RFC: No Control Flow Check Attribute

Hi All,

Jump Oriented Programming attacks rely on tampering addresses used by indirect call / jmp, e.g. redirect control-flow to non-programmer intended bytes in binary.

A new target independent command line option –fcf-protection=<branch/return/full/none> instruments control flow protection schemes to handle such attacks.

X86 Supports Indirect Branch Tracking (IBT) as part of Control-Flow Enforcement Technology (CET).

IBT instruments ENDBR instructions (when –fcf-protection=branch is asserted) used to specify valid targets of indirect call / jmp.

The nocf_check attribute indicates that no control-flow check will be performed on the attributed entity.

It disables -fcf-protection=<> for a specific entity to fine grain the HW control flow protection mechanism.

The flag is target independent and currently appertains to a function or function pointer.

The nocf_check attribute has two roles in the context of X86 IBT technology:

  1. Appertains to a function - do not add ENDBR instruction at the beginning of the function.

  2. Appertains to a function pointer - do not track the target function of this pointer by adding nocf_check prefix to the indirect-call instruction.

When the CPU decodes nocf_check prefix, it will not update IBT state machine, hence, the target addresses of the following indirect jump will not be tracked.

The naming convention and implementation follow GCC.

I will be happy to address any concerns raised by the community regarding the attribute.

Cheers,

Oren