‘Hardware Enforced Stack Protection’… Block abnormal code modification
Microsoft (MS) is developing a security feature that keeps application code in a secure space on the CPU.

Microsoft announced on the 25th, through its technology community site, that it is developing a ‘Hardware-enforced Stack Protection’ feature.

According to Microsoft Windows Kernel Group Manager Hari Pulapaka, this feature uses local CPU hardware to protect an application's code while the application is running in CPU memory.

Using this feature, the application keeps a ‘shadow stack’, a copy of the intended control flow, in the hardware security environment. Code modifications that do not match the shadow stack are blocked.

Microsoft explained that this feature could help prevent attacks in which malware exploits vulnerabilities to hijack the app’s code. Stack buffer overflows, dangling pointers, and uninitialized variables are examples of these vulnerabilities.

This feature only works on Intel chipsets that support Control-flow Enforcement Technology (CET). On hardware that does not support it, the PE bit that enables hardware-enforced stack protection on Windows is ignored.

“There is a new linker flag that sets a bit in the PE header to request kernel protection for the executable,” Pulapaka said.

“If the application sets this bit on Windows and shadow stack compatible hardware that supports this feature, the kernel will maintain the shadow stack while the application is running,” he added.

On the same day, Microsoft made it possible to test this feature in the Windows 10 Insider preview build.
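
To audit which binaries actually request this protection, the PE bit mentioned above can be read straight from the file. The following is an added example, not code from Microsoft or from the original article. It assumes the marking written by the MSVC `/CETCOMPAT` linker option, which the article does not name: the `IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT` bit in the debug-directory entry of type `IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS` (constants from the Windows SDK). `build_sample` is a hypothetical helper that constructs a minimal header set for the demo.

```python
import struct

IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20      # winnt.h
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001  # winnt.h

def is_cet_compat(pe: bytes) -> bool:
    """Return True if the image requests hardware-enforced stack protection."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)               # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections and SizeOfOptionalHeader from the COFF header
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)        # NumberOfRvaAndSizes
    if ndirs <= 6:
        return False
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, dirs + 6 * 8)
    for i in range(nsec):                                    # map RVA to file offset
        vsize, va, rsize, rptr = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= dbg_rva < va + max(vsize, rsize):
            dbg_off = dbg_rva - va + rptr
            break
    else:
        return False                                         # no debug directory
    for entry in range(dbg_off, dbg_off + dbg_size, 28):     # IMAGE_DEBUG_DIRECTORY
        typ, size, _rva, ptr = struct.unpack_from("<IIII", pe, entry + 12)
        if typ == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and size >= 4:
            (flags,) = struct.unpack_from("<I", pe, ptr)
            return bool(flags & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return False

def build_sample(flags: int) -> bytes:
    """Constructed minimal PE32+ headers for the demo; not a loadable binary."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    # Machine, one section, SizeOfOptionalHeader, Characteristics, Magic
    struct.pack_into("<HH12xHHH", img, 0x44, 0x8664, 1, 240, 0x22, 0x20B)
    # NumberOfRvaAndSizes, then debug directory (index 6): RVA, size
    struct.pack_into("<I48xII", img, 0x58 + 108, 16, 0x1000, 28)
    struct.pack_into("<8sIIII", img, 0x148, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    # Debug entry: Type, SizeOfData, RVA, file pointer; flags word at 0x220
    struct.pack_into("<IIII4xI", img, 0x20C, 20, 4, 0x1020, 0x220, flags)
    return bytes(img)

if __name__ == "__main__":
    print([is_cet_compat(build_sample(f)) for f in (0x1, 0x0)])
```

On a real system, pass the bytes of an `.exe` or `.dll` to `is_cet_compat`. As the article notes, the bit is only a request, and it is ignored on hardware without shadow stack support.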