Intel CET
What is Intel CET?
Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
Intel CET, introduced with Tiger Lake (11th Gen) and 11th-gen Xeon, pairs two complementary protections. The shadow stack stores return addresses in a CPU-protected page that user code cannot write directly; mismatches on RET generate a #CP exception. Indirect Branch Tracking (IBT) requires every legal indirect-branch target to start with an ENDBR instruction, blocking jumps into the middle of functions or gadgets. Operating systems opt processes in via PROC_CET_* or SetProcessMitigationPolicy; toolchains add ENDBR via -fcf-protection=full. CET defeats classic ROP/JOP at hardware speed and complements ASLR, DEP, stack canaries, and software CFI.
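As an added example (not part of the original entry), the Python code below checks whether a toolchain marked an x86-64 ELF binary as IBT- and shadow-stack-compatible, by reading the GNU_PROPERTY_X86_FEATURE_1_AND word from its GNU property note. The function names and the build_sample_elf input are constructed for illustration; the marker shows that the binary is eligible for CET, not that the operating system enforces it for a given process.

```python
import struct

PT_NOTE, PT_GNU_PROPERTY, NT_GNU_PROPERTY_TYPE_0 = 4, 0x6474E553, 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_IBT, FEATURE_SHSTK = 0x1, 0x2   # bits inside the FEATURE_1_AND word

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def _scan_notes(seg, align):
    """Walk the ELF notes in one segment; return the OR of FEATURE_1_AND words."""
    features, pos = 0, 0
    while pos + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
        name = seg[pos + 12:pos + 12 + namesz]
        desc_off = _align(pos + 12 + namesz, align)
        desc = seg[desc_off:desc_off + descsz]
        if ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0":
            p = 0
            while p + 8 <= len(desc):   # properties are 8-byte aligned in ELF64
                pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND
                        and pr_datasz >= 4 and p + 12 <= len(desc)):
                    features |= struct.unpack_from("<I", desc, p + 8)[0]
                p = _align(p + 8 + pr_datasz, 8)
        pos = _align(desc_off + descsz, align)
    return features

def cet_markers(elf):
    """Report the IBT / SHSTK markers of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    # e_phoff at 0x20, then e_phentsize and e_phnum at 0x36 and 0x38
    e_phoff, e_phentsize, e_phnum = struct.unpack_from("<Q14xHH", elf, 0x20)
    features = 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, p_align = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type in (PT_NOTE, PT_GNU_PROPERTY):
            features |= _scan_notes(elf[p_offset:p_offset + p_filesz], 8 if p_align == 8 else 4)
    return {"ibt": bool(features & FEATURE_IBT), "shstk": bool(features & FEATURE_SHSTK)}

def build_sample_elf(feature_bits):
    """Constructed sample: ELF64 header plus a single PT_GNU_PROPERTY segment."""
    prop = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits)
    note = struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 120, 120, len(note), len(note), 8)
    return ehdr + phdr + note
```

To audit a real binary, pass its bytes, for example cet_markers(open(path, "rb").read()). The linker ANDs this word across all input objects, so a single object built without -fcf-protection clears the marker for the whole binary.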
● Examples
- 01 Windows 11 hardware-enforced stack protection using CET on 11th-gen Intel Core.
- 02 Linux user-mode shadow stack (USER_SHSTK) enabled for hardened binaries.
● Frequently asked questions
What is Intel CET?
Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits. It belongs to the Application Security category of cybersecurity.
What does Intel CET mean?
Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
How does Intel CET work?
Intel CET, introduced with Tiger Lake (11th Gen) and 11th-gen Xeon, pairs two complementary protections. The shadow stack stores return addresses in a CPU-protected page that user code cannot write directly; mismatches on RET generate a #CP exception. Indirect Branch Tracking (IBT) requires every legal indirect-branch target to start with an ENDBR instruction, blocking jumps into the middle of functions or gadgets. Operating systems opt processes in via PROC_CET_* or SetProcessMitigationPolicy; toolchains add ENDBR via -fcf-protection=full. CET defeats classic ROP/JOP at hardware speed and complements ASLR, DEP, stack canaries, and software CFI.
How do you defend against Intel CET?
Defences for Intel CET typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Intel CET?
Common alternative names include: CET, Indirect Branch Tracking, IBT.
● Related terms
- Shadow Stack (appsec, № 1028): A shadow stack is a separate, protected stack that stores copies of return addresses so the CPU can detect tampering with the regular stack and block ROP attacks.
- Control-Flow Integrity (appsec, № 217): Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- Return-Oriented Programming (appsec, № 925): Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
- DEP (appsec, № 303): Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
- ASLR (appsec, № 064): Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- Stack Canary (appsec, № 1095): A stack canary is a secret value placed between a function's local buffers and its saved return address to detect stack buffer overflows before they hijack control flow.
● See also
- № 581 KASLR
- № 1058 SMEP / SMAP
- № 671 Memory-Safe Languages