Intel to Add Hardware-Based Malware Protection to Their CPUs

When it comes to protecting your computer against malware, the majority of people rely on software. Intel announced a new CPU-based security capability known as Control-Flow Enforcement Technology (Intel CET) that offers protection against malware using control-flow hijacking attack methods on devices with Intel’s future Tiger Lake mobile processors.

Intel CET

According to Intel, “Intel CET offers software developers two key capabilities to help defend against control-flow hijacking malware: indirect branch tracking and shadow stack. Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods. Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods.”

Security Level

Control-flow hijacking attacks are a prevalent type of malware, that involves manipulating memory and using jump- or call-oriented programming or return-oriented programming to modify existing code. Because it involves modifying the existing code of an application, like a web browser, to carry out malicious actions, traditional anti-virus software can’t detect it.

To protect against these types of attacks, Intel CET has two key capabilities. The first one, indirect branch tracking, protects against jump-oriented programming by preventing attackers from jumping to an arbitrary part of the code and instead forcing them to the end branch of an address, ensuring that the attacker can’t modify the code in an unintended way.

Jointly developed by Intel and Microsoft, CET is designed to thwart a technique known as return-oriented programming (ROP), which hackers use to bypass anti-exploit measures software developers introduced about a decade ago. While Intel first published its implementation of CET in 2016, Tiger Lake CPU microarchitecture will be the first to include it.

ROP, COP, JOP attacks

IBT defends against attacks using jump/call-oriented programming (JOP and COP), while SS protects against return-oriented programming (ROP) attacks.

Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) are techniques used by adversaries to bypass software and operating systems’ built-in anti-malware protections, techniques widely used “in large classes of malware.”