Intel has announced the launch of a new security capability, Intel Control-Flow Enforcement Technology. Intel CET will be first available on Intel’s upcoming mobile processor code-named Tiger Lake. It delivers CPU-level security capabilities to help protect against common malware attack methods that have been a challenge to mitigate with software alone.
Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks. Intel CET offers software developers two key capabilities to help defend against control-flow hijacking malware: indirect branch tracking and shadow stack. Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods. Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods. These types of attack methods are part of a class of malware referred to as memory safety issues and include tactics such as the corruption of stack buffer overflow and use-after-free.
Intel and Microsoft have been working closely to prepare Windows 10 and developer tools so applications and the industry at large can offer better protection against control-flow hijacking threats.
Microsoft’s upcoming support for Intel CET in Windows 10 is called Hardware-enforced Stack Protection, and a preview of it is available today in Windows 10 Insider Previews. This new Hardware-enforced Stack Protection feature only works on chipsets with Intel CET instructions. It relies on a new CPU architecture that is compliant with Intel CET specifications. For applications running on an OS that supports Intel CET, users can expect detailed guidance from our partners on how applications “opt-in” for protection.
The significance of Intel CET is that it is built into the microarchitecture and available across the family of products with that core. While Intel vPro platforms with Intel Hardware Shield already meet and exceed the security requirements for Secured-core PCs, Intel CET further extends advanced threat protection capabilities. Intel CET is also expected to be available in future desktop and server platforms.
