Chromium-based browsers like Microsoft Edge and Google Chrome will soon support the Intel CET security feature to prevent a wide range of vulnerabilities.
Intel’s Control-flow Enforcement Technology (CET) is a hardware security feature that was initially introduced in 2016 and added to Intel’s 11th generation CPUs in 2020.
The CET function is designed to protect programs against Return-Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks that change the normal flow of an application so that an attacker’s malicious code is executed sooner.
“JOP or ROP attacks can be particularly difficult to detect or prevent because the attacker uses existing code that runs from executable memory in a creative way to change the behavior of the program,” explains Microsoft’s Baiju V Patel.
These vulnerabilities include attacks that bypass the sandbox of a browser, or execute remote code execution while browsing websites.
Intel CET is a hardware-based solution that blocks these efforts by causing exceptions when adjusting the natural flow.
Chromium browsers get Intel CET support
Windows 10 supports Intel CET through an implementation called Hardware-enforced Stack Protection.
For Windows applications to support this feature, it must first be compiled with the / CETCOMPAT switch flag in Visual Studio. When compiled with this flag, an application will be marked as CET Shadow Stack compatible and selected for security protection.
This week, Microsoft Edge Microsoft Vulnerability Leader Johnathan Norman tweeted that Microsoft Edge 90 will support the Intel CET feature in non-renderer processes.
Edge 90 (Canary) now supports Intel’s CET non-vendor processes. Try it if you have a great new processor.
– Johnathan Norman (@spoofyroot) 11 February 2021
Microsoft Edge, which is based on Chromium, uses several processes to perform different tasks.
Based on Norman’s tweet, Intel CET will be used by non-performing processes, such as the browser, GPU, utility, expansion, and plug-ins.
Source: Google
This security feature does not appear to be specific to Microsoft Edge, but is applicable to all Chromium browsers, including Google Chrome, Brave, and Opera.
Mozilla is also investigating support for Intel CET in Firefox, but there is no recent status update for its implementation.
Windows 10 users with Intel’s 11th generation CPUs or AMD Zen 3 Ryzen CPUs, which also support CET, can use the Windows Task Manager to see if a process is using the hardware security feature.
To do this, open Task Manager, go to the Details right-click on a column header and select ‘Choose Colums. ‘
When the ‘Select Columns’ dialog box opens, scroll down and check ‘Check box’Stack protection applied by hardware. Once activated, this column shows you which processes support the Intel CET security feature.
BleepingComputer has no devices that use the 11th generation Intel CPUs to test this feature.
Google Chrome and Microsoft Edge 90 are expected to be released on April 13, 2021.