Intel Working To Combine The Best Of CET + CFI Into "FineIBT"

Written by Michael Larabel in Intel on 6 August 2021 at 06:15 AM EDT. 2 Comments
Intel security researchers have been working on implementing toolchain-optimized fine-grained Control Flow Integrity (CFI) support on top of Intel's hardware-based Control-flow Enforcement Technology (CET). By leveraging Intel CET, the Control-Flow Integrity overhead is much lower than the otherwise pure software/compiler-based approach. This Linux security improvement is being worked on under the name of FineIBT.

The first public discussions by Intel researchers and engineers about providing fine-grained CFI on top of Intel's CET date back to February -- meanwhile the CET patches themselves have been a long time coming for the Linux kernel. CET hardware support debuted with Tiger Lake to help fend off possible ROP and COP/JOP style attacks. CFI support for the kernel meanwhile saw initial upstream support in Linux 5.13 when building with Clang. CFI adds compiler-generated run-time checks at every indirect function call to ensure the target is a valid function with a valid static type. Intel's combination of these technologies is referred to as FineIBT; it allows for more restrictive policies than CET alone can provide and is said to be more effective against control-flow attacks.
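As an added illustration (not Intel's FineIBT code nor the LLVM implementation), the following C model contrasts the coarse policy that CET's IBT enforces on its own, where any function that begins with a landing pad is a legal indirect-call target, with a fine-grained type check in which the caller supplies a hash of the expected function type and the callee's entry must match it. The type names, hash values and callee table are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Software model only: the hashes and the callee table stand in for what a
 * compiler would emit into each function prologue (landing pad + type hash). */
typedef int  (*int_handler_t)(int);
typedef void (*void_cb_t)(void);
typedef void (*anyfn_t)(void);          /* generic function pointer for storage */

#define HASH_INT_HANDLER 0x1a2b3c4du    /* constructed values, one per type */
#define HASH_VOID_CB     0x5e6f7081u
/* Caller side: the expected hash follows from the pointer's static type. */
#define TYPE_HASH(fp) _Generic((fp), int_handler_t: HASH_INT_HANDLER, \
                                     void_cb_t: HASH_VOID_CB)

struct callee { anyfn_t fn; bool landing_pad; uint32_t type_hash; };

static int  double_it(int x) { return 2 * x; }
static void flush_cb(void)   { }
static int  gadget(int x)    { return x; }   /* never meant as an indirect target */

static const struct callee callees[] = {
    { (anyfn_t)double_it, true,  HASH_INT_HANDLER },
    { (anyfn_t)flush_cb,  true,  HASH_VOID_CB },
    { (anyfn_t)gadget,    false, 0 },
};

static const struct callee *find_callee(anyfn_t fn) {
    for (size_t i = 0; i < sizeof callees / sizeof callees[0]; i++)
        if (callees[i].fn == fn) return &callees[i];
    return NULL;
}

/* CET IBT alone: any function that starts with a landing pad may be reached. */
bool ibt_allows(anyfn_t fn) {
    const struct callee *c = find_callee(fn);
    return c && c->landing_pad;
}

/* Fine-grained policy: landing pad AND the caller's type hash must both match. */
bool fine_cfi_allows(anyfn_t fn, uint32_t caller_hash) {
    const struct callee *c = find_callee(fn);
    return c && c->landing_pad && c->type_hash == caller_hash;
}

/* Instrumented indirect call through an int_handler_t slot; -1 means blocked,
 * so a slot corrupted to point at a function of another type is never run. */
int call_int_handler(int_handler_t slot, int arg) {
    if (!fine_cfi_allows((anyfn_t)slot, TYPE_HASH(slot))) return -1;
    return slot(arg);
}
```

A slot overwritten with flush_cb passes the landing-pad check that IBT alone performs, but fails the type-hash comparison, which is the extra restriction the fine-grained scheme adds.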

While CFI proponents have said the compiler-based security feature adds only ~1% overhead, Intel researchers sum up Clang CFI as having 5~53% overhead. Intel meanwhile says their FineIBT solution has only 1~7% overhead. Those numbers are based on custom micro-benchmarks they wrote to compare the two solutions.

While we haven't heard much about FineIBT since the original proposal in February and their modified LLVM/Clang code hasn't been updated since March, it appears Intel is still pursuing this tech. The Linux Security Summit happening next month now has a presentation on it on its schedule.

So come the end of September we should be hearing about Intel's latest efforts around FineIBT for the Linux kernel and any new developments or plans for getting the support ironed out.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
