Thu. Apr 2nd, 2020

Microsoft is developing Hardware-enforced Stack Protection for Windows 10

2 min read

Microsoft has announced a new feature under development for Windows 10, called “Hardware-enforced Stack Protection”, designed to enhance the overall security of systems and devices.

As the name implies, this function mainly protects the data from being hijacked by protecting the stack, but the function actually depends on the relevant technology of modern processors.

Microsoft said that mandatory stack protection uses a combination of modern processors and shadow stacks to strictly manage stack data in memory to prevent leaks.

“Intel ® 6402 Advanced Memory Buffer” by brit_robin is licensed under CC0 1.0 

Microsoft explains:

“Hardware-enforced Stack Protection offers robust protection against ROP exploits since it maintains a record of the intended execution flow of a program. To ensure smooth ecosystem adoption and application compatibility, Windows will offer this protection as an opt-in model, so developers can receive this protection, at your own pace.”

Microsoft says that it is developing mandatory stack protection against common memory error attacks, such as stack buffer overflows, null pointers, or uninitialized variables.

If an attacker attempts to use malicious software to hijack the code of other software, these known vulnerabilities could allow the attacker to hijack the normal running process of the corresponding software.

But by reading and comparing the data in the stack through the shadow stack function, it can be detected that the actual data in the stack is different from the data in the shadow stack.

This situation will be judged by the system as detecting an attack and will directly ignore any abnormal stack data, thus effectively preventing malware from exploiting the vulnerability.

Microsoft states that this feature is still in the early development and preview stages, and an early preview version is already available in Windows 10 Insider previews builds (fast ring).

Developers pursuing high security and developers of key areas of application can test in advance, that is, deploy new connector flags in the application.

This flag will set the corresponding attribute in the PE header to request the system kernel to provide protection to the executable file. For details, please click here to view Microsoft’s detailed documentation.