1. 4

  2. 1

    There’s this quick overview and explanation for people less familiar about ROP: http://www.theregister.co.uk/2016/06/10/intel_control_flow_enforcement/ . I think this is a nice step forward for exploit mitigation at hardware level and hopefully similar effort will be seen from other CPU vendors.

    1. 1

      Does this prevent more than SafeStack? SafeStack is very low overhead (<0.1%) and prevents overwriting return addresses.

      1. 1

        It might be a bit safer than SafeStack. The Shadow Stack have special mapping flag ensuring it cannot be written with regular instruction such MOV, although when you have write-anywhere primitives there might be alternative way to ROP to gain code execution. It is limited to return address and is hardware dependant. The Indirect branch tracking has no alternative that I know of.