CET supported by default (#42839)

Author: gewarren

docs/core/compatibility/9.0.md

@@ -60,7 +60,13 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 
 | Title                                                                             | Type of change      | Introduced version |
 |-----------------------------------------------------------------------------------|---------------------|--------------------|
-| [Deprecated desktop Windows/macOS/Linux MonoVM runtime packages](deployment/9.0/monovm-packages.md) | Source incompatible | Preview 7          |
+| [Deprecated desktop Windows/macOS/Linux MonoVM runtime packages](deployment/9.0/monovm-packages.md) | Source incompatible | Preview 7 |
+
+## Interop
+
+| Title                                                  | Type of change      | Introduced version |
+|--------------------------------------------------------|---------------------|--------------------|
+| [CET supported by default](interop/9.0/cet-support.md) | Binary incompatible | Preview 6          |
 
 ## JIT compiler
 
@@ -73,7 +79,7 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 
 | Title                                                                             | Type of change      | Introduced version |
 |-----------------------------------------------------------------------------------|---------------------|--------------------|
-| [HttpClientFactory logging redacts header values by default](networking/9.0/redact-headers.md) | Behavioral change   | RC 1               |
+| [HttpClientFactory logging redacts header values by default](networking/9.0/redact-headers.md) | Behavioral change | RC 1    |
 | [HttpListenerRequest.UserAgent is nullable](networking/9.0/useragent-nullable.md) | Source incompatible | Preview 1          |
 
 ## SDK and MSBuild

docs/core/compatibility/interop/9.0/cet-support.md

@@ -0,0 +1,44 @@
+---
+title: "Breaking change: CET supported by default"
+description: Learn about the breaking change in interop in .NET 9 where CET is supported by default.
+ms.date: 10/04/2024
+---
+# CET supported by default
+
+`apphost` and `singlefilehost` are now marked as Intel CET—compatible (they're compiled with the `/CETCOMPAT` option). This change was made to enhance security of .NET applications. However, it imposes a limitation on the shared libraries that .NET apps can load and interop with. Libraries aren't allowed to set thread context to a location with an instruction pointer that's not present on the shadow stack or in a table of allowed continuation addresses for exception handling.
+
+## Previous behavior
+
+Previously, shared libraries loaded into the .NET process were able to set thread context using [SetThreadContext](/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext), [RtlRestoreContext](/windows/win32/api/winnt/nf-winnt-rtlrestorecontext)/`NtContinue`, or their exception handlers to any location in the process address space.
+
+## New behavior
+
+Starting in .NET 9, shared libraries loaded into the .NET process are only allowed to set thread context using [SetThreadContext](/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext), [RtlRestoreContext](/windows/win32/api/winnt/nf-winnt-rtlrestorecontext)/`NtContinue`, or their exception handlers to locations that are either:
+
+- Present on the shadow stack.
+- In a table of allowed continuation addresses for exception handling (generated by the `/EHCONT` compiler option or the `SetProcessDynamicEHContinuationTargets` API).
+
+If libraries try to change a thread context to any other location, the process is terminated.
+
+## Version introduced
+
+.NET 9 Preview 6
+
+## Type of breaking change
+
+This change can affect [binary compatibility](../../categories.md#binary-compatibility).
+
+## Reason for change
+
+Enabling CET enhances the security of .NET applications by adding hardware-enforced stack protection that offers robust protection against ROP exploits (return-oriented programming).
+
+## Recommended action
+
+Workarounds:
+
+- You can opt out of CET by adding `<CETCompat>false</CETCompat>` to your app's project file (for example, *.csproj* file).
+- Use the Windows Security app or a group policy to opt out of the hardware-supported stack enforcement for the specific .NET application. For more information, see [Enable exploit protection](/defender-endpoint/enable-exploit-protection).
+
+## Affected APIs
+
+- N/A

docs/core/compatibility/toc.yml

@@ -60,6 +60,10 @@ items:
             items:
               - name: Deprecated desktop Windows/macOS/Linux MonoVM runtime packages
                 href: deployment/9.0/monovm-packages.md
+          - name: Interop
+            items:
+              - name: CET supported by default
+                href: interop/9.0/cet-support.md
           - name: JIT compiler
             items:
               - name: Floating point to integer conversions are saturating
@@ -1620,6 +1624,10 @@ items:
             href: globalization.md
       - name: Interop
         items:
+          - name: .NET 9
+            items:
+              - name: CET supported by default
+                href: interop/9.0/cet-support.md
           - name: .NET 8
             items:
               - name: CreateObjectFlags.Unwrap only unwraps on target instance