Microsoft releases early preview of 'hardware-enforced stack protection' feature for Windows 10 Insider preview builds

Hardware-enforced stack protection uses a combination of modern CPU hardware and 'shadow stacks' to protect app code from cyber attacks

Microsoft has announced a new 'hardware-enforced stack protection' feature for its Windows operating system that, it claims, will help to improve protection against cyber attacks.

According to Microsoft, this new feature enables apps to utilise the local CPU hardware to protect their code from attacks, while that code is executed inside the CPU's memory.

The security feature is currently under development, and only an early preview of it is available for Windows 10 Insider preview builds (fast ring).

"We aim to make Windows 10 one of the most secure operating systems for our customers and to do that we are investing in a multitude of security features," said Hari Pulapaka, manager for the Microsoft Windows Kernel Group.

According to Pulapaka, the main task of the new feature will be to enforce strict management of the memory stack. In computing architectures, stacks refer to memory areas where data is added or removed in a last-in-first-out manner.

The 'Hardware-enforced stack protection' feature intends to use a combination of modern CPU hardware and shadow stacks (a protected record of the programme's intended return addresses, i.e. its intended execution flow) in order to achieve memory stack management.

Microsoft says this will prevent a malicious programme from exploiting common memory flaws, such as uninitialised variables, stack buffer overflows, or dangling pointers, in order to execute arbitrary native code on target machines.

The system will simply reject any return address that does not match its copy on the shadow stack, thereby thwarting the exploit attempt.

"This technology provides parity with programme call stacks, by keeping a record of all the return addresses via a Shadow Stack," Pulapaka explained.

"On every CALL instruction, return addresses are pushed onto both the call stack and shadow stack, and on RET instructions, a comparison is made to ensure integrity is not compromised. If the addresses do not match, the processor issues a control protection (#CP) exception. This traps into the kernel and we terminate the process to guarantee security."
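To make the mechanism Pulapaka describes concrete, here is an added educational model (not Microsoft or Intel code) of a CPU with an ordinary call stack and a shadow stack. CALL pushes the return address onto both; RET pops both and compares them, raising a stand-in for the #CP exception when they differ, which the surrounding code treats as the kernel terminating the process. The class and function names, the return addresses and the corrupting value are all constructed for the example.

```python
"""Toy model of a hardware shadow stack (educational example, not Microsoft or Intel code)."""
from dataclasses import dataclass, field
from typing import List


class ControlProtectionFault(Exception):
    """Stands in for the #CP exception the processor raises on a mismatch."""


@dataclass
class ShadowStackCPU:
    # Ordinary data stack: stores, overflows and dangling-pointer writes can reach it.
    call_stack: List[int] = field(default_factory=list)
    # Shadow stack: in this model it is touched only by call()/ret(), never by a
    # normal memory write, which is the property the hardware enforces.
    shadow_stack: List[int] = field(default_factory=list)

    def call(self, return_address: int) -> None:
        """CALL: push the return address onto both stacks."""
        self.call_stack.append(return_address)
        self.shadow_stack.append(return_address)

    def ret(self) -> int:
        """RET: pop both stacks, compare, and raise #CP when they disagree."""
        addr = self.call_stack.pop()
        expected = self.shadow_stack.pop()
        if addr != expected:
            raise ControlProtectionFault(
                f"return address 0x{addr:x} does not match shadow copy 0x{expected:x}")
        return addr

    def overwrite_saved_return(self, value: int) -> None:
        """Models memory corruption (e.g. a stack buffer overflow) that reaches
        the saved return address on the ordinary stack only."""
        self.call_stack[-1] = value


def run_program(corrupt: bool) -> str:
    """Drive a nested call sequence and return the (modelled) kernel's decision."""
    cpu = ShadowStackCPU()
    cpu.call(0x401000)  # constructed: main -> parse_input, returns to 0x401000
    cpu.call(0x402050)  # constructed: parse_input -> copy_buffer, returns to 0x402050
    if corrupt:
        cpu.overwrite_saved_return(0xDEADBEEF)  # constructed corrupting value
    try:
        cpu.ret()
        cpu.ret()
    except ControlProtectionFault as exc:
        # The #CP trap reaches the kernel, which terminates the process
        # instead of transferring control to the mismatching address.
        return f"terminated: {exc}"
    return "completed normally"


if __name__ == "__main__":
    print(run_program(corrupt=False))  # completed normally
    print(run_program(corrupt=True))   # terminated: return address 0xdeadbeef ...
```

The point the model makes is that the defence does not depend on recognising any particular corrupting value: any write that changes the saved return address on the ordinary stack, for whatever reason, leaves the shadow copy untouched, so the comparison at RET fails and control never reaches the altered address.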

The new security feature will work only on processors that support Intel's Control-flow Enforcement Technology (CET) instructions.

Developers with Intel CET-capable hardware can enable the linker flag on their application to test the feature with the latest Windows 10 insider builds.