Intel CET promises to be a shield against all vulnerabilities

Last week was especially critical for Intel, with several new vulnerabilities discovered. Since 2018, hardware-level vulnerabilities in Intel processors have been a constant trickle, and the security patches that mitigate them cost processor performance. To end all this, Intel has developed Intel Control-Flow Enforcement Technology (Intel CET).

Until now, Intel had been improvising different fixes for the vulnerabilities as they appeared. While all this talk of vulnerabilities seems negative, it is exactly the opposite. It should be noted that until now vulnerabilities were not sought at the hardware level, only at the software level. All of these discoveries help improve everyone's security.

Intel CET, the solution to all vulnerabilities

Although it is still early to say that Intel CET fixes or mitigates all vulnerabilities, that appears to be the case. It remains to be seen whether this solution combats all existing vulnerabilities effectively. In addition, it would be a fix that eliminates or significantly reduces the performance losses caused by mitigations.

This Intel CET solution is integrated at the architectural level or, in other words, at the silicon level. Theoretically, this tool corrects vulnerabilities without affecting performance, although the latter remains to be seen. The first architecture to benefit from this security improvement is Intel Tiger Lake, for portable devices.

Full press release

For Intel, the security of our customers' data is our highest priority. As part of Intel's Security First Pledge, our engineers continue to make strides to safeguard our technology from the rise of cyberattacks. This work begins with the design and implementation of security features in our own products, and continues with our efforts to drive security innovation within the industry.

That's why today we're introducing a new security feature - Intel Control-Flow Enforcement Technology (Intel CET), which will be available for the first time in Intel's upcoming mobile processor, codenamed Tiger Lake. Intel CET offers CPU-level security capabilities to help protect against common malware attack methods, which have been difficult to mitigate through software alone.

Intel CET is designed to prevent the misuse of legitimate code through control flow attacks (techniques widely used in many types of malware). In this sense, it offers software developers two key functionalities to defend against this type of attack: indirect branch tracking and shadow stack. Indirect branch tracking provides indirect branch protection to protect against jump-oriented programming (JOP) and call-oriented programming (COP) attacks. For its part, the shadow stack provides rollback protection to help defend against return-oriented programming (ROP) attacks.

According to Trend Micro's Zero Day Initiative (ZDI), 63.2% of the 1,097 vulnerabilities disclosed by the ZDI from 2019 to today are related to memory security. These types of malware attack operating systems, browsers, readers, and many other applications. For this reason, deep integration of the hardware into the base is necessary to have effective security features with minimal impact on performance.

At Intel, we were the first to address these complex security challenges and remain committed to working with industry to drive security innovation. We realize that truly solving the problem through expanding the operating system and adopting applications requires collaboration from the entire industry. In fact, to accelerate this adaptation, in 2016 we published the Intel CET specifications. Additionally, Intel and Microsoft have been working closely on the preparation of Windows 10 and development tools so that both applications, and the industry in general, can offer greater protection against control flow threats.

Microsoft's upcoming support for Intel CET in Windows 10 is called Hardware-enforced Stack Protection, and a preview of it is currently available in Windows 10 Insider Previews. This new system only works on chipsets with Intel CET instructions, as it is based on a new CPU architecture that meets Intel CET specifications. For applications running on an Intel CET compliant operating system, users will be able to get detailed guidance from our partners on how applications accept this system for protection.

The great value of Intel CET is that it is embedded in the microarchitecture and available across the entire range of products with that core. While Intel vPro platforms with Intel Hardware Shield already meet and exceed the security requirements of PCs with a secure core, Intel CET further enhances advanced threat protection capabilities. It is also expected to be available on future desktop and server platforms.

As our work shows, hardware is the foundation of any security solution. Hardware-based security solutions offer the greatest opportunity to provide a guarantee of security against current and future threats. In this way, Intel hardware, and the assurance and security innovation it offers, help to harden the layers of the stack that depend on it.

The safety of our products is not something specific, but a constant priority. Together with our partners and our customers, we continue to build a more solid and trustworthy foundation for all IT systems.
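A simplified software model of the two checks the press release describes, the shadow stack and indirect branch tracking, added here as an illustration; it is not Intel's code and not part of the original article. The struct, function names, addresses and sample bytes are constructed for the example; the ENDBR64 encoding and the control-protection fault (#CP) come from Intel's published CET specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified software model of the two CET checks (not Intel's implementation). */
#define DEPTH 16
enum { CET_OK = 0, CET_FAULT = 1 };   /* CET_FAULT stands in for a #CP exception */

struct cpu {
    uint64_t data_stack[DEPTH];    /* ordinary stack: writable by buggy code */
    uint64_t shadow_stack[DEPTH];  /* in this model, written only by call/ret */
    size_t sp, ssp;
};

/* CALL: the return address is pushed to both stacks. */
int model_call(struct cpu *c, uint64_t ret_addr) {
    if (c->sp >= DEPTH || c->ssp >= DEPTH) return CET_FAULT;
    c->data_stack[c->sp++] = ret_addr;
    c->shadow_stack[c->ssp++] = ret_addr;
    return CET_OK;
}

/* RET: both copies are popped; a mismatch faults instead of returning. */
int model_ret(struct cpu *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return CET_FAULT;
    uint64_t from_data = c->data_stack[--c->sp];
    if (from_data != c->shadow_stack[--c->ssp]) return CET_FAULT;
    *target = from_data;
    return CET_OK;
}

/* IBT: an indirect call/jump must land on an ENDBR64 marker (F3 0F 1E FA). */
int model_indirect_branch(const uint8_t *code, size_t len, size_t target) {
    static const uint8_t endbr64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
    if (target > len || len - target < sizeof endbr64) return CET_FAULT;
    for (size_t i = 0; i < sizeof endbr64; i++)
        if (code[target + i] != endbr64[i]) return CET_FAULT;
    return CET_OK;
}
/* Constructed bytes: ENDBR64 at offset 0, then push rbp; mov rbp,rsp; pop rbp; ret. */
const uint8_t SAMPLE_CODE[] = {0xF3,0x0F,0x1E,0xFA, 0x55, 0x48,0x89,0xE5, 0x5D, 0xC3};
int main(void) {
    struct cpu c = {0};
    uint64_t target = 0;
    model_call(&c, 0x401000);           /* constructed return address */
    c.data_stack[c.sp - 1] = 0x402abc;  /* models corruption of the saved address */
    printf("ret after overwrite: %s\n", model_ret(&c, &target) ? "fault" : "ok");
    printf("branch to +0: %s\n", model_indirect_branch(SAMPLE_CODE, sizeof SAMPLE_CODE, 0) ? "fault" : "ok");
    printf("branch to +4: %s\n", model_indirect_branch(SAMPLE_CODE, sizeof SAMPLE_CODE, 4) ? "fault" : "ok");
    return 0;
}
```

On real hardware the shadow stack lives in specially protected pages and the checks are performed by the CPU itself; the model only shows the comparison logic.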

Robert Sole

Director of Contents and Writing of this same website, technician in renewable energy generation systems and low voltage electrical technician. I work in front of a PC, in my free time I am in front of a PC and when I leave the house I am glued to the screen of my smartphone. Every morning when I wake up I walk across the Stargate to make some coffee and start watching YouTube videos. I once saw a dragon ... or was it a Dragonite?
