abelrguezr/cet-shadow-stack
skills/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack/SKILL.md
Control Flow Enforcement Technology (CET) and Shadow Stack analysis for binary exploitation. Use this skill whenever the user mentions CET, shadow stack, control flow integrity, ROP/JOP attacks, binary security protections, or needs to understand how modern CPU features prevent control-flow hijacking. Trigger for security research, binary analysis, exploitation learning, or when discussing hardware-level security mitigations.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills cet-shadow-stackInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:09 AM92.2s1 file scanned
SKILL.md
- name:
- cet-shadow-stack
- description:
- Control Flow Enforcement Technology (CET) and Shadow Stack analysis for binary exploitation. Use this skill whenever the user mentions CET, shadow stack, control flow integrity, ROP/JOP attacks, binary security protections, or needs to understand how modern CPU features prevent control-flow hijacking. Trigger for security research, binary analysis, exploitation learning, or when discussing hardware-level security mitigations.
CET & Shadow Stack Analysis
A skill for understanding and analyzing Control Flow Enforcement Technology (CET) and Shadow Stack security features in binary exploitation contexts.
What This Skill Covers
- CET fundamentals: How Control Flow Enforcement Technology works at the hardware level
- Shadow Stack mechanics: The dedicated return address protection mechanism
- Attack prevention: How CET mitigates ROP and JOP attacks
- Practical analysis: Identifying and working with CET-protected binaries
Core Concepts
Control Flow Enforcement Technology (CET)
CET is a hardware-level security feature designed to prevent control-flow hijacking attacks like Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP).
Two main components:
-
Indirect Branch Tracking (IBT)
- Ensures indirect jumps and calls target only valid destinations
- Uses new instruction markers to designate legal branch targets
- Prevents arbitrary code execution through gadget chaining
-
Shadow Stack
- Maintains a protected, hidden copy of return addresses
- Separate from the regular call stack
- Validates return addresses before function returns
- Detects and blocks return address tampering
How Shadow Stack Works
The shadow stack is a dedicated stack used solely for storing return addresses.
Key properties:
- Works alongside the regular stack but remains protected
- Hidden from normal program execution
- Difficult for attackers to tamper with
- Provides integrity verification for return addresses
Protection mechanism:
- When a function is called, the return address is pushed to both the regular stack AND the shadow stack
- When the function returns, the CPU compares the return address from the regular stack against the shadow stack
- If they don't match, the program terminates or takes security measures
- This prevents attackers from overwriting return addresses to hijack control flow
Attack Prevention
ROP and JOP attacks work by:
- Hijacking control flow through vulnerabilities
- Overwriting pointers or return addresses on the stack
- Directing execution to existing code gadgets
- Chaining gadgets to perform arbitrary operations
How CET stops these attacks:
| Attack Vector | CET Countermeasure | |--------------|-------------------| | Arbitrary gadget execution | IBT requires explicit target markers | | Return address overwrite | Shadow stack detects discrepancies | | Control flow hijacking | Hardware-level validation blocks invalid branches |
Practical Analysis
Identifying CET-Protected Binaries
When analyzing a binary, look for these indicators:
ELF headers and sections:
- Check for CET-related sections in the binary
- Look for ENDBRANCH instructions (0xF3 0x0F 0x1E 0xFA)
- Examine the
.note.gnu.propertysection for CET flags
Command-line tools:
# Check for CET support
readelf -n binary | grep -i cet
# Look for ENDBRANCH instructions
objdump -d binary | grep -i endbranch
# Check binary properties
readelf -p binary | grep -i property
Understanding the Protection Model
What CET protects:
- ✅ Return addresses from stack corruption
- ✅ Indirect calls/jumps to invalid targets
- ✅ ROP chain execution
- ✅ JOP chain execution
What CET does NOT protect:
- ❌ Direct memory corruption (use ASLR, DEP, etc.)
- ❌ Format string vulnerabilities
- ❌ Integer overflows
- ❌ Logic vulnerabilities
Working with CET in Exploitation
When analyzing CET-protected targets:
-
First, verify CET is actually enabled
- Check compilation flags
- Verify runtime enforcement
- Some binaries may have CET compiled but not enforced
-
Understand the attack surface
- CET only protects control flow, not data integrity
- Look for vulnerabilities that don't require control flow hijacking
- Consider partial overwrites or data-only attacks
-
Consider bypass scenarios
- Shadow stack corruption (requires separate vulnerability)
- IBT bypass through valid ENDBRANCH targets
- Side-channel attacks (research-level)
Common Questions
"What is CET?"
CET is Intel's Control Flow Enforcement Technology, a hardware security feature that prevents control-flow hijacking attacks through Indirect Branch Tracking and Shadow Stack mechanisms.
"How does shadow stack differ from regular stack?"
The shadow stack is a protected, CPU-managed stack that stores only return addresses. It's separate from the regular stack and cannot be accessed or modified by normal program instructions.
"Can CET be bypassed?"
CET significantly raises the bar for exploitation but isn't invulnerable. Bypasses typically require:
- Additional vulnerabilities to corrupt the shadow stack
- Finding valid ENDBRANCH targets for IBT bypass
- Exploiting implementation bugs in CET itself
"Should I use CET in my binaries?"
Yes. CET provides strong protection against common exploitation techniques with minimal performance overhead. Enable it via compiler flags (-fcf-protection=full for GCC/Clang).
Related Protections
CET works alongside other security features:
| Protection | What It Does | Works With CET? | |------------|-------------|-----------------| | ASLR | Randomizes memory addresses | ✅ Yes | | DEP/NX | Marks memory as non-executable | ✅ Yes | | Stack Canaries | Detects stack buffer overflows | ✅ Yes | | PIE | Position-independent executable | ✅ Yes |
Research Context
When to use this skill:
- Analyzing binaries for security research
- Learning about modern CPU security features
- Understanding exploitation limitations
- Security assessment of software
- Academic study of control flow integrity
Key references:
- Intel CET documentation
- Binary exploitation tutorials covering modern mitigations
- Security research papers on control flow integrity
Quick Reference
CET Components:
- IBT: Validates indirect branch targets
- Shadow Stack: Protects return addresses
Attack Prevention:
- Blocks ROP/JOP chains
- Detects return address corruption
- Requires valid ENDBRANCH markers
Analysis Commands:
readelf -n binary- Check CET propertiesobjdump -d binary | grep endbranch- Find ENDBRANCH instructionschecksec --file=binary- View all protections
Remember: CET is a powerful defense but not a silver bullet. Always consider the full security context and look for vulnerabilities that don't rely on control flow hijacking.
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026