[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Intel CET Support?

Paul Wise left as an exercise for the reader:
> On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote:
> > i just stumbled upon the fact that debian doesn't yet make use of the
> > Intel CET security feature, while many other distributions
> > (Ubuntu, Fedora, Suse, Arch Linux) do.
> Allegedly Intel CET provides weak protection, although perhaps it
> improved since the 2016 analysis by grsecurity folks:
> https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks

ehh, CET seems like the kind of "make easy things hard" defense-in-depth
that's the cornerstone of protecting against the highest level
of attackers. ASLR and a dozen other things are in the same
boat; they make attacks more difficult to generalize and make

also, the grsecurity folk in my experience tend to speak very
harshly regarding any other efforts in their space (and they
prefix this article with disclosure that CET can be considered
competing technology). see their comments on other software CFI
implementations [0] and kspp [1]. they explicitly sum up that
"CET is not advancing the state of the art", which indeed it
might not be, but that doesn't mean it's a useless piece of
engineering. it has a value that needs be weighed against its
cost like most technologies.

[0] https://grsecurity.net/rap_faq
[1] https://lwn.net/Articles/698891/

nick black -=- https://www.nick-black.com
to make an apple pie from scratch,
you need first invent a universe.

Attachment: signature.asc
Description: PGP signature

Reply to: