In the InfoSec community a lot of effort is given to the analysis and reporting of malware, be they new, old, or updated. What does not receive a lot of attention is the measures developed by hardware and software manufacturers to prevent cyberattacks. There are a variety of reasons for this, one being that they might not generate as much interest and drive traffic to media outlet’s news websites. Another may be that we view new malware and the devastation it can cause as not as sexy as measures to prevent a potential disaster. While preventative technologies may lack the headlines including millions of dollars stolen or infections into the hundreds of thousands, they will have a longer-lasting effect.
At the start of 2018, Intel made the headlines for those reasons mentioned above. The Spectre and Meltdown vulnerabilities were compared to the infamous HeartBleed bug, however through a concerted effort by Intel and the CPU manufacturer’s partners the predicted devastation was avoided. Now the tech giant makes the headlines for the reasons it would like to with the introduction of its experimental CET security features. These features are to be implemented on the new series of Tiger Lake mobile CPUs set to hit the market soon.
The implementation of the CET Specification, CET standing for Control-Flow Enforcement Technology, follows several years of development intended to prevent common malware attacks from impacting Intel users. Typically, these common malware attacks have been difficult to mitigate with software alone so according to Intel’s Security First Pledge and statistics showing that 63% of the disclosed vulnerabilities for 2018 were memory based a response was required from the CPU manufacturer.
In the recently published announcement of the forthcoming implementation of CET the company described the new security measures as,
“Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks – widely used techniques in large classes of malware. Intel CET offers software developers two key capabilities to help defend against control-flow hijacking malware: indirect branch tracking and shadow stack. Indirect branch tracking delivers indirect branch protection to defend against jump/call-oriented programming (JOP/COP) attack methods. Shadow stack delivers return address protection to help defend against return-oriented programming (ROP) attack methods. These types of attack methods are part of a class of malware referred to as memory safety issues, and include tactics such as the corruption of stack buffer overflow and use-after-free.”
Control Flow Attacks and the Shadowstack
Along with the announcement made by Intel, a technical explanation of the new security measures was published providing more information about the technology. At its most basic, the technology manages how the order in which operations are executed inside the CPU. This is done with the sole purpose of preventing malware attacks that rely on exploiting the control-flow of the CPU. Known as control-flow attacks the attacker looks to modify or inject processes into the operations of the CPU allowing for the attacker to execute arbitrary code. As this is done in the device’s memory are incredibly hard to detect by security applications and are favored by malware authors looking to remain undetected on the victim’s device for extended periods.
To prevent this from happening Intel has incorporated two measures in the soon to be released chipsets, those measures being the Shadow Stack and Indirect Branch Tracking. The Shadow Stack works by creating a shadow copy of the app’s intended control flow. This shadow copy is then stored in a secure part of the CPU’s memory and then compared to the actual control flow. This is intended to protect users from Return Oriented Programming (ROP) attacks where the return (RET) instruction is used to add malicious code to the control flow. If a difference exists between the shadow copy and the actual control flow the security measure will block the return instruction from executing, preventing the addition of malicious code.
The second measure, Indirect Branch Tracking, adds another layer of security by restricting an application’s ability to use jump tables. These tables can include pointers stored in memory that when accessed will “jump” to that destination address, these pointers can be reused multiple times to achieve a specific outcome. Malware authors exploit these tables in the wild to redirect victims to malicious websites under their control via a compromised app. In the wild, these exploit the CALL instruction which can hijack the applications jump table. Intel says indirect branch tracking protects against two techniques called Jump Oriented Programming (JOP) and Call Oriented Programming (COP), where malware abuses the JMP (jump) or CALL instructions to hijack a legitimate app's jump tables.
While the initial release of new security measures coincides with the release of Intel's line of mobile CPUs that use the Tiger Lake microarchitecture, these new measures will be adopted by Intel’s desktop and server CPUs in the future. Further, as the initiative that began with the CET specification document in 2016 software developers have been given the opportunity to ensure that future and current applications will have their code adjusted to support the security measures. Windows has added CET support in what it calls Hardware-enforced Stack Protection.
While not available yet to the public, Hardware-enforced Stack Protection has been included in Windows 10 Insider preview builds and looks to provide comprehensive software integration with the hardware measures developed by Intel. The Redmond tech giant looks to further enhance CET by developing security measures designed to prevent arbitrary code execution and memory safety vulnerabilities which include buffer overruns, dangling pointers, and uninitialized variables. These techniques are explained by Microsoft as,
“A canonical example of a stack buffer overrun is copying data from one buffer to another without bound checking (i.e. strcpy). If an attacker replaces the data and size from the source buffer, the destination buffer and other important components of the stack can be corrupted (i.e. return addresses) to point to attacker desired code. Dangling pointers occur when memory referenced by a pointer is de-allocated but a pointer to that memory still exists. In use-after-free exploits, the attacker can read/write through the dangling pointer that now points to memory the programmer did not intend to. Uninitialized variables exist in some languages where variables can be declared without value, memory in this case is initialized with junk data. If an attacker can read or write to these contents, this will also lead to unintended program behavior.”
Further, when looking to integrate with SET, Microsoft adopted a strategy that relies on four pillars to prevent arbitrary code execution. Microsoft describes these four pillars as,
“Code Integrity Guard (CIG) prevents arbitrary code generation by enforcing signature requirements for loading binaries. Arbitrary Code Guard (ACG) ensures signed pages are immutable and dynamic code cannot be generated, thus guaranteeing the integrity of binaries loaded. With the introduction of CIG/ACG, attackers increasingly resort to control flow hijacking via indirect calls and returns, known as call/jump oriented programming (COP/JOP) and return-oriented programming (ROP). We shipped Control Flow Guard (CFG) in Windows 10 to enforce integrity on indirect calls (forward-edge CFI). Hardware-enforced Stack Protection will enforce integrity on return addresses on the stack (backward-edge CFI), via Shadow Stacks.”
It is hoped that when the new CPU begins to reach customers the new integration measures put in place will effectively shut down control-flow attacks occurring on the new devices. The problem will be an issue for those still on the older CPUs so the problem will not disappear. Given the expense procuring new devices for employees is to organizations adoption of the new security measures will be slow. This will imply that organizations and the public at large will have to rely on already existing mitigation strategies such as insuring software and hardware are kept up to date so that hackers cannot exploit known vulnerabilities that reside in memory.
Other mitigation tactics have been put forward by academics and researchers but simply reading the recommendations requires vast technical knowledge of the issue, which for the most part has been explored by academics and researchers with said knowledge. Until such measures see widespread adoption, which maybe years to come, it is still advised that people follow best practices regarding cybersecurity. It is important to remember that these measures are not a silver bullet which will render all cybercrime a thing of the past. Rather, it is a response to solve a specific problem, namely malware capable of executing arbitrary code within a CPU’s memory.