Intel Tiger Lake CPUs Get Malware Protection


Intel's new mobile CPUs, code-named Tiger Lake, will feature an anticipated security layer called Control-flow Enforcement Technology (CET) to protect against common malware attacks. CET protects against attacks on a processor's control flow, which refers to the order in which different function calls are executed. Previously, hackers have targeted control flow in attacks to hijack processes and modify their instructions. This could allow them to execute arbitrary code on victims' systems.

Intel CET has CPU-level security capabilities to help protect against common malware attacks that have been a challenge to mitigate with software alone. These types of attacks belong to a class referred to as memory-safety issues, and include tactics such as stack buffer overflow corruption and use-after-free. Intel’s Tiger Lake CPUs are the first to come with Intel CET, which will fight control-flow hijacking attacks by adding two types of protection.


The first is Indirect Branch Tracking (IBT), which guards against attacks called call-oriented programming or jump-oriented programming. These attacks occur when short code sequences that end in specific call and jump instructions are located and chained in a specific order to execute the hacker's payloads. IBT prevents this by adding a new instruction, ENDBRANCH, which is used to track all indirect call and jump instructions and detect any control-flow violations.

The second protection is shadow stack, which helps against return-oriented programming (ROP) attacks. These attacks center around return instructions in a control flow, which are intended to fetch the address of the next instruction from the stack and execute instructions from that address. In ROP attacks, a hacker abuses these return instructions to weave together a malicious code flow. Shadow stack prevents this by adding return address protection. When shadow stacks are enabled, the CALL instruction on a processor pushes the return address onto both the data stack and the shadow stack, and the processor makes sure that they match.
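
The return-address check described above can be modeled in a few lines of C. This is an added illustration, not Intel's code or real CET: the struct, function names and addresses are constructed, and the model assumes the comparison happens when the return executes, with a mismatch treated as a fault instead of a control transfer.

```c
#include <stdint.h>
#include <stdio.h>
#define DEPTH 16

/* Toy model, not real CET: two stacks that each hold return addresses. */
struct cpu {
    uint64_t data[DEPTH];    /* ordinary stack: writable by program code */
    uint64_t shadow[DEPTH];  /* shadow stack: written only by call/ret */
    size_t sp, ssp;
};

/* CALL: push the return address onto both stacks. */
static int cet_call(struct cpu *c, uint64_t ret_addr) {
    if (c->sp == DEPTH || c->ssp == DEPTH) return -1;
    c->data[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return 0;
}

/* RET: pop both copies; 0 = return allowed, 1 = mismatch (fault). */
static int cet_ret(struct cpu *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return -1;
    uint64_t from_data = c->data[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_data != from_shadow) return 1;  /* control is not transferred */
    *target = from_data;
    return 0;
}

/* Models a memory-safety bug that overwrites the saved return address. */
static void corrupt_top(struct cpu *c, uint64_t bogus) {
    if (c->sp) c->data[c->sp - 1] = bogus;
}

/* Two nested calls, optional corruption, then one return. */
static int run_scenario(int corrupt) {
    struct cpu c = {0};
    uint64_t target = 0;
    cet_call(&c, 0x401000);              /* constructed addresses */
    cet_call(&c, 0x401234);
    if (corrupt) corrupt_top(&c, 0xdeadbeef);
    return cet_ret(&c, &target);
}

int main(void) {
    printf("clean return:     %d\n", run_scenario(0));
    printf("corrupted return: %d\n", run_scenario(1));
    return 0;
}
```

The corruption only reaches the data stack copy, which is why the two values disagree when the return executes.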

Intel released the first specification of CET in 2016. Various software makers have added support for the technology into their products, including Microsoft in its Hardware-enforced Stack Protection for Windows. CET is being released first for Intel’s mobile lineup and will be available on desktop and server platforms later. Intel is preparing for volume production of its Tiger Lake chipset, and expects to begin shipping the processors to OEMs mid-year.