BSidesPDX-2025

The tale of the CET Shadow Stack bypass that almost saw the light of day
2025-10-25 , Talk 1

Intel's CET Shadow Stack is a CPU feature aimed at preventing control-flow hijacking shenanigans by keeping a redundant copy of the process stack (the shadow stack) that can be checked for integrity as the program executes. Supporting CET Shadow Stacks in Linux applications took a very long time to implement and deploy, and given the magnitude of the changes required both in the kernel and in the toolchain, there was a reasonable chance that security details would be missed along the way. In this talk we'll cover the interactions between a kernel engineer and a security researcher regarding a last-minute security finding that ended up surfacing an intricate trade-off discussion around safety, performance and compatibility. These discussions led to redesigns of the shadow stack support on the brink of its release, and they remain relevant as new feature designs still stumble on the gritty details of these trade-offs.
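The talk abstract mentions that user-space shadow stack support had to land in both the kernel and the toolchain. A practical question for anyone deploying hardened binaries is whether a given process actually runs with its shadow stack enabled. The following C program is an added example written for this page; it is not code from the talk, its speaker, or the Linux kernel project. It checks shadow stack status in two ways: by asking the kernel directly through `arch_prctl(ARCH_SHSTK_STATUS, ...)` (an interface documented in the kernel's shadow stack documentation from Linux 6.6 onward; the constant values are reproduced from the uapi header so the file builds on older headers), and by parsing the `x86_Thread_features:` line that such kernels add to `/proc/<pid>/status`. The layout assumed for that line (a key followed by space-separated feature words such as `shstk` and `wrss`) follows the kernel documentation; on a kernel or CPU without CET support both checks report "unsupported" rather than failing.

```c
/* Added example: report whether Intel CET shadow stack is active for this
 * thread on Linux x86-64. Not the talk's or the kernel's own code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values as in the Linux uapi/asm/prctl.h (6.6+); redefined here so the
 * example also compiles against older header packages. */
#ifndef ARCH_SHSTK_STATUS
#define ARCH_SHSTK_STATUS 0x5005
#endif
#ifndef ARCH_SHSTK_SHSTK
#define ARCH_SHSTK_SHSTK (1ULL << 0)   /* shadow stack enabled */
#endif
#ifndef ARCH_SHSTK_WRSS
#define ARCH_SHSTK_WRSS (1ULL << 1)    /* WRSS instruction enabled */
#endif

/* Ask the kernel which shadow-stack features are on for the calling thread.
 * Returns 1 if the shadow stack is active, 0 if not, and -1 when the kernel
 * rejects the query (pre-6.6 kernel, non-x86 build, or no CET hardware). */
int shstk_active_via_prctl(void) {
#if defined(__x86_64__) && defined(SYS_arch_prctl)
    unsigned long features = 0;
    long rc = syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &features);
    if (rc != 0)
        return -1;                     /* errno is EINVAL when unsupported */
    return (features & ARCH_SHSTK_SHSTK) ? 1 : 0;
#else
    return -1;
#endif
}

/* Parse the "x86_Thread_features:" line of a /proc/<pid>/status text.
 * Returns 1 if "shstk" is listed, 0 if the line exists without it, and -1 if
 * the line is absent (kernel built without user shadow stack support).
 * The key includes the colon, so "x86_Thread_features_locked:" is ignored. */
int shstk_listed_in_status(const char *status_text) {
    const char *key = "x86_Thread_features:";
    size_t keylen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len >= keylen && strncmp(line, key, keylen) == 0) {
            const char *p = line + keylen;
            const char *stop = line + len;
            while (p < stop) {                       /* walk the feature words */
                while (p < stop && (*p == ' ' || *p == '\t')) p++;
                const char *w = p;
                while (p < stop && *p != ' ' && *p != '\t') p++;
                if (p - w == 5 && strncmp(w, "shstk", 5) == 0)
                    return 1;
            }
            return 0;
        }
        line = end ? end + 1 : NULL;
    }
    return -1;
}

/* Read /proc/self/status (well under the 8 KiB buffer in practice) and run the
 * parser over it. Returns the same codes as shstk_listed_in_status(). */
int shstk_active_via_proc(void) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return shstk_listed_in_status(buf);
}

static const char *describe(int code) {
    return code < 0 ? "unsupported" : code ? "shadow stack ON" : "shadow stack OFF";
}

int main(void) {
    printf("arch_prctl(ARCH_SHSTK_STATUS): %s\n", describe(shstk_active_via_prctl()));
    printf("/proc/self/status:             %s\n", describe(shstk_active_via_proc()));
    return 0;
}
```

Both checks describe the calling thread only: a binary built and linked with shadow stack support still runs without it when the kernel, the CPU, or the loader decided not to enable the feature, which is exactly why a runtime check rather than an inspection of the ELF properties is the useful one when verifying a deployment.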

Beyond the technical scope, this talk aims to emphasize how collaboration between software engineers and security researchers can be fruitful, fun and crucial to achieving more reliable security outcomes.


Open source warriors, security ninjas and apprentices, kernel sorcerers, toolchain forgers, low level dwellers.

João Moreira is a systems security researcher passionate about compilers, OS internals, and digging deep into low-level bugs. At Microsoft, he works on securing cloud infrastructure by reviewing service designs, building secure architectures, and developing defenses against emerging threats. Prior to Microsoft, João worked at Intel, SUSE Linux, and spent time in academia, where he focused on low-level systems topics like control-flow integrity and binary live patching. His research was presented at conferences such as Black Hat Asia, the Linux Plumbers Conference, and the Linux Security Summit. Every now and then, João contributes to open-source projects like the LLVM compiler and the Linux kernel. More recently, he’s been trying to figure out this AI thingy — but he still struggles to write short conference bios with the help of chatbots.