indirect branch tracking
{{Short description|Control flow integrity technology}}
Indirect branch tracking (IBT), also known as branch target identification (BTI), is a control flow integrity mechanism implemented on some Intel x86-64 and ARM-64 processors. IBT is designed to protect against computer security exploits that use indirect branch instructions to jump into code in unintended ways, such as return-oriented programming.
It creates a special "branch target" instructions that have no function other than to mark a location as a valid indirect branch target, with the processor capable of being put into a mode where it will raise an exception if an indirect branch is made to a location without a branch target instruction.
Implementations
On Intel processors, the technique is known as Indirect Branch Tracking (IBT), with the "end branch" instructions {{tt|endbr32}} and {{tt|endbr64}} acting as the branch target instructions for 32- and 64-bit mode respectively.{{Cite web |last=Corbet |first=Jonathan |date=March 31, 2022 |title=Indirect branch tracking for Intel CPUs |url=https://lwn.net/Articles/889475/ |access-date=2023-07-14 |website=lwn.net}}{{Cite web |title=Indirect Branch Tracking - 006 - ID:655258 {{!}} 12th Generation Intel® Core™ Processors |url=https://edc.intel.com/content/www/us/en/design/ipla/software-development-platforms/client/platforms/alder-lake-desktop/12th-generation-intel-core-processors-datasheet-volume-1-of-2/006/indirect-branch-tracking/ |access-date=2024-02-23 |website=edc.intel.com}} IBT is part of the Intel Control-Flow Enforcement Technology first released in the Tiger Lake generation of processors.{{Cite web |title=Intel brings novel CET technology to Tiger Lake mobile CPUs |url=https://www.zdnet.com/article/intel-brings-novel-cet-technology-to-tiger-lake-mobile-cpus/ |access-date=2024-02-23 |website=ZDNET |language=en}}
The similar technology on ARM-64 processors is called Branch Target Identification (BTI), with the instruction, also called {{tt|BTI}}, having three variants that make it check only for jumps, or function calls, or for both.{{Cite web |date=December 2021 |title=Documentation – Arm Developer |url=https://developer.arm.com/documentation/ddi0596/2021-12/Base-Instructions/BTI--Branch-Target-Identification- |access-date=2023-07-14 |website=developer.arm.com}}{{Cite web |title=Documentation – Arm Developer |url=https://developer.arm.com/documentation/100076/0100/A64-Instruction-Set-Reference/A64-General-Instructions/BTI?lang=en |access-date=2024-02-23 |website=developer.arm.com}}