Google Chrome has adopted Intel’s Control-flow Enforcement Technology (CET) to hinder attackers’ efforts to exploit security bugs on systems with Intel 11th Gen or AMD Zen 3 CPUs running Windows 10 2004 or later.
CET is supported on Windows 10 systems through Hardware-enforced Stack Protection, which adds enhanced exploit protection on every compatible device.
Hardware-enforced Stack Protection uses the Intel CET chipset to protect all apps against common exploit techniques such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP).
Attackers use such exploits to hijack a program’s intended control flow and execute malicious code, either to escape the browser’s sandbox or to run code remotely when a user visits a malicious website they have designed.
Hardware-enforced Stack Protection on Windows 10 blocks these attacks by triggering an exception when it detects that an app’s natural flow has been modified.
The Chrome Platform Security Team Engineer, Alex Gough, said, “With this mitigation the processor maintains a new, protected, stack of valid return addresses (a shadow stack). This improves security by making exploits more difficult to write. However, it may affect stability if software that loads itself into Chrome is not compatible with the mitigation.”
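As an added illustration (not code from Chrome, Windows or Intel), the following C model shows the shadow-stack check described above: a call records the return address on both stacks, and a return faults when the two copies differ. The `cpu_t` structure, the function names and the addresses are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DEPTH 16
enum { RET_OK = 0, RET_FAULT = -1 };  /* RET_FAULT models the CPU's exception */

/* Toy CPU (hypothetical): a normal stack that program data can overwrite,
   and a shadow stack that only CALL and RET ever touch. */
typedef struct {
    uint64_t data[DEPTH], shadow[DEPTH];
    size_t sp, ssp;
} cpu_t;

/* CALL: the return address is pushed on both stacks. */
static int do_call(cpu_t *c, uint64_t ret_addr) {
    if (c->sp == DEPTH || c->ssp == DEPTH) return RET_FAULT;
    c->data[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return RET_OK;
}

/* RET: pop both copies; a mismatch faults instead of transferring control. */
static int do_ret(cpu_t *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return RET_FAULT;
    uint64_t from_stack = c->data[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_stack != from_shadow) return RET_FAULT;
    *target = from_stack;
    return RET_OK;
}

/* Two nested calls; optionally model a memory-safety bug that rewrites the
   innermost saved return address (constructed value) on the normal stack.
   Returns how many returns completed before a fault (2 = clean run). */
int run_scenario(int corrupt) {
    cpu_t c = {0};
    uint64_t target = 0;
    int completed = 0;
    do_call(&c, 0x1000);
    do_call(&c, 0x2000);
    if (corrupt) c.data[c.sp - 1] = 0x41414141;
    while (c.sp > 0 && do_ret(&c, &target) == RET_OK) completed++;
    return completed;
}

int main(void) {
    printf("clean: %d returns, corrupted: %d returns\n",
           run_scenario(0), run_scenario(1));
    return 0;
}
```

The same comparison is why software that rewrites return addresses for its own purposes is incompatible with the mitigation: the check cannot tell a benign rewrite from a hostile one.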
Google Chrome is not the first Chromium-based web browser to support Hardware-enforced Stack Protection.
Jonathan Norman, after researching the vulnerability on Microsoft Edge, said that Microsoft Edge 90 added the Intel CET feature in its non-renderer processes.
Norman tweeted, “Edge 90 (Canary) now supports Intel’s CET non-renderer processes. If you have a fancy new processor give it a try.”
Besides Chrome and Microsoft Edge, Brave and Opera are other Chromium-based browsers adopting this security feature.
Furthermore, Mozilla is also looking to include this feature in its web browser. However, there has been no recent official status update on this.
Users running Windows 10 on CET-compatible CPUs (Intel 11th Gen or AMD Zen 3 Ryzen) can check through Task Manager whether a browser process uses this feature. To do this, open Task Manager, go to the Details tab, right-click the column header, choose Select Columns, and then check the Hardware-enforced Stack Protection option. When enabled, a new column with Intel CET support will be added.