Paul Wise left as an exercise for the reader: > On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote: > > > i just stumbled upon the fact that debian doesn't yet make use of the > > Intel CET security feature, while many other distributions > > (Ubuntu, Fedora, Suse, Arch Linux) do. > > Allegedly Intel CET provides weak protection, although perhaps it > improved since the 2016 analysis by grsecurity folks: > https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks ehh, CET seems like the kind of "make easy things hard" defense-in-depth that's the cornerstone of protecting against the highest level of attackers. ASLR and a dozen other things are in the same boat; they make attacks more difficult to generalize and make reliable. also, the grsecurity folk in my experience tend to speak very harshly regarding any other efforts in their space (and they prefix this article with disclosure that CET can be considered competing technology). see their comments on other software CFI implementations  and kspp . they explicitly sum up that "CET is not advancing the state of the art", which indeed it might not be, but that doesn't mean it's a useless piece of engineering. it has a value that needs be weighed against its cost like most technologies.  https://grsecurity.net/rap_faq  https://lwn.net/Articles/698891/ -- nick black -=- https://www.nick-black.com to make an apple pie from scratch, you need first invent a universe.
Description: PGP signature