Intel looks at stopping hackers and malware at the processor level
June 14, 2016
Shah Sheikh (1294 articles)

Intel looks at stopping hackers and malware at the processor level

Intel is looking at introducing security features at the chip level in order to prevent hackers from using return-oriented programming to take advantage of memory vulnerabilities.

The chip firm has worked with Microsoft on Control-flow Enforcement Technology (CET) which should stymie attempts by criminals to use techniques such as return-oriented programming (ROP) and jump-oriented programming (JOP).

ROP attacks can can exploit memory flaws to install malware, despite mitigations such as data-execution prevention (DEP), and address-space layout randomisation (ASLR).

“ROP or JOP attacks are particularly hard to detect or prevent because the attacker uses existing code running from executable memory in a creative way to change program behaviour,” said Baidu Patel, director of the platform security architecture and strategy team in Intel’s Software and Services group (SSG), in a blog post.

“What makes it hard to detect or prevent ROP/JOP is the fact that attacker uses existing code running from executable memory. Many software-based detection and prevention techniques have been developed and deployed with limited success.”

CET works by using what is known as a shadow stack. This is a second stack which stores control transfer operations. With CET, return addresses get copied to the normal stack and shadow stack. The shadow stack is isolated and tamper-proof.

CET compares return addresses with those stored in the shadow stack. If the two don’t match up, a red flag is raised.

Patel said that the specification is the result of many years of research carried out by Intel and Microsoft in finding a way to stop ROP/JOP attacks.

“We also wanted to make sure that the solution is applicable to not just applications, but also to operating system kernels, and is beneficial to software written using most programming languages. We also wanted to ensure that software enabled for CET works on legacy platforms without changes, albeit with no security benefits. Finally, and most importantly, we wanted to address all known ROP/JOP attacks,” said Patel.

CET is currently in the process of being reviewed and more work is needed to be done.

Ian Pratt, CEO and co-founder at Bromium, told that after finding a vulnerability in a piece of software, an attacker typically needs to figure out how to exploit it so that they can get the victim system executing their own code.

“Depending on the nature of the vulnerability, this can be quite a complex process, involving multiple stages. One of those stages sometimes involves ‘Return Oriented Programming’ or ‘Jump oriented Programming’, which is basically a way of (ab)using instructions in the existing software to perform certain operations to prepare the ground for executing the attacker’s own code,” he said.

He said that getting extra help from the hardware is clearly the way forward.

“The best example of this today is the secure virtualization capabilities that our built into every CPU. Microsoft uses these in Win10 to harden key components of the OS.”

Giovanni Vigna, co-founder & CTO at Lastline, told SC that ROP attacks have become the standard way to perform exploits against browsers and other applications. The basic idea is that instead of providing their own code, the attacker “cannibalises” the ending pieces of various functions in the existing libraries.

“These ‘endings’ do something simple and then return (that’s why it’s called ‘return’-oriented programming). By composing multiple endings (sometimes hundreds!) the attacker can achieve a fully functional exploit.” He said.

Vigna added that shadow stack introduced by Intel makes sure that one cannot jump at the end of a function, but instead, one needs to follow the correct (intended) execution flow. He noted that some authors have proposed a shadow stack implemented in software, but the interest has been limited because of the overhead introduced.

“By creating a hardware-supported security mechanism, a developer can take advantage of this protection with minimal overhead.”

Source | SCMagazine