‘Hardware Enforced Stack Protection’… Block abnormal code modification
Microsoft (MS) is developing a security feature that keeps application code in a secure space on the CPU.
Microsoft announced on the 25th, through its technology community site, that it is developing a ‘Hardware-enforced Stack Protection’ feature.
According to Microsoft Windows Kernel Group Manager Hari Pulapaka, this feature uses local CPU hardware to protect an application’s code while it is running in memory.
Using this feature, the application keeps a ‘shadow stack’, a copy of the intended control flow, in the hardware security environment. Code modifications that do not match the shadow stack are blocked.
Microsoft explained that this feature could help prevent malware attacks that exploit vulnerabilities to hijack the app’s code. Stack buffer overflows, dangling pointers, and uninitialized variables are examples of these vulnerabilities.
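The shadow-stack comparison described above, modelled as a toy machine in C. This is an added example, not Microsoft's code or part of the original article; the `machine` structure, function names, stack sizes and sample addresses are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define DEPTH  32
#define LOCALS 4            /* words of local buffer per frame */

typedef struct {
    uint64_t data[DEPTH];   /* ordinary stack: locals and return addresses */
    uint64_t shadow[DEPTH]; /* shadow stack: return addresses only */
    int sp, ssp;            /* both grow downward from DEPTH */
} machine;

/* CALL: push the return address on both stacks, then reserve locals. */
static void do_call(machine *m, uint64_t ret_addr) {
    m->data[--m->sp] = ret_addr;
    m->shadow[--m->ssp] = ret_addr;
    m->sp -= LOCALS;
}

/* Unchecked copy into the frame's local buffer, the bug being modelled.
   It can only write to the data stack, never to the shadow stack. */
static void copy_to_locals(machine *m, const uint64_t *src, int n) {
    for (int i = 0; i < n && m->sp + i < DEPTH; i++)
        m->data[m->sp + i] = src[i];
}

/* RET: release locals, pop both stacks and compare. Returns 0 and sets
   *target on a match, -1 (control-protection fault) on a mismatch. */
static int do_ret(machine *m, uint64_t *target) {
    m->sp += LOCALS;
    uint64_t from_data = m->data[m->sp++];
    if (from_data != m->shadow[m->ssp++]) return -1;
    *target = from_data;
    return 0;
}

/* One call whose body copies n input words into a LOCALS-word buffer. */
int run_scenario(int n) {
    machine m = { .sp = DEPTH, .ssp = DEPTH };
    uint64_t input[LOCALS + 1] = { 1, 2, 3, 4, 0x41414141 }; /* constructed */
    uint64_t target = 0;
    if (n > LOCALS + 1) n = LOCALS + 1;   /* stay inside the sample input */
    do_call(&m, 0x401000);                /* constructed return address */
    copy_to_locals(&m, input, n);
    return do_ret(&m, &target);
}

int main(void) {
    printf("in-bounds: %d, overflow: %d\n", run_scenario(LOCALS), run_scenario(LOCALS + 1));
    return 0;
}
```

The fifth input word lands on the saved return address in the data stack, so the return is refused; the shadow copy is untouched because only `do_call` and `do_ret` ever write to it.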
This feature only works on Intel chipsets that support Control-flow Enforcement Technology (CET). On hardware that does not support it, the PE bit that enables hardware-enforced stack protection on Windows is ignored.
“There is a new linker flag that sets a bit in the PE header to request kernel protection for the executable,” Pulapaka said.
“If the application sets this bit on Windows and shadow stack compatible hardware that supports this feature, the kernel will maintain the shadow stack while the application is running,” he added.
On the same day, Microsoft made it possible to test this feature in the Windows 10 Insider preview build.