CPU-level security capabilities in new Intel chips are designed to thwart in-memory attacks.

Intel’s newest generation of processors features security technology designed to interfere with how malicious apps operate.

As is tradition, mobile devices will be the first recipients of Intel’s Tiger Lake processors. For at least two decades now, Intel has unveiled mobile, desktop, and server processors, in that order. Server processors come last because they combine the desktop processor with server-oriented instructions, and you don’t just plug those in and go.

Intel is making a lot of noise about Tiger Lake performance, claiming its on-board GPU performance is comparable to a discrete GPU from Nvidia or AMD. We’ll leave that to the testers to verify.

On the security front, the big change in Tiger Lake is the addition of Control-Flow Enforcement Technology, or CET. Intel CET deals with the order in which operations are executed inside the CPU. Malware can use vulnerabilities in other apps to hijack their control flow and insert malicious code into the app, so that the malware runs as part of a valid application, which makes it very hard for software-based anti-virus programs to detect. These are in-memory attacks; unlike conventional malware or ransomware, nothing is written to disk for a scanner to find.

Intel cited TrendMicro’s Zero Day Initiative (ZDI), which said 63.2% of the 1,097 vulnerabilities disclosed by ZDI from 2019 to today were related to memory safety.

“It takes deep hardware integration at the foundation to deliver effective security features with minimal performance impact,” wrote Tom Garrison, vice president of the client computing group and general manager of security strategies and initiatives at Intel, in a blog post announcing the products. “As our work here shows, hardware is the bedrock of any security solution. Security solutions rooted in hardware provide the greatest opportunity to provide security assurance against current and future threats.
Intel hardware, and the added assurance and security innovation it brings, help to harden the layers of the stack that depend on it,” Garrison wrote.

CET protects the control flow via two new security mechanisms: shadow stack and indirect branch tracking. Shadow stack keeps a second copy of the return addresses that define an app’s intended control flow in a secure area of the CPU that ordinary code cannot write, so no unauthorized change to the app’s intended execution order goes unnoticed. Since this class of malware works by hijacking the app’s intended order of execution, a mismatch between the two copies exposes the hijack and blocks the malware. Indirect branch tracking protects against two techniques called jump-oriented programming (JOP) and call-oriented programming (COP), where malware abuses the JMP (jump) or CALL instructions to hijack a legitimate app’s jump tables.

So when will Xeon get CET? The short answer is not soon. Intel is preparing Cooper Lake for release, and there was no mention of CET in the details Intel has released. Cooper Lake is geared at AI and HPC. So CET will likely be in the next generation of Xeons, and generally speaking, Intel doesn’t rush Xeon releases. They tend to come every two years. Intel is expected to release Xeons based on the Ice Lake design later this year, and Ice Lake has been available for desktops and laptops since 2018. So expect a wait. But Xeon will eventually get the technology, Intel says.

Intel first published the CET spec in 2016 but held off, giving developers a chance to tune their apps for CET. This gives developers – including Microsoft Windows and Linux OS developers – a chance to support the CET instructions so they can opt in to the protection CET provides. Intel has been working with Microsoft to integrate CET with Windows 10. Microsoft’s support for CET in Windows 10 will be called Hardware-enforced Stack Protection, and a preview of it is available today to Windows Insiders.
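To make the two mechanisms concrete, here is a small software model of how a shadow stack and indirect branch tracking catch a hijacked control flow. It is an added teaching example, not Intel’s implementation and not code from the article: the real shadow stack lives in CPU-protected memory and a violation raises a control-protection fault, whereas this model keeps both stacks in a plain struct and reports violations as return codes. All addresses, the `cet_*` and `scenario_*` function names and the ENDBRANCH target table are constructed for the example.

```c
/* Software model of the two CET mechanisms described above (added example,
 * not Intel's implementation). A shadow stack mirrors every pushed return
 * address, and indirect branch tracking only accepts indirect JMP/CALL
 * targets that begin with an ENDBRANCH marker. Violations that real
 * hardware reports as a #CP fault are returned as codes here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 16

enum { CET_OK = 0, CET_SHADOW_MISMATCH = 1, CET_IBT_VIOLATION = 2 };

typedef struct {
    uintptr_t data_stack[STACK_DEPTH];   /* return addresses as the ordinary stack holds them (writable by the app) */
    uintptr_t shadow_stack[STACK_DEPTH]; /* CPU-maintained mirror; ordinary stores cannot reach it */
    int sp;                              /* both stacks move together */
} cet_state;

static void cet_init(cet_state *s) { memset(s, 0, sizeof *s); }

/* CALL: the return address is pushed onto both stacks. */
static void cet_call(cet_state *s, uintptr_t return_addr) {
    s->data_stack[s->sp] = return_addr;
    s->shadow_stack[s->sp] = return_addr;
    s->sp++;
}

/* RET: pop both copies; a mismatch means the ordinary copy was tampered with. */
static int cet_ret(cet_state *s, uintptr_t *target) {
    s->sp--;
    uintptr_t from_data = s->data_stack[s->sp];
    uintptr_t from_shadow = s->shadow_stack[s->sp];
    if (from_data != from_shadow) return CET_SHADOW_MISMATCH;
    *target = from_data;
    return CET_OK;
}

/* Models a memory-safety bug whose out-of-bounds write reaches the saved
 * return address. Only the ordinary stack is reachable; the shadow copy is not. */
static void corrupt_saved_return(cet_state *s, uintptr_t bogus_value) {
    s->data_stack[s->sp - 1] = bogus_value;
}

/* Indirect branch tracking: the set of code addresses that begin with ENDBRANCH. */
typedef struct { const uintptr_t *endbr_targets; int count; } ibt_policy;

/* An indirect JMP or CALL may only land on an ENDBRANCH-marked address. */
static int cet_indirect_branch(const ibt_policy *p, uintptr_t target) {
    for (int i = 0; i < p->count; i++)
        if (p->endbr_targets[i] == target) return CET_OK;
    return CET_IBT_VIOLATION;
}

/* Constructed scenario 1: a normal call/return pair passes the check. */
int scenario_clean_return(void) {
    cet_state s; cet_init(&s);
    uintptr_t target = 0;
    cet_call(&s, 0x401000);            /* constructed return address */
    return cet_ret(&s, &target);       /* CET_OK, target == 0x401000 */
}

/* Constructed scenario 2: the saved return address is overwritten before RET. */
int scenario_corrupted_return(void) {
    cet_state s; cet_init(&s);
    uintptr_t target = 0;
    cet_call(&s, 0x401000);
    corrupt_saved_return(&s, 0xdeadbeef); /* constructed bogus value */
    return cet_ret(&s, &target);       /* CET_SHADOW_MISMATCH: shadow copy still says 0x401000 */
}

/* Constructed scenario 3: indirect branches to a marked and an unmarked address. */
static const uintptr_t valid_targets[] = { 0x402000, 0x402040 }; /* constructed ENDBRANCH sites */
static const ibt_policy policy = { valid_targets, 2 };

int scenario_ibt_marked(void)   { return cet_indirect_branch(&policy, 0x402040); } /* CET_OK */
int scenario_ibt_unmarked(void) { return cet_indirect_branch(&policy, 0x402013); } /* CET_IBT_VIOLATION */

int main(void) {
    printf("clean return:      %d\n", scenario_clean_return());
    printf("corrupted return:  %d\n", scenario_corrupted_return());
    printf("IBT marked target: %d\n", scenario_ibt_marked());
    printf("IBT mid-function:  %d\n", scenario_ibt_unmarked());
    return 0;
}
```

The point the model makes is the one the article makes: the app’s own bug can still scribble over the ordinary stack, but it cannot reach the shadow copy, so the CPU notices the discrepancy at the moment of return rather than after the payload has run; likewise an indirect branch into the middle of a function (scenario 3) is refused before any instruction there executes. On real hardware a compiler emits the ENDBRANCH markers and shadow-stack-aware prologues when built with CET support, and the OS must enable the feature for the process.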