Intel Adds Anti-Malware Protection in Tiger Lake CPUs

2020-06-15T19:46:40
ID THREATPOST:12C924FA8369F488880FB7860D2438A8
Type threatpost
Reporter Lindsey O'Donnell
Modified 2020-06-15T19:46:40

Description

Intel’s upcoming class of mobile CPUs, code named “Tiger Lake,” will feature a long anticipated security layer, called Control-flow Enforcement Technology (CET), which aims to protect against common malware attacks.

CET protects against attacks on processors’ control flow, which refers to the order in which different functions calls are executed. Previously, attackers have targeted control flow in attacks where they hijack the processes and modify the instructions. This could potentially allow them to execute arbitrary code on victims’ systems.

“Intel CET delivers CPU-level security capabilities to help protect against common malware attack methods that have been a challenge to mitigate with software alone,” said Tom Garrison, vice president and general manager of Client Security Strategy and Initiatives with Intel, in a Monday post. “These types of attack methods are part of a class of malware referred to as memory-safety issues, and include tactics such as the corruption of stack buffer overflow and use-after-free.”

Intel’s upcoming Tiger Lake CPUs (which were first announced in January) are the first to come equipped with Intel CET, which will battle control-flow hijacking attacks by adding two types of protection.

The first is Indirect Branch Tracking (IBT), which defends against attacks called call-oriented programming or jump-oriented programming (COP and JOP). These types of code-reuse attacks occur when short code sequences that end in specific call and jump instructions are located and chained into a specific order, in order to execute attackers’ payloads. IBT prevents this by creating a new instruction, ENDBRANCH, which tracks all indirect call and jump instructions to detect any control-flow violations.

The second protection is shadow stack (SS). Shadow stack helps to defend against return-oriented programming (ROP) attacks. These types of attacks center around return instructions in a control flow, which are intended to fetch the address of the next instruction from the stack, and execute instructions from that address. In ROP attacks, an attacker abuses these return instructions to stitch together a malicious code flow.

Shadow stack (separate from the data stack) prevents this by adding return address protection. When shadow stacks are enabled, the CALL instruction on a processor pushes the return address on both the data stack and shadow stack and make sure that they match.

“JOP or ROP attacks can be particularly hard to detect or prevent because the attacker uses existing code running from executable memory in a creative way to change program behavior,” Baiju Patel, fellow with Intel’s client computing group, said. “What makes it hard to detect or prevent ROP/JOP is the fact that attacker uses existing code running from executable memory. Many software-based detection and prevention techniques have been developed and deployed with limited success.”

Intel published the first specification of CET in 2016. Various software makers have added support for the technology into their products, including Microsoft in its Hardware-enforced Stack Protection for Windows.

While CET is launching for Intel’s mobile lineup, the technology will soon be available on desktop and server platforms, according to Garrison. The chip giant is now preparing for volume production of its Tiger Lake chipset, and expects to being shipping the processors to OEMs mid-year.

FREE Webinar: Are you on top of the shifting insider threats within your business? On *_June 24 at 2 p.m. ET_, join Threatpost and our panel of experts for a complimentary webinar, __**_The Enemy Within: How Insider Threats Are Changing.” _Get exclusive insights on how _remote working has increased the risk of insider threats, and how to gain visibility into employee behavior while striking the right balance between privacy and ease of use. Please register here*_ for this webinar.**