Google has revealed Chrome 90 has adopted a new Windows 10 security feature called “Hardware-enforced Stack Protection” to protect the memory stack from attackers.
Hardware-enforced Stack Protection, which Microsoft previewed in March 2020, is designed to protect against return oriented programming (ROP) malware attacks, by using CPU hardware to protect an application’s code while running inside CPU memory.
The added protection is enabled in Chrome 90 on Windows 20H1 with the December update or later, and on Intel 11th Gen or AMD Zen 3 CPUs, which feature Control-flow Enforcement Technology (CET).
For several years Intel and Microsoft have been working on CET to thwart ROP attacks, which can bypass existing memory-exploit mitigations to install malware.
CET introduces “shadow stacks”, which are used exclusively for control transfer operations. These shadow stacks are isolated from the data stack and protected from tampering.
Intel explained in its document on CET: “When shadow stacks are enabled, the CALL instruction pushes the return address on both the data and shadow stack. The RET instruction pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor signals a control protection exception (#CP).”
Google’s Chrome platform security team warns that the shadow stack might cause problems for some software loaded into Chrome.
“[CET] improves security by making exploits more difficult to write. However, it may affect stability if software that loads itself into Chrome is not compatible with the mitigation,” the Chrome security team notes.
Google, however, has also provided details for developers who need to debug a problem in Chrome’s shadow stack. Developers can see which processes have Hardware-enforced Stack Protection enabled in Windows Task Manager.
Google describes ROP attacks as where “attackers take advantage of the process’s own code, as that must be executable.”
The Chrome team explains how CET works in Chrome on Windows: the return address popped from the “normal” stack is compared with the copy held on the shadow stack, and if they don’t match, an exception is raised that Windows handles.
“Along with the existing stack, the cpu maintains a shadow stack. This stack cannot be directly manipulated by normal program code and only stores return addresses,” the Chrome team explains.
“The CALL instruction is modified to push a return address (the instruction after the CALL) to both the normal stack, and the shadow stack. The RET (return) instruction still takes its return address from the normal stack, but now verifies that it is the same as the one stored in the shadow stack region. If it is, then the program is left alone and it continues to work as it always did. If the addresses do not match then an exception is raised which is intercepted by the operating system (not by Chrome).”
The operating system has an opportunity to modify the shadow region and allow the program to continue, but in most cases an address mismatch is the result of a program error so the program is immediately terminated, Google explained.
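As an added illustration, not code from Google, Intel or Microsoft, the following C model simulates the CALL/RET behaviour described above: CALL pushes the return address onto both a data stack and a shadow stack, and a RET whose data-stack return address no longer matches the shadow copy produces the control protection outcome instead of a transfer. The stack layout, addresses and function names are constructed for the model and carry no relation to real Chrome or Windows internals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 16

/* Outcome of a simulated RET, mirroring the hardware's #CP check. */
typedef enum { RET_OK, RET_CP_FAULT, RET_UNDERFLOW } ret_status;

typedef struct {
    uint64_t data[STACK_DEPTH];   /* normal stack: only return-address slots are modelled */
    uint64_t shadow[STACK_DEPTH]; /* shadow stack: return addresses only, unreachable by program code */
    int dsp, ssp;                 /* stack pointers for each stack */
} cet_cpu;

void cet_init(cet_cpu *c) { memset(c, 0, sizeof *c); }

/* CALL: push the return address onto both stacks. Returns 0 on overflow. */
int cet_call(cet_cpu *c, uint64_t ret_addr) {
    if (c->dsp >= STACK_DEPTH || c->ssp >= STACK_DEPTH) return 0;
    c->data[c->dsp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return 1;
}

/* RET: pop both stacks and compare; a mismatch is the control protection exception. */
ret_status cet_ret(cet_cpu *c, uint64_t *target) {
    if (c->dsp == 0 || c->ssp == 0) return RET_UNDERFLOW;
    uint64_t from_data = c->data[--c->dsp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_data != from_shadow) return RET_CP_FAULT;
    *target = from_data;
    return RET_OK;
}

/* Models a memory-corruption write that reaches the data stack's top return slot only. */
void cet_corrupt_top_return(cet_cpu *c, uint64_t value) {
    if (c->dsp > 0) c->data[c->dsp - 1] = value;
}

/* Scenario: a clean call/return succeeds; a return whose data-stack slot was overwritten faults. */
int demo_mismatch_detected(void) {
    cet_cpu c; uint64_t t;
    cet_init(&c);
    cet_call(&c, 0x401010);                    /* constructed return address */
    if (cet_ret(&c, &t) != RET_OK || t != 0x401010) return 0;
    cet_call(&c, 0x401020);
    cet_corrupt_top_return(&c, 0x7ff0dead);    /* constructed stand-in for a tampered value */
    return cet_ret(&c, &t) == RET_CP_FAULT;    /* shadow copy still holds 0x401020 */
}

int main(void) {
    printf("mismatch detected: %s\n", demo_mismatch_detected() ? "yes" : "no");
    return 0;
}
```

In the model the operating system's role from the text is the caller of cet_ret: on RET_CP_FAULT it decides whether to repair the shadow region or terminate the program.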
Microsoft in February also released developer guidance for Hardware-enforced Stack Protection. Microsoft’s Chromium-based Edge from version 90 has enabled the protection in “compatibility mode”.