Jump Oriented Programming (JOP) attacks rely on tampering with the addresses used by indirect call / jmp instructions, e.g. redirecting control flow to bytes in the binary that the programmer never intended as a branch target.
A new target-independent command line option, -fcf-protection=<branch/return/full/none>, enables control-flow protection instrumentation to handle such attacks.
x86 supports Indirect Branch Tracking (IBT) as part of Control-flow Enforcement Technology (CET).
When -fcf-protection=branch is in effect, IBT instrumentation places an ENDBR instruction at each valid target of an indirect call / jmp.
The nocf_check attribute indicates that no control-flow check will be performed on the attributed entity.
It disables -fcf-protection for that specific entity, giving fine-grained control over the hardware control-flow protection mechanism.
The attribute is target independent and currently appertains to a function or a function pointer.
The nocf_check attribute has two roles in the context of x86 IBT:
Appertaining to a function: do not add an ENDBR instruction at the beginning of the function.
Appertaining to a function pointer: do not track the target function of this pointer, by adding the nocf_check prefix to the indirect-call instruction.
When the CPU decodes the nocf_check prefix it does not update the IBT state machine, so the target address of the following indirect jump is not tracked.
The naming convention and implementation follow GCC.
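Both roles of the attribute in one source file, as an added C example that is not part of the original text (the function and variable names legacy_twice, tracked_twice, legacy_hook, tracked_hook and call_* are my own). The instruction prefix described above is the x86 NOTRACK prefix (3EH), which the GNU and LLVM assemblers spell `notrack`; the comments say which of these markers to expect in the generated assembly, and why a nocf_check function must not become the target of a tracked indirect branch.

```c
/* Added example (not part of the review text): the two roles of nocf_check
 * on x86 when built with -fcf-protection=branch.  Build and inspect with:
 *   gcc   -O2 -fcf-protection=branch -S nocf_demo.c -o - | grep -E 'endbr|notrack'
 *   clang -O2 -fcf-protection=branch -S nocf_demo.c -o - | grep -E 'endbr|notrack'
 * Expected: tracked_twice and the call_* functions begin with endbr64,
 * legacy_twice does not; the indirect call/jmp in call_legacy carries the
 * "notrack" prefix, the one in call_tracked does not. */
#include <stdio.h>

/* Expand to the attribute only where the compiler knows it (x86 GCC/Clang);
 * elsewhere the code still builds, just without the instrumentation change. */
#if defined(__has_attribute)
#  if __has_attribute(nocf_check)
#    define NOCF_CHECK __attribute__((nocf_check))
#  endif
#endif
#ifndef NOCF_CHECK
#  define NOCF_CHECK
#endif

/* Role 1, on a function: no ENDBR is emitted at entry.  On IBT-enabled
 * hardware this function may only be reached by direct calls or by indirect
 * calls carrying the notrack prefix; a tracked indirect branch landing here
 * raises a control-protection (#CP) fault. */
int NOCF_CHECK legacy_twice(int x) { return 2 * x; }

/* Normal function: gets ENDBR at entry, so it is a valid indirect target. */
int tracked_twice(int x) { return 2 * x; }

/* Role 2, on a function pointer: every indirect call through legacy_hook is
 * emitted with the notrack prefix, so the CPU does not require ENDBR at the
 * target.  Both pointers are non-static, non-const globals so the optimizer
 * cannot turn the indirect calls into direct ones. */
int (*legacy_hook)(int) NOCF_CHECK = legacy_twice;

/* Tracked pointer: calls through it are checked, so its targets need ENDBR. */
int (*tracked_hook)(int) = tracked_twice;

int call_legacy(int x)  { return legacy_hook(x); }
int call_tracked(int x) { return tracked_hook(x); }

int main(void) {
    printf("call_legacy(21)  = %d\n", call_legacy(21));
    printf("call_tracked(21) = %d\n", call_tracked(21));
    return 0;
}
```

Without -fcf-protection=branch both compilers accept the attribute but warn that it is ignored, and the two call paths are indistinguishable at runtime; the difference is only visible in the emitted code, which is why the build commands above pipe the assembly through grep.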
I will be happy to address any concerns raised by the community regarding the attribute.