Intel has come up with a chip-level plan to defeat attacks that use return-oriented programming to exploit memory vulnerabilities.
The new measures are outlined in a preview specification from Intel describing Control-flow Enforcement Technology (CET) and how it will overcome exploits that use ROP and jump-oriented programming (JOP).
CET aims to fill a gap in defensive capabilities against these two attack types, offering protections for applications and operating system kernels.
Attackers can use ROP and JOP to execute malicious code to bypass operating-system security measures, such as non-executable memory and code signing.
ROP attacks have, for example, been able to bypass current memory-exploit mitigations, such as data-execution prevention (DEP) and address-space layout randomisation (ASLR), to install malware.
"ROP or JOP attacks are particularly hard to detect or prevent because the attacker uses existing code running from executable memory in a creative way to change program behavior," explained Baiju Patel, director of the platform security architecture and strategy team in Intel's Software and Services group (SSG).
"What makes it hard to detect or prevent ROP/JOP is the fact that the attacker uses existing code running from executable memory. Many software-based detection and prevention techniques have been developed and deployed with limited success," Patel added.
To address ROP attacks, CET introduces shadow stacks, which are used exclusively for control transfer operations. These shadow stacks are isolated from the data stack and protected from tampering.
CET monitors CALL and RET instructions and compares the return address stored on the data stack with the copy kept on the shadow stack. If the two addresses don't match, an exception is raised.
Intel explains in the document: "When shadow stacks are enabled, the CALL instruction pushes the return address on both the data and shadow stack. The RET instruction pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor signals a control protection exception (#CP)."
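To make the CALL/RET pairing described above concrete, here is a small software model of a shadow stack, added for illustration; it is not Intel's design or any code from the specification. The CPU class, instruction names and addresses are constructed for the example: CALL records the return address on both stacks, RET pops both and compares them, and a mismatch raises a stand-in for the #CP exception. A second run with the shadow stack disabled shows the same corrupted return address being followed silently, which is the legacy-platform behaviour the article mentions later.

```python
"""Toy model of a CET-style shadow stack (constructed example, not Intel's implementation)."""


class ControlProtectionFault(Exception):
    """Stands in for the processor's control protection exception (#CP)."""


class ShadowStackCPU:
    def __init__(self, shadow_enabled=True):
        self.data_stack = []      # ordinary stack: return addresses live next to locals/buffers
        self.shadow_stack = []    # holds return addresses only; program code cannot write to it
        self.shadow_enabled = shadow_enabled
        self.pc = 0               # program counter (hypothetical addresses below)

    def call(self, target, return_address):
        # CALL pushes the return address on the data stack and, when shadow stacks
        # are enabled, on the shadow stack as well; control then moves to target.
        self.data_stack.append(return_address)
        if self.shadow_enabled:
            self.shadow_stack.append(return_address)
        self.pc = target

    def ret(self):
        # RET pops the return address from both stacks and compares them.
        data_ret = self.data_stack.pop()
        if self.shadow_enabled:
            shadow_ret = self.shadow_stack.pop()
            if data_ret != shadow_ret:
                raise ControlProtectionFault(
                    f"#CP: data-stack return 0x{data_ret:x} != shadow-stack 0x{shadow_ret:x}"
                )
        self.pc = data_ret
        return data_ret

    def overwrite_saved_return(self, value):
        # Models memory corruption that reaches the saved return address on the
        # data stack. Only the data stack is reachable; the shadow stack is not.
        self.data_stack[-1] = value


def run_benign():
    """Nested CALL/RET with intact stacks: control returns to the original caller."""
    cpu = ShadowStackCPU()
    cpu.call(target=0x1000, return_address=0x400)    # constructed addresses
    cpu.call(target=0x2000, return_address=0x1010)
    cpu.ret()
    cpu.ret()
    return cpu.pc


def run_corrupted(shadow_enabled):
    """Saved return address is overwritten before RET executes."""
    cpu = ShadowStackCPU(shadow_enabled)
    cpu.call(target=0x1000, return_address=0x400)
    cpu.overwrite_saved_return(0xBAD0)               # constructed attacker-controlled value
    try:
        cpu.ret()
    except ControlProtectionFault:
        return "CP_FAULT"
    return cpu.pc


if __name__ == "__main__":
    print(hex(run_benign()))                 # 0x400
    print(run_corrupted(shadow_enabled=True))   # CP_FAULT: mismatch detected
    print(hex(run_corrupted(shadow_enabled=False)))  # 0xbad0: silently followed
```

The point of the model is the asymmetry: the program (and therefore any memory-corruption bug in it) can only reach the data stack, so a forged return address always disagrees with the shadow copy and is caught at RET. A shadow stack does nothing to stop the original overwrite; it prevents the overwritten value from being used as a control transfer.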
According to Patel, the CET spec is the culmination of techniques that Intel and Microsoft have jointly developed over the past seven years aimed at finding a comprehensive defence against ROP/JOP attacks.
"We also wanted to make sure that the solution is applicable to not just applications, but also to operating system kernels, and is beneficial to software written using most programming languages. We also wanted to ensure that software enabled for CET works on legacy platforms without changes, albeit with no security benefits. Finally, and most importantly, we wanted to address all known ROP/JOP attacks," wrote Patel.