Control-flow Enforcement Technology
Suyash Sambhare

User-mode Hardware-enforced Stack Protection (HSP) is a security feature in which the CPU verifies function return addresses at runtime using a shadow stack, where the hardware supports it. In HSP compatibility mode, only shadow stack violations in modules that are compatible with shadow stacks (CETCOMPAT) are fatal. To be considered CETCOMPAT, a module must either be built with /CETCOMPAT (for binaries) or have its code marked with SetProcessDynamicEnforcedControlflowEnforcementTechnologyCompatibleRanges (for dynamic code). In HSP strict mode, any shadow stack violation is fatal.

Function Name

SetProcessDynamicEnforcedControlflowEnforcementTechnologyCompatibleRanges, declared in processthreadsapi.h, sets dynamically enforced CETCOMPAT ranges for the specified process.

BOOL SetProcessDynamicEnforcedControlflowEnforcementTechnologyCompatibleRanges(
  HANDLE                                  Process,
  USHORT                                  NumberOfRanges,
  PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE Ranges
);

Parameters

  • Process: A handle to the process. This handle must have the PROCESS_SET_INFORMATION access right.
  • NumberOfRanges: Supplies the number of dynamic enforced CETCOMPAT ranges to set.
  • Ranges: A pointer to an array of dynamic enforced CETCOMPAT ranges.

Return value

If the function fails, the return value is 0; call GetLastError for extended error information. Even when the function fails, some of the supplied CETCOMPAT ranges may have been processed successfully. To determine whether each range supplied via Ranges was processed, the caller must check the flags in each individual range.
If the function succeeds, the return value is nonzero.
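As an added example (not part of the original post or of Microsoft's documentation), the following C program allocates a region for dynamically generated code, registers it with the function above, and then checks the per-range result flags rather than trusting the BOOL return alone. It also queries the process's user shadow stack policy so you can tell whether the process is in compatibility or strict mode. The PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE struct, the DYNAMIC_ENFORCED_ADDRESS_RANGE_ADD / DYNAMIC_ENFORCED_ADDRESS_RANGE_PROCESSED flags, and the policy field names are taken from winnt.h as I recall them; treat them as assumptions to verify against your SDK. The Windows-only calls are guarded by _WIN32 so that the range-bookkeeping helpers compile and can be unit-tested on any platform.

```c
/* Added example: registering a dynamic-code region as CETCOMPAT and
 * verifying the per-range result. Windows-only parts are behind _WIN32. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>   /* needs a Windows 10 SDK that declares the API */
#else
/* Assumed mirror of the winnt.h definitions, so non-Windows builds can
 * compile and test the bookkeeping helpers below. */
typedef uintptr_t ULONG_PTR;
typedef size_t SIZE_T;
typedef uint32_t DWORD;
typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE {
    ULONG_PTR BaseAddress;
    SIZE_T Size;
    DWORD Flags;
} PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE;
#define DYNAMIC_ENFORCED_ADDRESS_RANGE_ADD       0x00000001
#define DYNAMIC_ENFORCED_ADDRESS_RANGE_PROCESSED 0x00000002
#endif

/* Fill one range entry. Flags = ADD asks the kernel to mark the range
 * CETCOMPAT; Flags = 0 asks it to remove the marking. The kernel sets
 * the PROCESSED bit on each entry it actually handled. */
void make_cetcompat_range(PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE *r,
                          ULONG_PTR base, SIZE_T size, int add)
{
    r->BaseAddress = base;
    r->Size = size;
    r->Flags = add ? DYNAMIC_ENFORCED_ADDRESS_RANGE_ADD : 0;
}

/* Count entries the kernel did not process. The API can return FALSE
 * after handling only some of the ranges, so the BOOL alone is not
 * enough: every entry's PROCESSED bit has to be checked. */
size_t count_unprocessed(const PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE *ranges,
                         size_t n)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (!(ranges[i].Flags & DYNAMIC_ENFORCED_ADDRESS_RANGE_PROCESSED))
            missing++;
    return missing;
}

#ifdef _WIN32
/* Allocate a region for generated code (kept RW here; a real JIT flips it
 * to RX after emitting) and register it as CETCOMPAT in the current
 * process. The pseudo-handle already carries PROCESS_SET_INFORMATION. */
static int register_jit_region(SIZE_T size)
{
    void *region = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE,
                                PAGE_READWRITE);
    if (!region) {
        printf("VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE ranges[1];
    make_cetcompat_range(&ranges[0], (ULONG_PTR)region, size, 1);

    BOOL ok = SetProcessDynamicEnforcedControlflowEnforcementTechnologyCompatibleRanges(
        GetCurrentProcess(), 1, ranges);
    size_t missing = count_unprocessed(ranges, 1);
    printf("API returned %d, GetLastError=%lu, unprocessed ranges=%zu\n",
           (int)ok, ok ? 0UL : GetLastError(), missing);
    return (ok && missing == 0) ? 0 : 1;
}

int main(void)
{
    /* Report the process's user shadow stack policy first: the range
     * registration only matters when HSP is enabled for the process. */
    PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY p = {0};
    if (GetProcessMitigationPolicy(GetCurrentProcess(),
                                   ProcessUserShadowStackPolicy, &p, sizeof p)) {
        printf("EnableUserShadowStack=%u StrictMode=%u SetContextIpValidation=%u\n",
               (unsigned)p.EnableUserShadowStack,
               (unsigned)p.EnableUserShadowStackStrictMode,
               (unsigned)p.SetContextIpValidation);
    }
    return register_jit_region(4096);
}
#else
int main(void)
{
    puts("The registration call is Windows-only; the helpers build anywhere.");
    return 0;
}
#endif
```

Build it with a Windows 10 SDK that declares the function and run it on CET-capable hardware with HSP enabled for the process. On hardware or builds without shadow stack support the call fails, and the unprocessed count tells you which entries were left unregistered, which is the check the return-value section above asks the caller to perform.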

CET

Shadow Stack

The shadow stack is a hardware-enforced, read-only memory region that records the program's intended control flow. On supporting hardware, call instructions push the return address onto both the regular stack and the shadow stack, and return instructions compare the two values and raise a CPU exception if the return addresses do not match. Because of these hardware requirements, only newer processors have this feature. Note that all native 64-bit Windows DLLs are built with /CETCOMPAT.
Running your application in compatibility mode is recommended today, since third-party DLLs can be loaded into your process and then be used for return-address hijacking.

Instruction Pointer Validation

Once shadow stacks are in place, one of the next techniques an attacker may use to take over control flow is corrupting the instruction pointer value inside the CONTEXT structure passed to system routines that redirect a thread's execution, such as NtContinue and SetThreadContext. To provide a more complete control-flow integrity mitigation, Hardware-enforced Stack Protection adds a further check that validates the instruction pointer during exception handling. This mitigation should also be included in compatibility testing.

These mitigations proactively limit an attacker's ability to hijack your program if a vulnerability is discovered. The mitigation is supported only in 64-bit code; there is currently no support for 32-bit code, WoW64, or guest virtual machines. Hardware-enforced Stack Protection is enabled in compatibility mode in the Microsoft Edge browser and in a few non-sandboxed processes.

Ref: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessdynamicenforcedcetcompatibleranges
