Indirect branch tracking explained

Indirect branch tracking (IBT), also known as branch target identification (BTI), is a control flow integrity mechanism implemented on some Intel x86-64 and ARM-64 processors. IBT is designed to protect against computer security exploits that use indirect branch instructions to jump into code in unintended ways, such as return-oriented programming.

It introduces special "branch target" instructions that have no function other than to mark a location as a valid indirect branch target. The processor can be put into a mode where it raises an exception if an indirect branch is made to a location without a branch target instruction.

Implementations

On Intel processors, the technique is known as Indirect Branch Tracking (IBT), with the "end branch" instructions and acting as the branch target instructions for 32 and 64 bit mode respectively.[1] [2] IBT is part of the Intel Control-Flow Enforcement Technology first released in the Tiger Lake generation of processors.[3]

The similar technology on ARM-64 processors is called Branch Target Identification (BTI), with the instruction, also called, having three variants that make it check only for jumps, or function calls, or for both.[4] [5]
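The landing-pad check described above can be modelled in a few lines, which is also how a defender can audit whether function entry points in a code region carry the marker. This is an added example, not code from the original page or from Intel or Arm. The function names and sample bytes are constructed for illustration, and the instruction encodings (ENDBR64, ENDBR32, BTI c/j/jc) are supplied from the architecture manuals rather than from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum branch_kind { BR_CALL, BR_JUMP }; /* kind of indirect branch (simplified) */

/* x86: ENDBR64 = F3 0F 1E FA, ENDBR32 = F3 0F 1E FB. With IBT enforced,
 * an indirect call or jump must land on the one matching the CPU mode. */
int x86_target_ok(const uint8_t *code, size_t len, int mode64)
{
    static const uint8_t endbr64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
    static const uint8_t endbr32[4] = {0xF3, 0x0F, 0x1E, 0xFB};
    if (len < 4)
        return 0; /* truncated bytes cannot hold a landing pad */
    return memcmp(code, mode64 ? endbr64 : endbr32, 4) == 0;
}

/* AArch64: BTI c = 0xD503245F, BTI j = 0xD503249F, BTI jc = 0xD50324DF
 * (little-endian in memory); bits 7:6 select the variant. Simplification:
 * BR through x16/x17 and the implicit PACIASP/PACIBSP pads are not modelled. */
int a64_target_ok(const uint8_t *code, size_t len, enum branch_kind kind)
{
    if (len < 4)
        return 0;
    uint32_t insn = (uint32_t)code[0] | (uint32_t)code[1] << 8 |
                    (uint32_t)code[2] << 16 | (uint32_t)code[3] << 24;
    if ((insn & 0xFFFFFF3Fu) != 0xD503241Fu)
        return 0; /* not a BTI hint */
    unsigned variant = (insn >> 6) & 3u; /* 1 = c, 2 = j, 3 = jc */
    return kind == BR_CALL ? (variant & 1u) != 0 : (variant & 2u) != 0;
}

/* Audit helper: count 64-bit x86 entry points (offsets into text) that an
 * indirect branch could not legally reach under IBT. */
size_t x86_count_unmarked(const uint8_t *text, size_t len,
                          const size_t *entries, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (entries[i] >= len ||
            !x86_target_ok(text + entries[i], len - entries[i], 1))
            bad++;
    return bad;
}

/* Constructed sample: f1 = endbr64; ret   f2 = push rbp; ret */
const uint8_t sample_text[] = {0xF3, 0x0F, 0x1E, 0xFA, 0xC3, 0x55, 0xC3};
const size_t sample_entries[] = {0, 5};
```

An entry point reported as unmarked is not necessarily a defect: functions that are only ever called directly do not need a landing pad.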

Notes and References

  1. Corbet, Jonathan (March 31, 2022). "Indirect branch tracking for Intel CPUs". lwn.net. Retrieved 2023-07-14.
  2. "Indirect Branch Tracking - 006 - ID:655258 12th Generation Intel® Core™ Processors". edc.intel.com. Retrieved 2024-02-23.
  3. "Intel brings novel CET technology to Tiger Lake mobile CPUs". ZDNET (in English). Retrieved 2024-02-23.
  4. "Documentation – Arm Developer" (December 2021). developer.arm.com. Retrieved 2023-07-14.
  5. "Documentation – Arm Developer". developer.arm.com. Retrieved 2024-02-23.