On Fri, Jun 26, 2026 at 10:48:46AM -0700, Xiang Mei wrote:
> > - The displacement is attacker-chosen (via the immediates) up to 0x100ff,
> >   so the pivot can clear any guard narrower than that in one step.
> > - ENTER is reachable as a gadget, so a pivot of this size is available
> >   without depending on register state at the hijack site.
> > - The pivot happens after the control transfer, so it is not constrained
> >   by forward-edge CFI (kCFI / FineIBT).
>
> Please ignore this line; it is not related since we assume we already
> have a CFH primitive. Sorry for the confusion.

So I am still confused by all this. CFI does remove a ton of CFH
primitives. Until we have Shadow Stacks sorted, ROP will obviously be
the main alternative, but I'm really struggling to justify adding 16
guard pages rather than going after any actual control flow hijacking
primitives. I mean, if you have a reliable CFH, we should be fixing
that. But somehow I'm thinking that if you do have one, ENTER isn't
going to be the worst of it. Or am I missing something here?

