Microsoft announced today a new security feature for the Windows operating system.
Named “Hardware-enforced Stack Protection,” this feature allows applications to use the local CPU hardware to protect their code while running inside the CPU’s memory.
As the feature’s name suggests, its primary role is to protect the (memory) stack — where an app’s code is stored during execution.
“Hardware-enforced Stack Protection” works by enforcing strict management of the memory stack through the use of a combination between (1) modern CPU hardware and (2) shadow stacks.
The term shadow stacks is a new one and refers to a copies of a program’s intended execution flow (also referred to as the code’s execution order).
The new “Hardware-enforced Stack Protection” feature plans to use the hardware-based security features in modern CPUs to keep a copy of the app’s shadow stack (intended code execution flow) in a hardware-secured environment.
Microsoft says this will prevent malware from hijacking an app’s code by exploiting common memory bugs such as stack buffer overflows, dangling pointers, or uninitialized variables — all known to allow attackers to hijack an app’s normal code execution flow. Any modifications that don’t match the shadow stacks are ignored, effectively shutting down any exploit attempts.
Available for Windows 10 Insider fast ring
Currently, the new “Hardware-enforced Stack Protection” feature is in its early stages and still under active development, according to Hari Pulapaka, manager for the Microsoft Windows Kernel Group.
Microsoft has released today an early preview of the “Hardware-enforced Stack Protection” feature for Windows 10 Insider previews builds (fast ring).
Developers can use current versions of Windows 10 Insider preview builds to test their apps with the new protection and see how it works and if any issues arise.
“In order to receive Hardware-enforced stack protection on your application, there is a new linker flag which sets a bit in the PE header to request protection from the kernel for the executable,” Pulapaka explained in a blog post.
“If the application sets this bit and is running on a supported Windows build and shadow stack-compliant hardware, the Kernel will maintain shadow stacks throughout the runtime of the program,” the Microsoft manager said.
Currently, the “Hardware-enforced Stack Protection” feature will only work on chipsets that support Intel’s Control-flow Enforcement Technology (CET) instructions, which in turn support the shadow stacks mechanism.
If a computer is running on old hardware and does not support shadow stacks, Pulapaka said Windows will simply ignore the PE bit that enables the “Hardware-enforced Stack Protection” feature, and the program will run as it does now.
Microsoft’s hardware-enforced future
This new feature is Microsoft’s latest security feature that is tightly integrated with the underlying hardware.
Last year, Microsoft announced a new project called Secured-core PCs, which is a new type of branding for PCs and laptops where the Windows OS runs tightly integrated with the underlying CPU hardware, offering increased protection for enterprise users [see video below].
But according to Pulapaka, this is just the beginning, and Redmond plans to add more similar features that blend the Windows OS with the underlying hardware for added security.
“We are now exploring security features with deep hardware integration to further raise the bar against attacks,” Pulapaka said. “By integrating Windows and its kernel deeply with hardware, we make it difficult and expensive for attackers to mount large scale attacks.”
Source : ZDNet