Intel, in partnership with Microsoft, has published a technology preview, showing how innovation in silicon architecture can help protect against advanced code-reuse attack techniques. This is an example of how brilliant minds across the industry can think long-term, to make great strides in addressing cybersecurity problems through improvements in hardware. Key components, such as the Central Processing Unit (CPU), play a pivotal role in computer security. The architecture in that chip defines the playing field where attackers attempt to victimize their targets by outmaneuvering defenders. Software is agile and strives to keep pace in the game against shifting threats. Advances in the silicon design can significantly change the rules, potentially giving defenders a significant advantage.
Code reuse attacks have been a longtime problem, dating back almost 20 years. It is only recently they have gained in popularity to become a favorite tactic used by the most advanced hackers to compromise applications, operating systems, and devices. Previously, the preferred method of making a computer follow your malicious desires was to inject code directly into memory to be run. This tactic has become progressively more difficult due to the introduction of several security features over the years. So now, savvy aggressors have turned to rely on code-reuse attacks like Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) which allow for exploitation without code injection. According to Microsoft, almost all exploits discovered in recent years targeting their products have used ROP techniques.
The way it works is technically complex but not overly difficult to understand in concept. Programming code runs together, tightly in memory. It is like an unformatted novel where there is no punctuation or capitalization and all the words are pressed together to save space.
Attackers take advantage of this for their purposes. They analyze the available code, and use sections like a kidnapper might cut words from a newspaper to make a ransom note. They can make just about any story they like, by jumping from one part of the page to another.
Instead of attempting to bypass the multitude of security controls necessary to inject their own malicious instructions into memory, ROP/JOP harvests code snippets, called gadgets, from legitimate programs already in memory. It then stitches them together by jumping from one gadget to another, effectively bringing to life a new malware beast.
This tactic has several advantages. It is much stealthier than other techniques and, therefore more difficult to detect, it is more challenging to conduct forensics after-the-fact to understand what happened, and most importantly it can work on systems protected by security controls like Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and the No Execute (NX) bit technology, to achieve the attacker’s goal.
The Control-flow Enforcement Technology (CET) specification published by Intel sets a direction of intent to leverage the fixed hardware architectures of the Central Processing Unit (CPU) to establish controls to help prevent and interfere with code-reuse attacks. Through the use of a shadow stack, pointers, and other mechanisms, CET puts structures in place designed to protect against misuse of legitimate code. Baiju Patel, a Senior Principal Engineer for Intel, provides a technical overview in his blog.
CET is like adding punctuation in the unstructured novel to form coherent sentences. It gives the reader knowledge where to start, how to apply emphasis, and when a complete idea ends. Consider a pleasant family story where a roomful of hungry children are cheering “let’s eat, Grandma!” is far different than a darker interpretation of a roomful of hungry children cheering “let’s eat Grandma!”. One missing comma, a simple marker, changes the entire situation. In the same way, the subtle improvements of CET can have a significant impact on cybersecurity. If an attacker tries to jump somewhere in the code they shouldn’t, CET raises an alarm or blocks the attempt. Such a fundamental control, which must exist under the software layer within the hardware, can make a tremendous difference in stemming the success of code-reuse attacks.
The complete Control-flow Enforcement Technology Preview can be downloaded from Intel. Intel is open to industry input on the technical specification, but I don’t recommend mentioning the Grandma scenario.
Computer security is getting tougher. More devices, software, and usages are providing a greater landscape for attackers to flourish. Adversaries have too much maneuvering room to evade or bypass protective measures. What is needed, in addition to secure software, are changes to the very foundations of computing architectures to better support security and purposefully limit what attackers can easily accomplish. Hardware becomes an important factor.
The time is now to be aggressive in stemming the impacts of cyber threats across applications, operating systems, and devices. Collaboration across the industry is needed to develop long-lasting capabilities in order to make computing safer. Key partnerships, like the one between Intel and Microsoft, are working to find optimal security solutions which will be compatible with future operating systems, services, and applications.
Intel is driving innovation to change the computing playing field, empower stronger operating systems, assist security software, and give the advantage to the defenders. Intel’s best and brightest engineers are concentrating on making Intel Architecture (IA) features to make systems more secure. CET is but one example. The brilliant minds of Intel are renowned for making silicon do the impossible and the challenges of cybersecurity appear to be in their sights.
Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.
Notice revision #20110804