Intel has announced that its 10nm Tiger Lake CPUs will be boast a new hardware-based security feature to protect against Spectre-like malware attacks.
The laptop processors will be the first to come with would be the new Intel Control-Flow Enforcement Technology (CET), which Intel claims offers protection against the misuse of legitimate code through control-flow hijacking attacks, a type of malware that has been notoriously difficult to mitigate through software.
Jointly developed by Intel and Microsoft, the technology provides two new key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT).
Shadow Stack refers to a copy of a program’s intended execution flow which is used to ensure no unauthorized changes take place in an app’s intended execution order to defend against ROP attack methods. IBT, on the other hand, delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods.
“Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks–widely used techniques in large classes of malware,” Intel VP & GM of Client Security Strategy and Initiatives Tom Garrison said.
Intel’s CET will be available in mobile CPUs that use the Tiger Lake microarchitecture, and the technology will also be available in the firm’s future desktop and server platforms.
No future Meltdowns
As has been well documented, Intel has had a rough few years when it comes to CPU security. Most notably, it was discovered in 2018 that all Intel CPUs produced in the last 20 years were vulnerable to the “catastrophic” Spectre and Meltdown vulnerabilities.
These hardware flaws enabled normal user programs, such as database applications and JavaScript in web browsers, to identify some of the layout or contents of protected kernel memory areas of the vulnerable chips.
More recently, a flaw called ‘Spoiler’ was discovered that, like Spectre, enabled an attacker to exploit the way the PC’s memory works to glimpse data from running programs and other critical data which should otherwise not be accessible.
