FineIBT Updated For Linux As Alternative Control Flow Integrity (CFI) Approach
Back in August 2021 saw initial patches by Intel for "FineIBT" for the Linux kernel as aiming to combine the best of their Control-flow Enforcement Technology (CET) and Control Flow Integrity for upping the kernel security protections in an efficient manner.
In the past year the FineIBT patches have been updated and this week Intel engineer Peter Zijlstra sent out the latest FineIBT patches for Linux. His latest summary of this FineIBT control flow integrity work for Linux comes down to:
This code builds off the latest Call Depth Tracking work on the way to mainline Linux (likely 6.2). See this patch series for the latest discussion around FineIBT -- including some discussion over additional security implications to consider. We'll see where this FineIBT work leads and if/when it manages to get picked up by the mainline kernel.
In the past year the FineIBT patches have been updated and this week Intel engineer Peter Zijlstra sent out the latest FineIBT patches for Linux. His latest summary of this FineIBT control flow integrity work for Linux comes down to:
Implement an alternative CFI scheme that merges both the fine-grained nature of kCFI but also takes full advantage of the coarse grained hardware CFI as provided by IBT.
To contrast:
kCFI is a pure software CFI scheme and relies on being able to read text -- specifically the instruction *before* the target symbol, and does the hash validation *before* doing the call (otherwise control flow is compromised already).
FineIBT is a software and hardware hybrid scheme; by ensuring every branch target starts with a hash validation it is possible to place the hash validation after the branch. This has several advantages:
o the (hash) load is avoided; no memop; no RX requirement.
o IBT WAIT-FOR-ENDBR state is a speculation stop; by placing the hash validation in the immediate instruction after the branch target there is a minimal speculation window and the whole is a viable defence against SpectreBHB.
Obviously this patch relies on kCFI (upstream), but additionally it also relies on the padding from the call-depth-tracking patches (tip/x86/core). It uses this padding to place the hash-validation while the call-sites are re-written to modify the indirect target to be 16 bytes in front of the original target, thus hitting this new preamble.
Notably, there is no hardware that needs call-depth-tracking (Skylake) and supports IBT (Tigerlake and onwards).
This code builds off the latest Call Depth Tracking work on the way to mainline Linux (likely 6.2). See this patch series for the latest discussion around FineIBT -- including some discussion over additional security implications to consider. We'll see where this FineIBT work leads and if/when it manages to get picked up by the mainline kernel.
1 Comment