Arbitrary RW means I can have a callchain that goes from C++FuncA -> JITedCodeB -> C++FuncC, and I can then make the JIT engine garbage-collect JITedCodeB and put different code there. Not violating any CFI constraints, but executing arbitrary code.

In short: CFI is bunk in an environment with a JIT that ever reuses +x address space.

Oh cool. You are right. I haven't thought about that attack. Thanks! :)

51%+ of credit for this needs to go to @ifsecure

Ah no, the return-after-free (as I like to call it) idea was entirely your own. My sole contribution was to drag you into a meeting.

I remember this being very much developed in ping-pong, so I will continue to attribute 51% to you :)

@grsecurity ROP attacks return flow. So saying that there is no effective mitigation against ROP might not be entirely wrong by Intel. CET shadow stack does address ROP in fine grained manner and deterministically. And assume arbitrary read/write primitive in attacker hands. /1

@grsecurity In your analysis you mentioned that attacker can use RELRO pages and perform writes to manufacture RO but dirty (thus shadow stack) pages. CET prevents that by faulting ; CR0.WP can't be cleared if CR4.CET = 1. Setting CR4.CET while CR0.WP=0 will fault. /2

RELRO pages have nothing whatsoever to do with CR0.WP. it's a pure sw construct that through syscalls ends up creating the exact pte rights that also mark shadow stacks (unless said sw construct takes care of preventing that, hw can't do anything about it).

Hmm. And s/w (kernel) marks Relro pages read and dirty, so that they get backed by swap space?