Intel has recently published a specification for a new technology meant to detect and block a whole class of exploits at the processor level. The technology, developed with the help of Microsoft, is called Control-flow Enforcement Technology (CET), and its main purpose is to stop exploits that rely on Return-Oriented Programming (ROP) or Jump-Oriented Programming (JOP). Attackers use these techniques to bypass the controls (DEP/NX) that prevent code from running out of non-executable memory such as the stack or heap. Instead of injecting code, the attack reuses pieces of legitimate, already executable code, chaining together short instruction sequences ("gadgets") that each end in a return or indirect jump, so that a stack or register filled with attacker-controlled data dictates what the processor executes next. CET counters this with a hardware shadow stack, which catches a return whose saved address has been tampered with, and indirect branch tracking, which restricts where indirect jumps and calls may land.
ROP-based attacks are a serious threat, with Intel and Microsoft acknowledging that ROP is a major hole in their security architecture, stating “Many software-based detection and prevention techniques have been developed and deployed with limited success”. ROP attacks are routinely used to get around the mitigations that took years to deploy (DEP, SMEP and, once an information leak has defeated it, ASLR), and the new CET technology is designed to put a stop to this.
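As an added illustration (not taken from Intel's specification or from this post), the following C program models the shadow-stack idea behind CET: every CALL records the return address twice, once on the ordinary stack and once in protected memory, and every RET compares the two. The addresses, the "corruption" step and the stack layout are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the CET shadow stack. Addresses are constructed values for the
 * example, not real code locations. */
#define STACK_SLOTS 64

typedef enum { RET_OK = 0, RET_CP_FAULT = 1, RET_UNDERFLOW = 2 } ret_status_t;

typedef struct {
    uint64_t data[STACK_SLOTS];   /* ordinary stack: anything with a write primitive can reach it */
    uint64_t shadow[STACK_SLOTS]; /* shadow stack: only CALL/RET (and privileged code) may write it */
    int sp, ssp;                  /* depth of each stack */
} cpu_t;

static void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); }

/* CALL pushes the return address on both stacks. */
static int cpu_call(cpu_t *c, uint64_t return_addr)
{
    if (c->sp >= STACK_SLOTS || c->ssp >= STACK_SLOTS) return -1;
    c->data[c->sp++] = return_addr;
    c->shadow[c->ssp++] = return_addr;
    return 0;
}

/* Simulated stack-based memory corruption: a saved return address on the
 * ordinary stack is overwritten. The shadow stack lives in memory that ordinary
 * stores cannot write, so it is unaffected. */
static int corrupt_saved_return(cpu_t *c, int slot, uint64_t value)
{
    if (slot < 0 || slot >= c->sp) return -1;
    c->data[slot] = value;
    return 0;
}

/* RET pops both stacks and compares. A mismatch raises a control-protection
 * fault (#CP) on real CET hardware; here it is reported as RET_CP_FAULT.
 * On success *target (if non-NULL) receives the address control transfers to. */
static ret_status_t cpu_ret(cpu_t *c, uint64_t *target)
{
    if (c->sp == 0 || c->ssp == 0) return RET_UNDERFLOW;
    uint64_t from_data = c->data[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_data != from_shadow) return RET_CP_FAULT;
    if (target) *target = from_data;
    return RET_OK;
}

/* Benign call/return pair. */
ret_status_t scenario_benign(void)
{
    cpu_t c; cpu_init(&c);
    cpu_call(&c, 0x401040);
    return cpu_ret(&c, NULL);
}

/* Classic ROP entry: the saved return address is replaced with the address of
 * a gadget, and the function's RET would pivot into the attacker's chain. */
ret_status_t scenario_rop(void)
{
    cpu_t c; cpu_init(&c);
    cpu_call(&c, 0x401040);                       /* legitimate return site */
    corrupt_saved_return(&c, 0, 0x7ffff7a0c0d3);  /* constructed gadget address */
    return cpu_ret(&c, NULL);
}

int main(void)
{
    printf("benign call/ret : %s\n", scenario_benign() == RET_OK ? "allowed" : "fault");
    printf("ROP overwrite   : %s\n", scenario_rop() == RET_CP_FAULT ? "#CP fault (blocked)" : "allowed");
    return 0;
}
```

The point of the model is that the attacker's write primitive reaches the ordinary stack but not the shadow copy, so the very first RET of a ROP chain faults instead of transferring control to the gadget. Indirect branch tracking, the other half of CET, is not modelled here.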
We believe this additional focus on addressing ROP exploits at the hardware level will ultimately improve security. Preventing the use of ROP is a key step in delivering evasion-resistant exploit detection. Unfortunately for those relying on CET to finally put an end to ROP-based attacks, it will undoubtedly be years before it is widely deployed. The specification is currently a public preview open for feedback. It would then have to be integrated into a future chip architecture; operating systems, compilers, and frameworks (such as .NET) would need updates to support it; and application developers would then have to rebuild and release their code to take advantage of CET. Finally, organizations wanting the full benefit of this built-in protection would need to migrate all of their hardware to the new CPU generation. Older hardware would remain exposed.
The good news – you can already be protected against these threats!
Check Point’s CPU-level exploit detection technology and Intel’s CET share many of the same core ideas. While hardware-based capabilities to prevent the use of ROP are a welcome addition, our CPU-level exploit detection has been blocking ROP-based attacks for nearly a year, using functionality already available in current Intel processors (Haswell and later). Naturally, we concur with Intel and Microsoft about the severity of this threat, and we protect users against it today by leveraging the execution-flow tracing capabilities introduced with the Haswell microarchitecture.
SandBlast CPU-level protection uses Intel’s hardware debugging and profiling features (which were not originally designed for security), extracts the raw branch data they produce, and applies a sophisticated software logic layer inside a customized hypervisor. This allows it to detect a ROP exploit while the content is being emulated, and therefore to block the malicious content before it is delivered to the end user.
By implementing this technology as a sandbox solution, Check Point has been able to detect and block ROP attacks with our CPU-level engine without waiting for new hardware to be deployed across the enterprise. Certainly CET’s aim is broader: it is intended to cover both endpoints and virtualized workloads, where legacy support, a full hardware implementation, and real-time performance are critical. If, like us, you believe in the concept of CET, there is no need to wait: you can begin stopping ROP attacks now.
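To make the "software logic layer" concrete, here is an added example in C (not Check Point's code) of the kind of check a branch-trace-based detector applies. It assumes the detector has the from/to addresses of recent RET instructions, as a branch-record facility reports them, and a copy of the code being emulated. A legitimate RET lands on the instruction right after a CALL, while a ROP chain returns into the middle of functions, so the check looks at the bytes before each return target and flags a run of returns that no CALL precedes. The code image, the trace and the chain-length threshold are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 code image at CODE_BASE. Comments give the intended
 * instruction at each offset; the bytes are hand-assembled for the example. */
#define CODE_BASE 0x1000ULL
static const uint8_t code[] = {
    0x55,                                     /* 0x1000: push rbp                         */
    0x48, 0x89, 0xe5,                         /* 0x1001: mov  rbp, rsp                    */
    0xe8, 0x17, 0x00, 0x00, 0x00,             /* 0x1004: call 0x1020                      */
    0x48, 0x89, 0xc3,                         /* 0x1009: mov  rbx, rax  (return site)     */
    0xff, 0xd2,                               /* 0x100c: call rdx                         */
    0x5d,                                     /* 0x100e: pop  rbp       (return site)     */
    0xc3,                                     /* 0x100f: ret                              */
    0x5f,                                     /* 0x1010: pop  rdi  <- gadget, no CALL before it */
    0xc3,                                     /* 0x1011: ret                              */
    0x48, 0x31, 0xc0,                         /* 0x1012: xor  rax, rax  <- gadget         */
    0xc3,                                     /* 0x1015: ret                              */
    0x90, 0x90, 0x90, 0x90, 0x90,             /* 0x1016: padding                          */
    0x90, 0x90, 0x90, 0x90, 0x90,
    0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, /* 0x1020: mov  rax, 1                      */
    0xc3,                                     /* 0x1027: ret                              */
};

/* One RET taken by the CPU, as a from/to pair of the kind a branch-record
 * facility reports (constructed for the example). */
typedef struct { uint64_t from, to; } ret_record_t;

/* Does a CALL instruction end right before `to`? Three common encodings are
 * recognised; a production detector decodes the instruction stream properly. */
int is_call_preceded(uint64_t to)
{
    if (to < CODE_BASE || to - CODE_BASE >= sizeof code) return 0; /* unknown code: treat as suspicious */
    size_t off = (size_t)(to - CODE_BASE);
    if (off >= 5 && code[off - 5] == 0xE8) return 1;                                    /* call rel32        */
    if (off >= 2 && code[off - 2] == 0xFF && (code[off - 1] & 0xF8) == 0xD0) return 1;  /* call r64 (FF D0-D7) */
    if (off >= 6 && code[off - 6] == 0xFF && code[off - 5] == 0x15) return 1;           /* call [rip+disp32] */
    return 0;
}

/* Longest run of consecutive returns that do not land after a CALL. Requiring
 * a run, rather than alerting on a single return, avoids false positives from
 * legitimate non-call-preceded returns (setjmp/longjmp, exception unwinding). */
size_t longest_gadget_chain(const ret_record_t *trace, size_t n)
{
    size_t run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_call_preceded(trace[i].to)) { run = 0; continue; }
        if (++run > best) best = run;
    }
    return best;
}

#define CHAIN_THRESHOLD 2   /* assumed threshold for the example */

int rop_detected(const ret_record_t *trace, size_t n)
{
    return longest_gadget_chain(trace, n) >= CHAIN_THRESHOLD;
}

/* Constructed trace: a benign return, two returns into gadgets, then a benign
 * return to the site after "call rdx". */
static const ret_record_t sample_trace[] = {
    { 0x1027, 0x1009 },
    { 0x100f, 0x1010 },
    { 0x1011, 0x1012 },
    { 0x1015, 0x100e },
};
#define SAMPLE_N (sizeof sample_trace / sizeof sample_trace[0])

size_t sample_chain_length(void) { return longest_gadget_chain(sample_trace, SAMPLE_N); }
int    sample_rop_detected(void) { return rop_detected(sample_trace, SAMPLE_N); }

int main(void)
{
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("ret %#llx -> %#llx : %s\n",
               (unsigned long long)sample_trace[i].from, (unsigned long long)sample_trace[i].to,
               is_call_preceded(sample_trace[i].to) ? "call-preceded" : "NOT call-preceded");
    printf("longest gadget chain = %zu, ROP %s\n", sample_chain_length(),
           sample_rop_detected() ? "detected" : "not detected");
    return 0;
}
```

The interesting design decision is the threshold: flagging every non-call-preceded return would be noisy, so the logic looks for a chain of them, which is exactly what a ROP payload produces and legitimate control flow almost never does. Real detectors of this type add further heuristics (for example, how many instructions execute between consecutive indirect branches) and must also cope with returns into code the detector has no image of.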