Intel Working To Combine The Best Of CET + CFI Into "FineIBT"

Written by Michael Larabel in Intel on 6 August 2021 at 06:15 AM EDT. 2 Comments
INTEL
Intel security researchers have been working on implementing toolchain-optimized fine-grained Control Flow Integrity (CFI) support on top of Intel's hardware-based Control-flow Enforcement Technology (CET). By leveraging Intel CET, the Control-Flow Integrity overhead is much lower than the otherwise pure software/compiler-based approach. This Linux security improvement is being worked on under the name of FineIBT.

Going back to February was the first security discussions by Intel researchers and engineers about providing fine-grained CFI on top of Intel's CET -- meanwhile the CET patches themselves have been a long time coming for the Linux kernel. CET hardware support debuted with Tiger Lake for helping to fend off possible ROP and COP/JOP style attacks. CFI support for the kernel meanwhile saw initial upstream support in Linux 5.13 when using Clang. CFI adds run-time checks by the compiler for every indirect function to ensure the target is a valid function with a valid static type. Intel's combination of these technologies is referred to as FineIBT and allows for more restrictive policies than what can be provided by CET alone and said to be more effective against control-flow attacks.

While CFI proponents have said using the compiler-based security feature only adds ~1% overhead, Intel researchers sum up Clang CFI as having 5~53% overhead. Intel meanwhile says their FineIBT solution has only 1~7% overhead. Those numbers are based on some custom micro-benchmarks they wrote for comparing these two solutions.

While we haven't heard much about FineIBT since the original proposal in February and their modified LLVM/Clang code hasn't been updated since March, it appears Intel is still pursuing this tech. The Linux Security Summit happening next month now has on its schedule a presentation over it.

So come the end of September we should be hearing about Intel's latest efforts around FineIBT for the Linux kernel and any new developments or plans for getting the support ironed out.
2 Comments
Related News
New Intel P-State Linux Driver Patches To Better Handle Hybrid Core CPUs
Intel Talks Up Their Latest Compiler Toolchain Enhancements For AVX10.1, AMX & More
Rework For Intel CPU Model Handling To Land With Linux 6.10
Linux 6.10 Adding Intel Low-Latency Hint To Aggressively Boost GT Frequency For GPU Compute
Intel Releases OpenVINO 2024.1 With More Gen AI & LLM Features
Intel ANV Vulkan Driver Enables VK_KHR_shader_float_controls2
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
systemd Rolling Out "run0" As sudo Alternative
Linux Mint Looks To Fork More GNOME Software, Make XApp More Independent
Microsoft Updates Cascadia Code: Its Open-Source Font For Developers
Rust-Written Redox OS Gets USB Keyboards & Mice Working
Rust-Based Coreutils 0.0.26 Increases Compatibility With GNU Coreutils
AMD Enabling "Fast CPPC" For Even Greater Linux Performance & Power Efficiency On Some CPUs
Proton 9.0 RC2 Makes More Windows Games Playable On Linux, Other Fixes
Punting GPU Drivers From The Initramfs Due To Ever Increasing Firmware Bloat