Intel bore the brunt of criticism for a series of side-channel vulnerabilities affecting decades of processors, namely Spectre and Meltdown, along with subsequent software patches that can negatively impact performance in some instances. In partial response to this, Intel is working on hardware-level safeguards for its future CPUs. Starting with Tiger Lake, we will see one such implementation.
The new security capability is called Intel Control-Flow Enforcement Technology (CET). As the name implies, it is intended to stop control-flow hijacking attacks, a broad class of exploits in which malware redirects the execution of legitimate code instead of running its own. According to Intel, CET will “help protect against common malware attack methods that have been a challenge to mitigate with software alone.”
“As more proactive protections are built into the Windows OS, attackers are shifting their efforts to exploit memory safety vulnerabilities by hijacking the integrity of the control flow,” said David Weston, director of Enterprise and OS Security at Microsoft. “As an opt-in feature in Windows 10, Microsoft has worked with Intel to offer hardware-enforced stack protection that builds on the extensive exploit protection built into Windows 10 to enforce code integrity as well as terminate any malicious code.”
Though CET is part of the Tiger Lake microarchitecture, it also requires support from the OS. In Windows 10, support for CET is called “Hardware-enforced Stack Protection,” and it is currently being tested in the Windows Insider program.
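The mechanism behind “hardware-enforced stack protection” is the CET shadow stack: every call pushes the return address onto the ordinary stack and onto a second, hardware-protected stack that ordinary memory writes cannot reach, and every return compares the two. The following C program is an added illustration, not Intel's or Microsoft's code, that models that check in software so the behaviour can be stepped through. The `cpu_model` type, the `model_*` functions and the two scenario functions are assumptions made for this example; the only facts taken from the real design are the dual push on call, the comparison on return, and the control-protection fault (#CP) raised on a mismatch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 64

/* Software model of a CET-style shadow stack (illustration only, not Intel's
 * implementation). data_stack stands for the normal stack, which a memory-safety
 * bug can overwrite; shadow_stack stands for the hardware-protected copy that
 * only call/return operations update. */
typedef struct {
    uintptr_t data_stack[STACK_DEPTH];
    uintptr_t shadow_stack[STACK_DEPTH];
    int sp;
} cpu_model;

enum ret_result {
    RET_OK = 0,                       /* both copies agree, return proceeds */
    RET_EMPTY = 1,                    /* nothing to return to */
    RET_CONTROL_PROTECTION_FAULT = 2  /* mismatch: hardware raises #CP */
};

void model_init(cpu_model *m) { memset(m, 0, sizeof *m); }

/* CALL: the return address is pushed on both stacks. */
int model_call(cpu_model *m, uintptr_t return_addr) {
    if (m->sp >= STACK_DEPTH) return 0;
    m->data_stack[m->sp] = return_addr;
    m->shadow_stack[m->sp] = return_addr;
    m->sp++;
    return 1;
}

/* Models the effect of a memory-safety bug (for example a stack buffer overflow)
 * that overwrites a saved return address on the normal stack. The shadow copy
 * is not touched because ordinary stores cannot write shadow-stack pages. */
void model_simulate_stack_corruption(cpu_model *m, int slot, uintptr_t new_value) {
    if (slot >= 0 && slot < m->sp) m->data_stack[slot] = new_value;
}

/* RET: pop both copies; a disagreement is reported instead of being followed. */
enum ret_result model_ret(cpu_model *m, uintptr_t *target) {
    if (m->sp == 0) return RET_EMPTY;
    m->sp--;
    uintptr_t from_data = m->data_stack[m->sp];
    uintptr_t from_shadow = m->shadow_stack[m->sp];
    if (from_data != from_shadow) {
        *target = 0;
        return RET_CONTROL_PROTECTION_FAULT;
    }
    *target = from_data;
    return RET_OK;
}

/* Constructed addresses used by the two scenarios below (not real code addresses). */
#define ADDR_CALLER_A 0x401000u
#define ADDR_CALLER_B 0x402000u
#define ADDR_UNEXPECTED 0xdeadbeefu

/* Normal nested calls: every return lands on the address that was pushed. */
enum ret_result scenario_benign(uintptr_t *last_target) {
    cpu_model m;
    model_init(&m);
    model_call(&m, ADDR_CALLER_A);
    model_call(&m, ADDR_CALLER_B);
    uintptr_t t;
    enum ret_result r = model_ret(&m, &t);   /* returns to B */
    if (r != RET_OK || t != ADDR_CALLER_B) return r == RET_OK ? RET_CONTROL_PROTECTION_FAULT : r;
    r = model_ret(&m, &t);                   /* returns to A */
    *last_target = t;
    return r;
}

/* The saved return address is corrupted before the return executes:
 * the shadow copy still holds the original, so the mismatch is caught. */
enum ret_result scenario_corrupted(uintptr_t *last_target) {
    cpu_model m;
    model_init(&m);
    model_call(&m, ADDR_CALLER_A);
    model_simulate_stack_corruption(&m, 0, ADDR_UNEXPECTED);
    return model_ret(&m, last_target);
}

int main(void) {
    uintptr_t t;
    printf("benign:    result=%d target=0x%lx\n", scenario_benign(&t), (unsigned long)t);
    printf("corrupted: result=%d target=0x%lx\n", scenario_corrupted(&t), (unsigned long)t);
    return 0;
}
```

The point the model makes is that the return address on the normal stack is still overwritten; what changes with CET is that the overwritten value is never followed, because the return compares it against the shadow copy and faults on disagreement. That is why the protection can be deployed without recompiling the data-handling logic of an application: it checks the result of a memory-safety bug at the moment it would become a control-flow hijack.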
How important is this? Intel points to a Trend Micro report indicating that nearly two-thirds of the 1,097 zero-day vulnerabilities disclosed from 2019 to today were related to memory safety.
“These malware types target operating systems (OS), browsers, readers and many other applications. It takes deep hardware integration at the foundation to deliver effective security features with minimal performance impact,” Intel says.
Tiger Lake will be the first CPU series to feature CET, but not the last. Intel says CET will also ship in future desktop and server platforms.