Google has announced that Chrome 90 implemented Hardware-Enforced Stack Protection – a new Windows 10 security improvement that keeps memory stacks safe from cybersecurity bad actors.
The role of this protective measure is to guard against ROP (return-oriented programming) malware attacks by using CPU hardware to protect a program’s code while running.
The chip manufacturer Intel has worked with Microsoft to deal with the issue that allowed for malware installation. Microsoft notes that Hardware-Enforced Stack Protection will only work with chips using Intel’s integrated CET (Control-Flow Enforcement Technology) instructions. CET implements “shadow stacks,” meant to control transfer operations while remaining isolated from the data stack to prevent tampering.
Return-oriented programming and jump-oriented programming (JOP) are standard exploit methods used by malicious software that essentially hijack software’s control flow and execute malicious code. These methods are also used to run remote code on web pages created to infect visitors’ devices. Hardware-Enforced Stack Protection detects these disruptions to block the attacks in time.
“With this mitigation, the processor maintains a new, protected stack of valid return addresses (a shadow stack). This improves security by making exploits more difficult to write,” wrote Chrome Platform Security Team engineer Alex Gough on Google’s Security Blog page. He also pointed out that these changes may impact the stability of the software loaded into Chrome if it’s not mitigation-compatible.
This may concern users who use Chrome VPN extensions while browsing the World Wide Web. Fortunately, Google has provided developers with the information necessary to debug any issues with Chrome’s shadow stack.
The security update, already implemented by Microsoft Edge and Google Chrome, is likely to be adopted by other browsers built on Chromium, like Brave and Opera. Mozilla has also announced Intel CET support for its browser Firefox.
If you have a CET-compatible CPU such as 11th Gen Intel Core or AMD Zen 3 Ryzen and you are a Windows 10 user, you can already see this security update take effect.