
I have some questions about shadow stack conception:

  1. Is the shadow-stack conception used for buffer overflow prevention only?
  2. Is the stack canary adjacent to the shadow stack?
  3. What will happen if the return addresses of the stack and the shadow stack do not match (does the shadow stack have higher priority, or will a segfault be raised)?
AseN
  • Do you mean [Intel CET](https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf) specifically? There are other uses of the phrase "shadow stack", e.g. [here](http://doc.pypy.org/en/latest/config/translation.gcrootfinder.html) – paj28 Oct 16 '16 at 23:24
  • @paj28, I mean CET – AseN Oct 17 '16 at 06:04

2 Answers


Intel CET protects against Return Oriented Programming, not buffer overflows per se. Its job is to make sure that each RET instruction returns to the same address that its corresponding CALL instruction came from, and that's it. To do this, the hardware maintains a memory section called the "shadow stack" that is out of reach of the program itself. Each CALL instruction pushes the appropriate return address onto the shadow stack, and each RET pops the top value off the shadow stack and crashes the process if that value is not equal to the return value on the actual stack.

Return Oriented Programming is a way to get around DEP (or NX) technology. Since with DEP you can't just inject executable code any more, you can instead use ROP to overwrite return addresses and string together fragments of the program's own code in an order that makes it do your bidding.

Buffer overflows are used to inject payloads into a process's memory space, and those payloads can certainly be ROP payloads. But there's no fundamental relation between buffer overflows and Intel CET.

Reid Rankin
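The CALL/RET bookkeeping described in the answer above, as a software model added here (it is not code from the answer and not Intel's hardware); `cpu_t`, `sim_call`, `sim_ret`, `corrupt_return_slot` and the return addresses are invented for the illustration:

```c
/* Software model of the CET shadow-stack check (added example, not CET itself).
 * The ordinary stack is writable by the program; the shadow stack is not. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define STACK_DEPTH 16

typedef struct {
    uint64_t data[STACK_DEPTH];   /* ordinary stack: program can overwrite these slots */
    uint64_t shadow[STACK_DEPTH]; /* shadow stack: only CALL/RET touch it */
    size_t sp, ssp;
} cpu_t;

typedef enum { RET_OK, RET_CP_FAULT, RET_UNDERFLOW } ret_status;

/* CALL: push the return address on both stacks. */
static bool sim_call(cpu_t *cpu, uint64_t ret_addr) {
    if (cpu->sp >= STACK_DEPTH) return false;
    cpu->data[cpu->sp++] = ret_addr;
    cpu->shadow[cpu->ssp++] = ret_addr;
    return true;
}

/* RET: pop both copies and compare. A mismatch raises a control-protection
 * fault (#CP); neither address is used, so control is never redirected. */
static ret_status sim_ret(cpu_t *cpu, uint64_t *target) {
    if (cpu->sp == 0 || cpu->ssp == 0) return RET_UNDERFLOW;
    uint64_t from_stack  = cpu->data[--cpu->sp];
    uint64_t from_shadow = cpu->shadow[--cpu->ssp];
    if (from_stack != from_shadow) return RET_CP_FAULT;
    *target = from_shadow;
    return RET_OK;
}

/* Model of a memory-corruption write: only the ordinary stack is reachable. */
static void corrupt_return_slot(cpu_t *cpu, size_t depth, uint64_t value) {
    if (depth < cpu->sp) cpu->data[cpu->sp - 1 - depth] = value;
}

/* Two nested calls: the first RET is legitimate, the second finds its slot
 * overwritten and must fault. Returns 0 when the model behaves as described. */
int demo(void) {
    cpu_t cpu = {0};
    uint64_t target = 0;
    sim_call(&cpu, 0x401000);  /* constructed return addresses */
    sim_call(&cpu, 0x402000);
    if (sim_ret(&cpu, &target) != RET_OK || target != 0x402000) return 1;
    corrupt_return_slot(&cpu, 0, 0xdeadbeef);              /* smash remaining slot */
    if (sim_ret(&cpu, &target) != RET_CP_FAULT) return 2;  /* shadow copy wins */
    return 0;
}
```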

I don't know much about CET, but until you get a more authoritative answer, this might help:

  1. It works with other memory corruption flaws (e.g. use after free). But its only purpose is security.
  2. Stack canary is a totally separate technique, and you'd normally have both enabled.
  3. The CPU will raise an interrupt. The OS can decide how to handle this, although terminating the process seems the only sensible action.
paj28