Intel To Ramp Up Anti-Malware Hardware Security Measures With New Control-Flow Enforcement Technology Starting With Tiger Lake

Intel is ramping up the hardware-level security of its CPUs with a brand new security capability, starting with the mobile Tiger Lake family, the company announced this week.

Control-Flow Enforcement Technology (Intel CET), as it’s been named, intends to add yet another layer of security to Intel’s existing array of security measures in its chips. Intel CET is designed to protect against the most common malware attack methods that software alone cannot adequately defend against.

According to a news brief penned by Intel’s Tom Garrison, Intel CET will act as a barrier to the ‘misuse of legitimate code through control-flow hijacking attacks.’ In particular, CET acts on two fronts: indirect branch tracking and shadow stack.

As Garrison explains, ‘Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods. Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods. These types of attack methods are part of a class of malware referred to as memory safety issues, and include tactics such as the corruption of stack buffer overflow and use-after-free.’
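To make the two mechanisms Garrison describes concrete, here is a toy interpreter added for illustration (it is not Intel's implementation and not from the article): every CALL records the return address on a separate shadow stack that ordinary memory writes cannot reach, RET refuses to proceed if the two copies disagree, and an indirect jump must land on an ENDBR marker. The instruction set, fault codes and sample programs are all constructed.

```c
/* Toy interpreter modelling CET's two checks (constructed illustration, not Intel's design):
 * - shadow stack: every CALL pushes the return address twice; RET pops both and they must match
 * - indirect branch tracking: an indirect jump must land on an ENDBR instruction */
enum { OP_NOP, OP_CALL, OP_RET, OP_JMP_IND, OP_ENDBR, OP_HALT };
enum { RUN_OK = 0, FAULT_SHSTK = 1, FAULT_IBT = 2, FAULT_LIMIT = 3 };
typedef struct { int op; int target; } insn;
#define STACK_SLOTS 16

/* Runs prog from pc 0. If corrupt_slot >= 0, that data-stack slot is overwritten with corrupt_to
 * just before it is popped, modelling a stack-buffer overflow that reaches the saved return
 * address but cannot reach the hardware shadow stack. */
int run(const insn *prog, int corrupt_slot, int corrupt_to) {
    int data_stack[STACK_SLOTS], shadow_stack[STACK_SLOTS];
    int sp = 0, pc = 0, expect_endbr = 0;
    for (int steps = 0; steps < 1000; steps++) {
        insn i = prog[pc];
        /* IBT: the first instruction after an indirect branch must be ENDBR */
        if (expect_endbr && i.op != OP_ENDBR) return FAULT_IBT;
        expect_endbr = 0;
        switch (i.op) {
        case OP_CALL:
            if (sp == STACK_SLOTS) return FAULT_LIMIT;
            data_stack[sp] = shadow_stack[sp] = pc + 1;  /* return address mirrored */
            sp++;
            pc = i.target;
            break;
        case OP_RET:
            if (sp == 0) return FAULT_LIMIT;
            sp--;
            if (corrupt_slot == sp) data_stack[sp] = corrupt_to;  /* simulated overwrite */
            /* shadow stack: a mismatch means the saved return address was tampered with */
            if (data_stack[sp] != shadow_stack[sp]) return FAULT_SHSTK;
            pc = data_stack[sp];
            break;
        case OP_JMP_IND:
            pc = i.target;
            expect_endbr = 1;
            break;
        case OP_HALT:
            return RUN_OK;
        default:  /* NOP and ENDBR just advance to the next instruction */
            pc++;
        }
    }
    return FAULT_LIMIT;
}

/* Constructed sample programs: a clean call/return, a clean indirect jump, and an indirect jump
 * whose target has no ENDBR. */
const insn prog_call_ret[] = { {OP_CALL, 2}, {OP_HALT, 0}, {OP_NOP, 0}, {OP_RET, 0} };
const insn prog_ibt_ok[]   = { {OP_JMP_IND, 2}, {OP_HALT, 0}, {OP_ENDBR, 0}, {OP_HALT, 0} };
const insn prog_ibt_bad[]  = { {OP_JMP_IND, 1}, {OP_HALT, 0} };
```

Calling `run(prog_call_ret, 0, 2)` models a corrupted saved return address and yields FAULT_SHSTK, the analogue of the control-protection exception on which the OS terminates the process; `run(prog_ibt_bad, -1, 0)` yields FAULT_IBT because the jump target lacks ENDBR.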

According to Intel, these types of malware attacks account for 63.2% of the known vulnerabilities disclosed by ZDI from 2019 to today. They target operating systems, readers, browsers, and numerous other applications.

Intel is also teaming up with Microsoft to ensure OS-level integration of Intel CET. In that spirit, Microsoft has pieced together a system to support CET dubbed Hardware-enforced Stack Protection in Windows 10, which is already available for preview via Windows 10 Insider Previews. Hardware-enforced Stack Protection will function with all chipsets compliant with Intel CET specifications.

As Microsoft’s director of enterprise and OS security David Weston explains, ‘as an opt-in feature in Windows 10, Microsoft has worked with Intel to offer hardware-enforced stack protection that builds on the extensive exploit protection built into Windows 10 to enforce code integrity as well as terminate any malicious code.’

Intel plans to incorporate the Intel CET technology into future desktop and server platforms.