) fault. Enablement is per process. The linker records the binary's capability as the GNU_PROPERTY_X86_FEATURE_1_AND property in the .note.gnu.property section, and the dynamic loader turns IBT on only when the executable and every shared library it loads carry that property; a single non-CET library in the process therefore disables the protection for the whole process.
How to Fix¶
Compile with CET enabled¶
```bash
# GCC 8+ or Clang 7+
gcc -fcf-protection=full -o myapp myapp.c

# Options:
#   -fcf-protection=full    - Enable both IBT and Shadow Stack
#   -fcf-protection=branch  - Enable IBT only
#   -fcf-protection=return  - Enable Shadow Stack only
```
The flag must be applied to every object that ends up in the binary. The property is an AND property (its name ends in `_AND`): GNU ld sets the IBT bit in the output only when every input object, including objects pulled from static libraries and any hand-written assembly, carries it, so a single file built without `-fcf-protection` silently drops the marking from the final binary. GNU ld's `-z cet-report=warning` (or `error`) names the offending inputs.
Verify the fix¶
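The standard check is `readelf -n myapp`, which lists the `.note.gnu.property` section and a `x86 feature: IBT, SHSTK` line when the bits are set. The following script, an added example and not part of the rule's own implementation, performs the same check directly on the ELF bytes so the layout the rule depends on is visible: it walks the ELF64 section headers, finds `.note.gnu.property`, and decodes the `GNU_PROPERTY_X86_FEATURE_1_AND` property. The constants are from the x86-64 psABI and the GNU property-note format; `build_sample_elf()` fabricates a header-only ELF with just that note so the check can be exercised offline, and the file format it produces is a constructed sample, not output of any real toolchain.

```python
from __future__ import annotations
import struct
import sys

# x86-64 psABI / GNU property-note constants (assumed values, not from the page)
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1
EM_X86_64 = 62
SHT_NOTE, SHT_STRTAB = 7, 3


def _align8(n: int) -> int:
    return (n + 7) & ~7


def find_section(elf: bytes, wanted: bytes) -> bytes | None:
    """Walk the ELF64 section headers and return the raw bytes of section `wanted`."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if struct.unpack_from("<H", elf, 18)[0] != EM_X86_64:
        raise ValueError("not an x86-64 ELF file")
    e_shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        return None  # section headers stripped: cannot locate the note this way

    def shdr(i: int):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize
        return struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)

    str_off = shdr(e_shstrndx)[4]  # file offset of .shstrtab
    for i in range(e_shnum):
        s = shdr(i)
        name_start = str_off + s[0]
        name = elf[name_start:elf.index(b"\0", name_start)]
        if name == wanted:
            return elf[s[4]:s[4] + s[5]]
    return None


def x86_feature_1(note: bytes) -> int:
    """Return the GNU_PROPERTY_X86_FEATURE_1_AND bitmask from a .note.gnu.property section (0 if absent)."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, n_type = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _align8(namesz)           # ELF64 property notes pad name and desc to 8 bytes
        desc = note[off:off + descsz]
        off += _align8(descsz)
        if name != b"GNU\0" or n_type != NT_GNU_PROPERTY_TYPE_0:
            continue
        d = 0
        while d + 8 <= len(desc):       # desc is a list of (pr_type, pr_datasz, data) entries
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            d += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                return struct.unpack_from("<I", desc, d)[0]
            d += _align8(pr_datasz)
    return 0


def check_cet(elf: bytes) -> dict:
    """The question AD3015 asks: does the binary advertise IBT (and, for AD3016, SHSTK)?"""
    note = find_section(elf, b".note.gnu.property")
    if note is None:
        return {"note": False, "ibt": False, "shstk": False}
    bits = x86_feature_1(note)
    return {"note": True,
            "ibt": bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


def build_sample_elf(feature_bits: int | None) -> bytes:
    """Constructed sample input: a header-only x86-64 ELF64 whose only content is a
    .note.gnu.property section (omitted when feature_bits is None). Not runnable code,
    just enough structure for check_cet() to take the same path as on a real binary."""
    note = b""
    if feature_bits is not None:
        desc = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, 4) + struct.pack("<I", feature_bits) + b"\0" * 4
        note = struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + b"\0" * 4 + desc
    shstrtab = b"\0.note.gnu.property\0.shstrtab\0"
    note_off, str_off = 64, 64 + len(note)
    shoff = _align8(str_off + len(shstrtab))
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # SHN_UNDEF entry
    if note:
        shdrs += struct.pack("<IIQQQQIIQQ", 1, SHT_NOTE, 2, 0, note_off, len(note), 0, 0, 8, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 20, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    shnum = 3 if note else 2
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, EM_X86_64, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    body = ehdr + note + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(GNU_PROPERTY_X86_FEATURE_1_IBT)
    result = check_cet(data)
    print("AD3015:", "pass" if result["ibt"] else "FAIL", result)
```

Run it as `python3 check_cet.py ./myapp` and compare with `readelf -n ./myapp`. A binary built without `-fcf-protection` usually has no `.note.gnu.property` at all (`note: False`); one where a single input object lacked the flag still has the note but with the IBT bit cleared, which is the case the script distinguishes and `readelf` shows as a property line without `IBT`.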
Example¶
Fail: Binary does not have CET/IBT enabled
Pass: Binary has CET/IBT enabled
Requirements¶
- Compiler: GCC 8+ or Clang 7+, with `-fcf-protection` applied to every object linked into the binary
- CPU: Intel Tiger Lake or later for IBT and Shadow Stack; AMD Zen 3 or later for Shadow Stack (see CPU Support above)
- Kernel: Linux 6.6+ for user-space Shadow Stack; user-space IBT enforcement is not yet in mainline Linux
- glibc: 2.28+ built with CET support (2.33+ for full support)
See Also¶
- AD3016: EnableIntelShadowStack - Shadow Stack (SHSTK)
- Intel CET Specification