OpenBSD gets RETGUARD (anti-ROP) for Clang x64

RETGUARD for clang (amd64) added to -current

Contributed by rueda on 2018-06-06 from the d(e)ropping-the-gadgets dept.

Todd Mortimer has committed “RETGUARD” for clang (for amd64).



Intel adds ROP-detection Branch Monitoring support to Linux


Date: Fri, 3 Nov 2017 11:00:03 -0700

This patchset adds support for Intel’s branch monitoring feature. This feature uses heuristics to detect the occurrence of an ROP(Return Oriented Programming) or ROP like(JOP: Jump oriented programming) attack. These heuristics are based off certain performance monitoring statistics, measured dynamically over a short configurable window period. ROP is a malware trend in which the attacker can compromise a return pointer held on the stack to redirect execution to a different desired instruction. Currently, only the Cannonlake family of Intel processors support this feature. This feature is enabled by CONFIG_PERF_EVENTS_INTEL_BM. Once the kernel is compiled with CONFIG_PERF_EVENTS_INTEL_BM=y on a Cannonlake system, the following perf events are added which can be viewed with perf list:
intel_bm/branch-misp/ [Kernel PMU event]
intel_bm/call-ret/ [Kernel PMU event]
intel_bm/far-branch/ [Kernel PMU event]
intel_bm/indirect-branch-misp/ [Kernel PMU event]
intel_bm/ret-misp/ [Kernel PMU event]
intel_bm/rets/ [Kernel PMU event]

A perf-based kernel driver has been used to monitor the occurrence of one of the 6 branch monitoring events. There are 2 counters that each can select between one of these events for evaluation over a specified instruction window size (0 to 1023). For each counter, a threshold value (0 to 127) can be configured to set a point at which an interrupt is generated. The entire system can monitor a maximum of 2 events(either from the same or different tasks) at any given time. Apart from the kernel driver, this patchset adds CPUID of Cannonlake processors to Intel family list and the Documentation/x86/intel_bm.txt file with some information about Intel Branch monitoring.


Microsoft MEX Windbg extension

Microsoft recently released a new Windows Windbg debugger extension called MEX. It has a variety of features, dozens of commands for many of Microsoft’s products. It appears to have been removed from the download site for a while, but it is up now, at least for the moment.


There’s a copy of the MEX help usage listed here:



a bit more on Intel CET

Intel is innovating to stop cyber attacks

Intel release new technology specifications to protect against ROP attacks


The GRSecurity post has a few more links as well:

Full disclosure: we have a competing production-ready solution to defend against code reuse attacks called RAP, see [R1], [R2]. RAP isn’t tied to any particular CPU architecture or operating system, and it scales to real-life software from Xen to Linux to Chromium with excellent performance.

In summary, Intel’s CET is mainly a hardware implementation of Microsoft’s weak CFI implementation with the addition of a shadow stack. Its use will require the presence of Intel processors that aren’t expected to be released for several years. Rather than truly innovating and advancing the state of the art in performance and security guarantees as RAP has, CET merely cements into hardware existing technology known and bypassed by academia and industry that is too weak to protect against the larger class of code reuse attacks. One can’t help but notice a striking similarity with Intel’s MPX, another software-dependent technology announced with great fanfare a few years ago that failed to live up to its many promises and never reached its intended adoption as the solution to end buffer overflow attacks and exists only as yet another bounds-checking based debugging technology.