Arabic Arabic Chinese (Simplified) Chinese (Simplified) Dutch Dutch English English French French German German Italian Italian Portuguese Portuguese Russian Russian Spanish Spanish
| (844) 627-8267

Linux May Flip On Indirect Branch Tracking By Default (IBT) | #linux | #linuxsecurity | #hacking | #aihp

A new patch floated by a Google Chrome OS / Linux kernel engineer would enable support for the Intel-led Indirect Branch Tracking (IBT) by default as part of the standard kernel configuration for this security feature.

Indirect Branch Tracking is part of Intel Control-Flow Enforcement Technology (CET) with Tigerlake CPUs and newer. IBT provides indirect branch protection to defend against JOP/COP attacks by ensuring indirect calls land on an ENDBR instruction.

Indirect Branch Tracking on the kernel side was upstreamed for Linux 5.18 and also requires a newer version of the GCC or LLVM Clang code compilers.

While IBT is already enabled by default for some distribution vendor kernels, Google’s Kees Cook has suggested it be enabled by default for x86/x86_64 Linux kernel builds.

With this patch he justifies the default change as:

This security defense is runtime enabled via CPU ID, so build it in by default. It will be enabled if the CPU supports it. The build takes 2 seconds longer, which seems a small price to pay for gaining this coverage by default.

We’ll see if this default kernel security change gets picked up for the v6.1 cycle this autumn.

Original Source link

Click Here For The Original Source.


National Cyber Security