Intel CET In Action

As part of our continuous update cycles for our Advanced Windows Exploitation (AWE) class, we examine each new security mitigation and ensure we understand how it works and how it can be bypassed.

Some of the research we have performed for our upcoming updates focus on the Control-flow Enforcement Technology (CET) mitigation developed by Intel. One of the reasons we wanted to investigate Intel CET is because it has been labeled as “the end” of ROP and stack based buffer overflow vulnerabilities.

Today, most exploits against both server-side and client-side applications make use of return oriented programming (ROP) as part of the exploitation process.

At the time of this writing, it has been roughly six months since CET’s release. In this blog, we’ll examine how effective CET is at mitigating real-world exploits that make use of ROP or stack based buffer overflow vulnerabilities.

Intel Control-flow Enforcement Technology

Let’s begin by noting some previous research on exactly how CET is implemented in Windows[cet1][cet2]. We’ll take a less academic approach in this blog, exploring where and how CET should intervene to stop exploits.

Although Intel CET was developed as a hardware-assisted mitigation, it must be facilitated in the software. CET has

Read More: