Chrome on Windows turns on Intel, AMD chip-level defenses against malicious websites

Version 90 of Google's Chrome browser includes a bit of extra security for users of recent versions of Windows and the latest x86 processors, in the form of hardware-enforced stack protection.

This basically means that, if your PC supports it, it's a bit harder for malicious websites to exploit bugs in Chrome to hijack your computer.

Released in April, Chrome 90 supports Intel’s Control-flow Enforcement Technology (CET) [PDF], a processor-based defense against exploits that use something like Return Oriented Programming (ROP) to violate a program's control-flow integrity (CFI).

ROP is a code-reuse attack. It involves bouncing the CPU core between snippets of instructions in an application to form a malicious program. Think of it like cutting letters or words out of a newspaper to spell out a ransom note. You stitch together different parts of the software under attack to do things like disable security measures, or open a backdoor, or spawn some other malware.

This is done by writing specific return addresses onto the stack so that each time the processor executes a RET instruction to leave a subroutine, the CPU core is taken to another block of code chosen by the attacker. You can search the program for sequences of instructions, called gadgets, that perform particular tasks – such as writing to memory or making a system call – that end in a RET. And so you can chain together a series of these gadgets, sequenced by the return addresses in the manipulated stack, to achieve what you want on the compromised system.

ROP attacks can be thwarted by using ASLR that randomizes where in memory these gadgets can be found, though it's not bulletproof and attacks like BlindSide can be used to bypass KASLR (kernel ASLR).

CET debuted last year in Intel's Tiger Lake chips and in AMD Zen 3 processors to make CFI-style attacks like ROP more difficult. The Windows code necessary to support this hardware-based mitigation surfaced as a preview in March last year and in November landed with the 11C latest cumulative update for the 20H1 (19041) and 20H2 (19042) versions of Windows 10.

CET tries to prevent ROP by implementing a shadow stack, a read-only memory region that maintains a record of the primary stack in order to assure the proper control-flow of any program. If an exploit overwrites the main stack with malicious values to hijack the flow of the program, this should be evident to the processor when it inspects the shadow, and can terminate the program before any damage is done.

"On supported hardware, call instructions push the return address on both stacks and return instructions compare the values and issues a CPU exception if there is a return address mismatch," explained Jin Lin, program manager for Microsoft Azure and Windows Kernel, in a note in February.

Now Google has activated CET support in Chrome 90. As Google Chrome security engineer Alex Gough observed, this is particularly promising because one of Chrome's defenses, its multi-process architecture, can be overcome by ROP attacks.

That's because code libraries may be mapped at the same virtual memory address in different processes on Windows, which gives an attacker capable of reading an application's memory the opportunity to determine where Chrome's common libraries are in its own memory space, and thus the location of weaponizable ROP gadgets.

While CET may make CFI exploits more difficult to write, says Gough, there are limitations. Control-flow integrity concerns itself with two possible approaches: one deals with the forward-edge of the call graph, specifically indirect calls, and the other deals with the backward-edge of the call graph, handling return instructions.

• RIP ROP, COP, JOP? Intel to bring anti-exploit tech to market in this year's Tiger Lake chip family
• RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level
• Microsoft joins Bytecode Alliance to advance WebAssembly – aka the thing that lets you run compiled C/C++/Rust code in browsers
• Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue

Chrome's CET implementation only deals with the backward-edge (subroutine returns) so it still will be possible to make indirect jumps without any shadow stack validation. Gough said Windows' Control Flow Guard (CFG) technology can help bridge this gap to verify the target of an indirect function call, and Google plans to add CFG support to Chrome for Windows eventually.

The other issue is that of compatibility. Chrome's CET implementation "may affect stability if software that loads itself into Chrome is not compatible with the mitigation," said Gough.

Those who find Chrome is off its game may wish to disable /cetcompat using the Image File Execution Options, which Gough said generally isn't recommended though is fine for testing.

The Windows Task Manager will show whether a process has hardware-enforced stack protection active.

"Open task manager, open the Details Tab, Right Click on a heading, Select Columns & Check the Hardware-enforced Stack Protection box," explained Gough. "The process display will then indicate if a process is opted-in to this mitigation. 'Compatible Modules Only' indicates that any dll marked as /cetcompat at build time will raise an exception if a return address is invalid." ®