Intel has introduced a new set of processor-level security features to help protect against a specific type of attack that takes advantage of memory safety vulnerabilities in browsers and operating systems.
The new protections, known as Control-Flow Enforcement Technology (CET), are part of a push by Intel to bring more security down to the hardware level rather than relying on the OS and third-party applications to provide defenses. CET is built into the company’s Tiger Lake mobile processors, which are due for release later this year, and will make its way into server and desktop processors later. The idea behind the introduction of CET is to create a hardware-level barrier to return-oriented programming attacks, a technique in which attackers build a malicious code flow from return instructions on the stack. The attack uses bytes that are already in the computer’s memory and are executable.
“So, with a ROP attack, the attacker can execute arbitrary code composed via gadgets using the existing program, inheriting all the permissions of the program. This makes these attacks effective and hard to detect and potentially allows an attacker to escalate privileges or break out of process sandboxes. These types of malware target operating systems (OS), browsers, readers and many other applications, and it takes deep integration with hardware at the foundation to deliver more effective protection with minimal performance impact,” Intel’s technical paper on the new protection says.
ROP attacks have been in use for many years, and software makers have introduced a number of mitigations to help prevent or minimize the effects of successful exploits. Microsoft specifically has been adding mitigations for common ROP techniques to Windows consistently as new attacks have emerged, but the techniques continue to evolve, so defenses must as well. As with many other areas of security, the combination of software and hardware approaches is often more effective than either one on its own.
“As more proactive protections are built into the Windows OS, attackers are shifting their efforts to exploit memory safety vulnerabilities by hijacking the integrity of the control flow,” said David Weston, director of Enterprise and OS Security at Microsoft. “As an opt-in feature in Windows 10, Microsoft has worked with Intel to offer hardware-enforced stack protection that builds on the extensive exploit protection built into Windows 10 to enforce code integrity as well as terminate any malicious code.”
But it’s not just Windows machines that will have the benefit of the new protections once the CET-enabled processors are available.
“We've also been working with the Linux and developer communities. We’ve been making sure they understand how Intel CET works and that they are taking advantage of it in their respective products,” Tom Garrison, vice president of the Client Computing Group and General Manager of Security Strategies and Initiatives at Intel, said in an email.
Although some of the software-based defenses and mitigations that Microsoft and other software makers have introduced have been effective, the risk of ROP and jump-oriented programming (JOP) exploit attempts is still quite real.
“ROP and JOP malware attacks can be particularly hard to detect or prevent because the attacker uses existing code running from executable memory in a creative way to change program behavior. Many software-based detection and prevention techniques have been developed with limited success. Because the code is legitimate, it makes control flow hijacking difficult to see,” Garrison said.
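The point Garrison makes above, and the description of ROP earlier in the piece, both come down to the same thing: every instruction the attacker runs is legitimate code, so inspecting the code does not reveal the hijack. What a hardware shadow stack checks instead is the return address itself. The following is an added illustration, not Intel's own implementation or code from this article: a small software model in which a CALL pushes the return address onto both an ordinary stack and a shadow copy that ordinary stores cannot reach, and a RET compares the two. The addresses, the `Machine` type and the scenario functions are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified software model of a shadow stack (added illustration only;
 * it is not Intel's hardware design). Return addresses are plain
 * integers, and the two stacks are ordinary arrays. */

#define MAX_DEPTH 64

typedef struct {
    uint64_t data[MAX_DEPTH];   /* ordinary stack: reachable by program stores */
    uint64_t shadow[MAX_DEPTH]; /* shadow stack: written only by call/ret */
    size_t depth;
} Machine;

typedef enum { RET_OK, RET_MISMATCH, RET_UNDERFLOW } RetStatus;

void machine_init(Machine *m) { m->depth = 0; }

/* A CALL records the return address on both stacks. */
bool machine_call(Machine *m, uint64_t return_address) {
    if (m->depth >= MAX_DEPTH) return false;
    m->data[m->depth] = return_address;
    m->shadow[m->depth] = return_address;
    m->depth++;
    return true;
}

/* Models the effect of a memory-safety bug: a slot on the ordinary stack is
 * overwritten. The shadow stack is not addressable by ordinary stores, so it
 * keeps the original value. */
bool machine_corrupt_slot(Machine *m, size_t slot, uint64_t value) {
    if (slot >= m->depth) return false;
    m->data[slot] = value;
    return true;
}

/* A RET pops both stacks. If the two copies disagree, the hardware would raise
 * a control-protection fault instead of transferring control; here we report
 * RET_MISMATCH and hand back the trusted (shadow) address. */
RetStatus machine_ret(Machine *m, uint64_t *target) {
    if (m->depth == 0) return RET_UNDERFLOW;
    m->depth--;
    uint64_t from_data = m->data[m->depth];
    uint64_t from_shadow = m->shadow[m->depth];
    if (target) *target = from_shadow;
    return (from_data == from_shadow) ? RET_OK : RET_MISMATCH;
}

/* Scenario 1: two nested calls that return normally. */
RetStatus scenario_clean(void) {
    Machine m;
    uint64_t t;
    machine_init(&m);
    machine_call(&m, 0x401000); /* constructed addresses */
    machine_call(&m, 0x401020);
    if (machine_ret(&m, &t) != RET_OK) return RET_MISMATCH;
    return machine_ret(&m, &t);
}

/* Scenario 2: the inner frame's return slot on the ordinary stack is
 * overwritten before the RET executes. */
RetStatus scenario_corrupted_return(void) {
    Machine m;
    uint64_t t;
    machine_init(&m);
    machine_call(&m, 0x401000);
    machine_call(&m, 0x401020);
    machine_corrupt_slot(&m, 1, 0x4f0000); /* constructed value */
    return machine_ret(&m, &t);
}

int main(void) {
    printf("clean sequence:     %s\n",
           scenario_clean() == RET_OK ? "RET_OK" : "fault");
    printf("corrupted return:   %s\n",
           scenario_corrupted_return() == RET_MISMATCH ? "RET_MISMATCH" : "missed");
    return 0;
}
```

The model makes the detection argument concrete: the check never looks at which code the return lands in, only at whether the address on the ordinary stack still matches the copy that the program could not modify. That is why the protection applies even when, as Garrison says, the code being executed is legitimate.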