Symposium on Information and Communications Technology Security

A French-language conference on information security.
It will take place in Rennes from June 4 to 6, 2025.

Analyzing the Windows kernel shadow stack mitigation
Alexandre Aulnette, Rémi Jullian

Date: June 5, 2025 at 11:00 — 30 min.

Intel and Microsoft worked together, with other players from the industry, to implement a mechanism named Intel CET, which introduces a new mitigation: the shadow stack. Effective both in user mode and in kernel mode, this mitigation is designed to defeat exploits that hijack control flow by overwriting return addresses on the stack. In this paper, we discuss the role of this mitigation and take a deep dive into its implementation in the Windows kernel. We explain how the Windows operating system leverages virtualization techniques to protect the integrity of the shadow stack and to ensure the mitigation cannot be disabled on a live system, even when an attacker possesses strong primitives such as an arbitrary read/write in the kernel.
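The check the abstract refers to can be modelled in a few lines. The following is an added illustration, not code from the talk or from Windows: a regular stack that a memory-corruption bug can overwrite, a separate shadow stack that only CALL and RET touch, and a RET that refuses to jump when the two saved return addresses disagree (on real hardware this raises a control-protection fault, #CP). The addresses and the machine model are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Simplified model of a CET-style shadow stack (illustration only). */
#define DEPTH 16

typedef struct {
    uint64_t data[DEPTH];    /* normal stack: reachable by ordinary stores */
    uint64_t shadow[DEPTH];  /* shadow stack: written only by CALL/RET */
    size_t sp, ssp;          /* stack pointer and shadow stack pointer */
} machine_t;

enum ret_status { RET_OK, RET_CONTROL_PROTECTION, RET_UNDERFLOW };

/* CALL pushes the return address on both stacks. */
static bool m_call(machine_t *m, uint64_t ret_addr) {
    if (m->sp >= DEPTH || m->ssp >= DEPTH) return false;
    m->data[m->sp++] = ret_addr;
    m->shadow[m->ssp++] = ret_addr;
    return true;
}

/* RET pops both copies and compares them; a mismatch faults instead of
 * transferring control, so the corrupted value is never used. */
static enum ret_status m_ret(machine_t *m, uint64_t *target) {
    if (m->sp == 0 || m->ssp == 0) return RET_UNDERFLOW;
    uint64_t from_stack = m->data[--m->sp];
    uint64_t from_shadow = m->shadow[--m->ssp];
    if (from_stack != from_shadow) return RET_CONTROL_PROTECTION;
    *target = from_shadow;
    return RET_OK;
}

/* Normal flow: the saved return address is untouched. */
static enum ret_status normal_return(uint64_t *target) {
    machine_t m = {0};
    m_call(&m, 0x401000);          /* constructed return address */
    return m_ret(&m, target);
}

/* A bug overwrites the saved return address on the regular stack only;
 * the shadow copy still holds the original, so RET detects the tampering. */
static enum ret_status corrupted_return(uint64_t *target) {
    machine_t m = {0};
    m_call(&m, 0x401000);          /* constructed return address */
    m.data[m.sp - 1] = 0x41414141; /* simulated stack overwrite */
    return m_ret(&m, target);
}
```

The model also shows why the talk's second point matters: the protection holds only as long as the shadow array itself cannot be written by the same primitive, which is what the kernel delegates to the hypervisor.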