• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Intel CET Answers Call to Protect Against Common Malware Threats

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,242 (7.55/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
The security of our customers' data is a top priority at Intel. As part of Intel's Security First Pledge, our engineers continue to deliver advancements to help safeguard our technology from evolving cyber-threats. It begins with designing and engineering security features into our products and continues in our work with the industry to move security innovation forward.

Today, we are announcing a new security capability. Intel Control-Flow Enforcement Technology (Intel CET) will be first available on Intel's upcoming mobile processor code-named "Tiger Lake." Intel CET delivers CPU-level security capabilities to help protect against common malware attack methods that have been a challenge to mitigate with software alone.



Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks - widely used techniques in large classes of malware. Intel CET offers software developers two key capabilities to help defend against control-flow hijacking malware: indirect branch tracking and shadow stack. Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods. Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods. These types of attack methods are part of a class of malware referred to as memory safety issues and include tactics such as the corruption of stack buffer overflow and use-after-free.

According to TrendMicro's Zero Day Initiative (ZDI), 63.2% of the 1,097 vulnerabilities disclosed by ZDI from 2019 to today were memory safety related. These malware types target operating systems (OS), browsers, readers and many other applications. It takes deep hardware integration at the foundation to deliver effective security features with minimal performance impact.

Intel was the first to tackle these complex security challenges, and we remain committed to working with the industry to drive security innovation. We recognized that scaling OS and application adoption to truly solve the problem would require industrywide collaboration. To accelerate adoption, we published the Intel CET specifications in 2016. Additionally, Intel and Microsoft have been working closely to prepare Windows 10 and developer tools so applications and the industry at large can offer better protection against control-flow hijacking threats.

Microsoft's upcoming support for Intel CET in Windows 10 is called Hardware-enforced Stack Protection, and a preview of it is available today in Windows 10 Insider Previews. This new Hardware-enforced Stack Protection feature only works on chipsets with Intel CET instructions. It relies on a new CPU architecture that is compliant with Intel CET specifications. For applications running on an OS that supports Intel CET, users can expect detailed guidance from our partners on how applications "opt-in" for protection.

The significance of Intel CET is that it is built into the microarchitecture and available across the family of products with that core. While Intel vPro platforms with Intel Hardware Shield already meet and exceed the security requirements for Secured-core PCs, Intel CET further extends advanced threat protection capabilities. Intel CET is also expected to be available in future desktop and server platforms.

As our work here shows, hardware is the bedrock of any security solution. Security solutions rooted in hardware provide the greatest opportunity to provide security assurance against current and future threats. Intel hardware, and the added assurance and security innovation it brings, help to harden the layers of the stack that depend on it.

The security of our products is an ongoing priority, not a one-time event. Together with our partners and customers, we continue to build a more trusted foundation for all computing systems.

The following is an opinion editorial by Tom Garrison of Intel Corporation. Tom Garrison is vice president of the Client Computing Group and general manager of Security Strategies and Initiatives (SSI).

View at TechPowerUp Main Site
 
Joined
Oct 22, 2014
Messages
14,099 (3.82/day)
Location
Sunshine Coast
System Name H7 Flow 2024
Processor AMD 5800X3D
Motherboard Asus X570 Tough Gaming
Cooling Custom liquid
Memory 32 GB DDR4
Video Card(s) Intel ARC A750
Storage Crucial P5 Plus 2TB.
Display(s) AOC 24" Freesync 1m.s. 75Hz
Mouse Lenovo
Keyboard Eweadn Mechanical
Software W11 Pro 64 bit
It appears Intel's "security first" is an after thought. ;)
The horse has bolted guys.
 
Joined
Oct 9, 2013
Messages
27 (0.01/day)
Location
Earth
System Name PredatorX
Processor Intel Core i9-10900X Skylake-X 10-Core 3.7 GHz OC 4.5GHZ
Motherboard EVGA X299 DARK 151-SX-E299-KR
Cooling Corsair Hydro Series H80i V2
Memory CORSAIR Dominator Platinum SE Torque 32GB (4 x 8GB) CMD32GX4M4C3200C14T
Video Card(s) SAPPHIRE Radeon RX Vega 64 DirectX 12 100410NT+SR
Storage SAMSUNG 970 PRO M.2 1TB NVMe PCI-Express 3.0 x4 MZ-V7P512BW
Display(s) Acer XR382CQK IPS 3840x1600 @ 75HZ
Case THERMALTAKE ARMOUR VA8003SWA ATX
Audio Device(s) CREATIVE AE-9 7.1
Power Supply CORSAIR AX1200i
Mouse Logitech G502 HERO
Keyboard LOGITECH G19S
Software Window 10 64 Pro
intel has hardware base Security Protection built in where AMD got None...............

It appears Intel's "security first" is an after thought. ;)
The horse has bolted guys.
Hugh............
 

SL2

Joined
Jan 27, 2006
Messages
2,449 (0.36/day)
Is there an equivalent initiative to protect us from 14^+ nm products, or Skylake?


[/s]
 
Joined
Mar 28, 2020
Messages
1,755 (1.03/day)
I think Intel need to protect against uncommon threats first before looking into the common threats. Don't get me wrong, it is a good initiative, but with them hitting headlines with new security threat every other month, it is a clear they need to focus on security. After all, they have the biggest market share and thus, all the more reasons for hackers and such too focus on digging out more vulnerabilities with their aged chips.
 
Joined
Aug 22, 2016
Messages
167 (0.06/day)
And AMD doesnt support arbitrary addresses at all. Nice thing to create an ad solving a problem that you created to yourself.
 
Joined
Nov 4, 2005
Messages
11,984 (1.72/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs, 24TB Enterprise drives
Display(s) 55" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
intel has hardware base Security Protection built in where AMD got None...............


Hugh............


Ummm, Intel has more built in hardware security issues than AMD and Ryzen has a lot of security built in. Intel is just touting this since they screwed up so much and need some PR to spin.
 
Joined
Dec 14, 2011
Messages
115 (0.02/day)
They (AMD as well) should open source all their firmware that sits on CPU - including ME/PSP. Security should be in service of the user to safeguard his safety/privacy. At the moment we have neither. Also why AMD (yes AMD does this too and this is appaling) and Intel think only business class cpu deserve security features? It's false market segmentation - security should be a standard feature.
 
Joined
Jul 19, 2017
Messages
75 (0.03/day)
We've found that the best security protection against vulnerabilities, that is to avoid intel - for now. Ok, they struggle - at least they say they do - to secure their new models, but leaving older models completely without mitigations! Quite often is a new UEFI/BIOS needed, but motherboard makers stops producing updates much sooner than EOL:(
 
Top