• Intel CET Support?

    From Felix Potthast@21:1/5 to All on Mon Sep 5 23:00:01 2022
    Hello,

    I just stumbled upon the fact that Debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    The idea is to insert endbr instructions
    (which are just NOPs on older CPUs) at the beginning
    of functions to identify valid call targets to mitigate
    ROP attacks.

    You can do a quick test with

    objdump -d /usr/bin/mv | grep endbr | wc -l

    which outputs a nonzero number if the feature is used.

    See for example this Phoronix article: https://www.phoronix.com/news/Intel-CET-IBT-For-Linux-5.18

    What is the reason Debian doesn't use this?
    It seems like a sensible thing to do to me, but
    maybe you had a discussion about it and came to another conclusion?

    Or was this just overlooked?

    Looking forward to your answers.

    Regards,
    Felix Potthast

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to Felix Potthast on Mon Sep 5 23:50:02 2022
    On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
    I just stumbled upon the fact that Debian doesn't yet make use of
    the Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.
    [...]

    Forgive me if this is a dumb question, but were you running on a
    Linux 5.18 kernel when you tested this? The default kernel on the
    current Debian release is too old to support it, but there is a 5.18
    kernel in the bullseye-backports suite. This is from my workstation
    running a relatively up to date Debian unstable booted on a 5.18.x
    kernel, as you can see:

    fungi@dhole:~$ uname -v
    #1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
    fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
    2
    fungi@dhole:~$ objdump -d /bin/mv | grep endbr
    4230: f3 0f 1e fa endbr64
    4270: f3 0f 1e fa endbr64

    --
    Jeremy Stanley


  • From Andrey Rahmatullin@21:1/5 to Felix Potthast on Tue Sep 6 12:00:01 2022
    On Mon, Sep 05, 2022 at 10:44:52PM +0200, Felix Potthast wrote:
    I just stumbled upon the fact that Debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    The idea is to insert endbr instructions
    (which are just NOPs on older CPUs) at the beginning
    of functions to identify valid call targets to mitigate
    ROP attacks.

    You can do a quick test with

    objdump -d /usr/bin/mv | grep endbr | wc -l

    which outputs a nonzero number if the feature is used.
    It's indeed nonzero on my testing and sid machines, with coreutils 8.32-4.1.
    In which version is it zero?

    --
    WBR, wRAR


  • From Felix Potthast@21:1/5 to Jeremy Stanley on Tue Sep 6 14:00:01 2022
    Ok, it turns out the quick test I spontaneously came up with is flawed,
    sorry about that.

    However, if you look at the disassembly, you can see that the
    endbr instruction is not at the beginning of a function,
    but rather directly after a nop instruction, so it seems to
    me this is just used as another nop variant for alignment purposes.

    Another file one can test that actually gives zero is

    /lib64/ld-linux-x86-64.so.2

    so the right command to test is

    objdump -d /lib64/ld-linux-x86-64.so.2 | grep endbr | wc -l

    On Mon, 2022-09-05 at 21:14 +0000, Jeremy Stanley wrote:
    On 2022-09-05 22:44:52 +0200 (+0200), Felix Potthast wrote:
    I just stumbled upon the fact that Debian doesn't yet make use of
    the Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.
    [...]

    Forgive me if this is a dumb question, but were you running on a
    Linux 5.18 kernel when you tested this? The default kernel on the
    current Debian release is too old to support it, but there is a 5.18
    kernel in the bullseye-backports suite. This is from my workstation
    running a relatively up to date Debian unstable booted on a 5.18.x
    kernel, as you can see:

      fungi@dhole:~$ uname -v
      #1 SMP PREEMPT_DYNAMIC Debian 5.18.14-1 (2022-07-23)
      fungi@dhole:~$ objdump -d /bin/mv | grep endbr | wc -l
      2
      fungi@dhole:~$ objdump -d /bin/mv | grep endbr
      4230: f3 0f 1e fa endbr64
      4270: f3 0f 1e fa endbr64


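Counting endbr64 instructions, as the thread shows, is unreliable because the assembler also emits them as alignment padding. What the dynamic loader actually consults is the GNU_PROPERTY_X86_FEATURE_1_AND property that the linker records in .note.gnu.property (covered by the PT_GNU_PROPERTY program header), and `readelf -n` prints it as "x86 feature: IBT, SHSTK". The following checker is an added example, not code from this thread; it parses that note directly and assumes a little-endian ELF64 input.

```python
import struct
import sys

PT_GNU_PROPERTY = 0x6474E553              # program header covering .note.gnu.property
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_BITS = {1: "IBT", 2: "SHSTK"}     # GNU_PROPERTY_X86_FEATURE_1_IBT / _SHSTK

def parse_properties(desc: bytes) -> dict:
    """Split an NT_GNU_PROPERTY_TYPE_0 descriptor into {pr_type: raw data}."""
    props, off = {}, 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        props[pr_type] = desc[off + 8:off + 8 + pr_datasz]
        off += 8 + ((pr_datasz + 7) & ~7)    # properties are 8-byte aligned on ELF64
    return props

def x86_features(note: bytes) -> set:
    """Return the subset of {"IBT", "SHSTK"} recorded in a raw .note.gnu.property blob."""
    found, off = set(), 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz]
        off += 12 + ((namesz + 3) & ~3)
        desc, off = note[off:off + descsz], off + ((descsz + 7) & ~7)
        if ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0":
            data = parse_properties(desc).get(GNU_PROPERTY_X86_FEATURE_1_AND, b"")
            if len(data) >= 4:
                mask = struct.unpack_from("<I", data)[0]
                found |= {n for bit, n in FEATURE_BITS.items() if mask & bit}
    return found

def elf_cet_features(data: bytes) -> set:
    """Find PT_GNU_PROPERTY in a little-endian ELF64 image and decode its CET bits."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return x86_features(data[p_offset:p_offset + p_filesz])
    return set()                              # no property note: built without CET markings

if __name__ == "__main__":                    # e.g. python3 cet_check.py /lib64/ld-linux-x86-64.so.2
    with open(sys.argv[1], "rb") as f:
        print(sorted(elf_cet_features(f.read())) or "no CET markings")
```

A binary that reports IBT here was linked with every object carrying the marking; whether the feature is actually enforced at run time still depends on the CPU, the kernel and glibc, as later replies in the thread point out.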
  • From Adrien CLERC@21:1/5 to All on Tue Sep 6 14:10:01 2022
    On 05/09/2022 at 22:44, Felix Potthast wrote:
    objdump -d /usr/bin/mv | grep endbr | wc -l

    I got 2 on my current Bookworm/testing with 5.18.0-4-amd64


  • From Paul Wise@21:1/5 to Felix Potthast on Wed Sep 7 01:50:01 2022
    On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote:

    I just stumbled upon the fact that Debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    Allegedly Intel CET provides weak protection, although perhaps it
    improved since the 2016 analysis by grsecurity folks:

    https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise


  • From nick black@21:1/5 to All on Wed Sep 7 02:40:01 2022
    Paul Wise left as an exercise for the reader:
    On Mon, 2022-09-05 at 22:44 +0200, Felix Potthast wrote:

    I just stumbled upon the fact that Debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    Allegedly Intel CET provides weak protection, although perhaps it
    improved since the 2016 analysis by grsecurity folks: https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks

    ehh, CET seems like the kind of "make easy things hard" defense-in-depth
    that's the cornerstone of protecting against the highest level
    of attackers. ASLR and a dozen other things are in the same
    boat; they make attacks more difficult to generalize and make
    reliable.

    also, the grsecurity folk in my experience tend to speak very
    harshly regarding any other efforts in their space (and they
    prefix this article with disclosure that CET can be considered
    competing technology). see their comments on other software CFI
    implementations [0] and kspp [1]. they explicitly sum up that
    "CET is not advancing the state of the art", which indeed it
    might not be, but that doesn't mean it's a useless piece of
    engineering. it has a value that needs to be weighed against its
    cost like most technologies.

    [0] https://grsecurity.net/rap_faq
    [1] https://lwn.net/Articles/698891/


    --
    nick black -=- https://www.nick-black.com
    to make an apple pie from scratch,
    you need first invent a universe.


  • From Florian Weimer@21:1/5 to All on Sun Sep 11 05:50:01 2022
    * Felix Potthast:

    I just stumbled upon the fact that Debian doesn't yet make use of the
    Intel CET security feature, while many other distributions
    (Ubuntu, Fedora, Suse, Arch Linux) do.

    There's no kernel support for userspace CET, and it's been missing for
    many years now. The userspace ABI will change, but the hope is that a
    glibc update is sufficient to enable it for those distributions that
    are already built to spec. Reportedly, Fedora mostly works with
    custom kernels (not the Fedora kernel though; it follows mainline).
    There's some hope that userspace CET lands in an upcoming 6.y kernel
    upstream, with a low value for y, but we've been disappointed
    countless times.

    The most interesting part is probably the shadow stack and the
    efficient backtrace generation it enables (the full call stack, not
    just the last 32 or so frames, as with LBR; and even faster than
    frame-pointer traversal). This particular part of CET is already
    available in AMD's Zen 3 CPUs, not just Intel's Tigerlake and later
    CPUs.
