[$] Kernel support for control-flow enforcement

by corbet from LWN.net on (#3SZTS)
As attackers have lost the easy ability to execute code stored in writable memory, they have increasingly turned to return-oriented programming (ROP) and related techniques to compromise vulnerable systems. ROP attacks use the code that is present in the program under attack and are hard to defend against in software. In response, hardware vendors are developing ways to defeat ROP-like techniques at a lower level. One of the results is Intel's Control-Flow Enforcement Technology (CET) [PDF], which adds two mechanisms (shadow stacks and indirect-branch tracking) that are intended to resist these attacks. Yu-cheng Yu recently posted a set of patches showing how this technology is to be used to defend Linux systems.