What’s the skinny? Earlier today Intel announced that its latest processors, code-named “Tiger Lake,” will feature a new security capability, Intel® Control-Flow Enforcement Technology (Intel CET). This new capability will appear first on Intel’s upcoming mobile processors and will eventually be seen throughout its entire lineup of processors, including its server chips.
So what is CET exactly? Intel’s control-flow enforcement technology is hardware-level security designed to mitigate malware attacks. “Intel CET offers software developers two key capabilities to help defend against control-flow hijacking malware: indirect branch tracking and shadow stack. Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods. Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods.”
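A simplified software model of the two checks named above, added here as an illustration; it is not Intel's or Microsoft's code, and the addresses, instruction layout and function names are constructed. In real hardware the shadow stack lives in memory that ordinary stores cannot write, and a failed check raises a control-protection exception instead of returning an error code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEPTH 8                          /* model limit, not a hardware value */
enum { OK = 0, CP_FAULT = -1 };          /* CP_FAULT models the control-protection exception */
enum insn { ENDBR64, OTHER };            /* only what the model needs to tell apart */

struct cpu {
    uint64_t stack[DEPTH];               /* data stack: ordinary stores can reach it */
    uint64_t shadow[DEPTH];              /* shadow stack: written only by call_insn() */
    size_t sp, ssp;
};

/* CALL pushes the return address onto both stacks. */
static int call_insn(struct cpu *c, uint64_t ret_addr) {
    if (c->sp == DEPTH || c->ssp == DEPTH) return CP_FAULT;
    c->stack[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return OK;
}

/* RET pops both copies and faults if they disagree. */
static int ret_insn(struct cpu *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return CP_FAULT;
    uint64_t from_stack = c->stack[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_stack != from_shadow) return CP_FAULT;
    *target = from_stack;
    return OK;
}

/* Indirect CALL/JMP: the instruction at the target must be an ENDBR marker. */
static int indirect_branch(const enum insn *code, size_t len, size_t target) {
    return (target < len && code[target] == ENDBR64) ? OK : CP_FAULT;
}

/* Constructed scenario: one call, optional overwrite of the saved address, one return. */
static int run_return(int corrupt) {
    struct cpu c = {0};
    uint64_t target = 0;
    call_insn(&c, 0x401000);                    /* constructed return address */
    if (corrupt) c.stack[c.sp - 1] = 0x402000;  /* models a memory-safety bug on the data stack */
    return ret_insn(&c, &target);
}

int main(void) {
    const enum insn code[] = { ENDBR64, OTHER, OTHER, ENDBR64 };  /* constructed layout */
    printf("clean return: %d, overwritten return: %d\n", run_return(0), run_return(1));
    printf("branch to entry: %d, branch mid-function: %d\n",
           indirect_branch(code, 4, 3), indirect_branch(code, 4, 1));
    return 0;
}
```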
“As more proactive protections are built into the Windows OS, attackers are shifting their efforts to exploit memory safety vulnerabilities by hijacking the integrity of the control flow,” said David Weston, director of Enterprise and OS Security at Microsoft. “As an opt-in feature in Windows 10, Microsoft has worked with Intel to offer hardware-enforced stack protection that builds on the extensive exploit protection built into Windows 10 to enforce code integrity as well as terminate any malicious code.”
Intel has been working closely with Microsoft to integrate this microarchitecture-level security with Windows 10. A preview of this can be seen today in Windows 10 Insider Previews.