The Intel Control-Flow Enforcement Technology.
Intel control-flow enforcement technology (CET) was built with CPU-level security capabilities to help protect against common malware attack methods that have been a challenge to mitigate with software alone.
Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks – widely used techniques in large classes of malware.
The security capability offers software developers two key capabilities to help defend against control-flow hijacking malware — indirect branch tracking and shadow stack.
Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods.
Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods. These types of attack methods are part of a class of malware referred to as memory safety issues and include tactics such as the corruption of stack buffer overflow and use-after-free.
Garrison stated according to TrendMicro’s Zero Day Initiative (ZDI), 63.2 per cent of the 1,097 vulnerabilities disclosed by ZDI from 2019 to today were memory safety related. These malware types target operating systems (OS), browsers, readers, and many other applications.
“It takes deep hardware integration at the foundation to deliver effective security features with minimal performance impact,” he stated. “We recognised that scaling OS and application adoption to truly solve the problem would require industry-wide collaboration.”
Intel and Microsoft have been working closely to prepare Windows 10 and developer tools so applications and the industry at large can offer better protection against control-flow hijacking threats, said Garrison.
