Intel adds CPU-level malware protection to Tiger Lake processors

Intel today announced a new CPU-level security capability known as Control-Flow Enforcement Technology (Intel CET) that offers protection against malware using control-flow hijacking attack methods on devices with Intel's future Tiger Lake mobile processors.

"Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks–widely used techniques in large classes of malware," Intel VP & GM of Client Security Strategy and Initiatives Tom Garrison said.

"Intel has been actively collaborating with Microsoft and other industry partners to address control-flow hijacking by using Intel’s CET technology to augment the previous software-only control-flow integrity solutions," Intel Fellow, Client Computing Group, Baiju Patel added.

ROP, JOP, and COP attacks

Intel CET, for which Intel has published a technical specification, provides two new key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT).

IBT defends against attacks using jump/call oriented programming (JOP and COP), while SS protects against return-oriented programming (ROP) attacks.

Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) are techniques adversaries use to bypass the anti-malware protections built into software and operating systems, and they are widely used "in large classes of malware."

Attacks using these techniques can be especially hard to detect or block since the malicious actors who employ them use already existing code from executable memory to change how a program behaves.

[Figure: Intel CET. Source: Intel]

As part of ROP attacks, the adversaries will use RET (return) instructions to execute arbitrary attack code flows to either escape sandboxes or escalate privileges by "using already-executable bytes of the original program" with the same permissions.

Intel CET shields against such attacks with a Shadow Stack. CET's state machine uses it to detect and block attacks, reporting an exception to the OS when the address on the shadow stack does not match the address on the attacked program's data stack.

"Similarly, other indirect branch instructions, such as Call and Jump indirect can be used to launch variant attacks, called COP (call oriented programming) or JOP (jump oriented programming)," Patel further details.

"CET also adds an Indirect Branch Tracking capability to provide software the ability to restrict COP/JOP attacks."
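The two checks described above can be modeled in a few lines of C. This is an added example, not Intel's or Microsoft's code: a toy state machine in which the stacks hold return addresses only, IBT is reduced to a table of permitted landing pads (standing in for the ENDBRANCH markers real CET uses), and all names and addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEPTH 8
enum cet_result { CET_OK, CET_CP_FAULT };  /* CP_FAULT models the exception reported to the OS */

struct cpu {
    uint64_t data_stack[DEPTH];    /* ordinary stack: writable by the program and by a memory bug */
    uint64_t shadow_stack[DEPTH];  /* shadow stack: written only by CALL, read only by RET */
    size_t sp, ssp;
};

/* CALL pushes the return address on both stacks. */
static void model_call(struct cpu *c, uint64_t ret_addr) {
    if (c->sp == DEPTH || c->ssp == DEPTH) return;  /* toy model: ignore calls past DEPTH */
    c->data_stack[c->sp++] = ret_addr;
    c->shadow_stack[c->ssp++] = ret_addr;
}

/* RET pops both copies and faults when they differ. */
static enum cet_result model_ret(struct cpu *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return CET_CP_FAULT;
    uint64_t from_data = c->data_stack[--c->sp];
    uint64_t from_shadow = c->shadow_stack[--c->ssp];
    if (from_data != from_shadow) return CET_CP_FAULT;
    *target = from_data;
    return CET_OK;
}

/* Constructed code layout: only offsets 0 and 3 are valid indirect-branch targets. */
static const uint8_t PADS[4] = {1, 0, 0, 1};

/* IBT: an indirect CALL/JMP faults unless the target is a marked landing pad. */
static enum cet_result model_indirect(const uint8_t *pads, size_t n, size_t target) {
    return (target < n && pads[target]) ? CET_OK : CET_CP_FAULT;
}

/* One call/return; when `corrupt` is set the saved return address is overwritten first. */
static enum cet_result demo_return(int corrupt) {
    struct cpu c = {0};
    uint64_t target = 0;
    model_call(&c, 0x401000);                        /* constructed return address */
    if (corrupt) c.data_stack[c.sp - 1] = 0x40beef;  /* stands in for a stack overwrite */
    return model_ret(&c, &target);
}

int main(void) {
    printf("clean=%d overwritten=%d pad=%d non-pad=%d\n", demo_return(0), demo_return(1),
           model_indirect(PADS, 4, 3), model_indirect(PADS, 4, 1));
    return 0;
}
```
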

Intel CET also extends threat protection capabilities on Intel vPro platforms that come with Intel Hardware Shield tech designed to defend against firmware-level attacks.

Windows 10 CPU-level malware protection

Intel has worked closely with Microsoft to include support for Intel CET in the Windows 10 OS and in developer tools to provide more reliable protection against control-flow hijacking threats by expanding on the already available software-only control-flow integrity solutions.

Intel CET in Windows 10 is known as Hardware-enforced Stack Protection, and a preview is available starting today for Windows 10 Insiders.

"The significance of Intel CET is that it is built into the microarchitecture and available across the family of products with that core," Garrison added.

"While Intel vPro platforms with Intel Hardware Shield already meet and exceed the security requirements for Secured-core PCs, Intel CET further extends advanced threat protection capabilities."

"Intel’s CET, when used properly by software, is a big step in helping to prevent exploits from hijacking the control-flow transfer instructions," Patel explained.

In the future, Intel CET will also be available on other desktop and server platforms to provide hardware-level protection against current and future malware threats.
