If you have an Intel CPU, Chrome and Edge are going to be much more secure
Control-flow Enforcement Technology, better known as CET, is a new hardware-based security measure that was designed in 2016, although it did not begin to reach processors until 2020. It combines several hardware-based techniques, already existing in current processors, to detect suspicious activity in the memory of any program and block it automatically.
This security measure is primarily intended to protect us from Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks. These attacks are used to modify the execution flow of any application so that the system loads a malicious executable instead of the program we were actually trying to open.
ROP and JOP attacks are especially difficult to detect because attackers creatively reuse code that is already running in memory, so nothing looks suspicious while it runs inside the system. Therefore, unless the attack makes other strange changes that catch the attention of heuristics, antivirus and other security tools are not able to detect it.
Generally, these attacks can bypass the sandbox of browsers, or directly execute code just by visiting a website. The Windows Task Manager allows us to easily see if each process has a hardware-based layer of protection.
Microsoft confirmed that the 2004 version of Windows 10 introduced support for CET, so that it could detect these possible attacks directly from memory before they were executed. Microsoft has also opened the door for any program running on the PC to support this new security measure just by compiling it with the "/CETCOMPAT" parameter from Visual Studio.
A new vulnerability detected in Edge has revealed that Microsoft has already added support for CET in the Canary version of the browser, specifically in Edge 90. All Chromium-based browsers split their work across several processes to speed up their operation, each one in charge of a different task. Thus, Intel CET will control the processes of the browser, GPU, plug-ins, and extensions to prevent anything from interfering with them.
The changes required to enable this feature have not only come to Edge but have come directly to Chromium. This means that any browser based on it, such as Chrome or Opera, will receive this security measure very soon. Mozilla also wants to implement it within Firefox, although at the moment there is not much information about it.
The first thing we will need in order to use this new security measure is Windows 10, and not just any version but the latest version of the operating system, since that will be the only way for everything to work properly.
Also, not all processors are compatible with it. You must have an Intel 11th generation CPU to enjoy CET. Previous generations of these processors do not have this security measure, not even the highest-end models. In AMD's case, the Zen 3 Ryzen processors also have CET support.
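As an added example (not code from the original article), this C program reads the CPUID bits that advertise CET, so you can check whether a processor meets the hardware requirement described above. The function and struct names are assumptions made for this example. It builds with GCC, Clang or MSVC on x86, and a positive result only shows CPU support, since the operating system and each program must still opt in.

```c
/* Added example: does this CPU advertise Intel CET? (names are illustrative) */
#include <stdio.h>
#if defined(_MSC_VER)
#include <intrin.h>
#elif defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 7, subleaf 0: feature bits defined by the x86 architecture. */
#define CET_SS_BIT  (1u << 7)   /* ECX[7]:  shadow stack (return-address protection) */
#define CET_IBT_BIT (1u << 20)  /* EDX[20]: indirect branch tracking */

struct cet_caps { int shadow_stack; int ibt; };

/* Decode raw ECX/EDX values from leaf 7 into the two CET capabilities. */
struct cet_caps cet_decode(unsigned ecx, unsigned edx) {
    struct cet_caps c;
    c.shadow_stack = (ecx & CET_SS_BIT) != 0;
    c.ibt = (edx & CET_IBT_BIT) != 0;
    return c;
}

/* Query the running CPU. Returns 0 on success, -1 if leaf 7 is unavailable. */
int cet_query(struct cet_caps *out) {
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
#if defined(_MSC_VER)
    int r[4];
    __cpuid(r, 0);                    /* r[0] = highest supported leaf */
    if (r[0] < 7) return -1;
    __cpuidex(r, 7, 0);
    ecx = (unsigned)r[2]; edx = (unsigned)r[3];
#elif defined(__x86_64__) || defined(__i386__)
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) return -1;
#else
    return -1;                        /* not an x86 CPU */
#endif
    (void)eax; (void)ebx;
    *out = cet_decode(ecx, edx);
    return 0;
}

int main(void) {
    struct cet_caps c;
    if (cet_query(&c) != 0) { puts("CPUID leaf 7 not available"); return 1; }
    printf("CET shadow stack: %s\n", c.shadow_stack ? "yes" : "no");
    printf("CET indirect branch tracking: %s\n", c.ibt ? "yes" : "no");
    return 0;
}
```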
Edge and Chrome 90 will reach all users on April 13, 2021, and with them, support for CET, provided we comply with the above.