Related Intel Security Featuresand Technologies
There are security features and technologies, either present in existing Intel products or planned for
future products, which reduce the effectiveness of the attacks mentioned in the previous sections.
4.1 Intel® OS Guard
When Intel® OS Guard, also known as Supervisor-Mode Execution Prevention (SMEP), is enabled, the
operating system will not be allowed to directly execute application code, even speculatively. This
makes branch target injection attacks on the OS substantially more difficult by forcing the attacker to
find gadgets within the OS code. It is also more difficult for an application to train OS code to jump to
an OS gadget. All major operating systems enable SMEP support by default.
4.2 Execute Disable Bit
The Execute Disable Bit is a hardware-based security feature that can help reduce system exposure to
viruses and malicious code. Execute Disable Bit allows the processor to classify areas in memory
where application code can or cannot execute, even speculatively. This reduces the gadget space,
increasing the difficulty of branch target injection attacks. All major operating systems enable Execute
Disable Bit support by default.
4.3 Control flow Enforcement Technology (CET)
On future Intel processors, Control flow Enforcement Technology will allow limiting near indirect jump
and call instructions to only target ENDBRANCH instructions. This feature can reduce the speculation
allowed to non-ENDBRANCH instructions. This greatly reduces the gadget space, increasing the
difficulty of branch target injection attacks.
For additional information on CET, see the Control-flow Enforcement Technology Preview located here:
https://software.intel.com/sites/def...gy-preview.pdf
4.4 Protection Keys
On future Intel processors that have both hardware support for mitigating Rogue Data Cache Load and
protection keys support, protection keys can limit the data accessible to a piece of software. This can
be used to limit the memory addresses that could be revealed by a branch target injection or bound
check bypass attack.
7 Document Number: 336983-001, Revision 1.0
4.5 Supervisor-Mode Access Prevention (SMAP)
Supervisor-Mode Access Prevention (SMAP) can be used to limit which memory addresses can be used
for a cache based side channel, forcing an application attacking the kernel to use kernel memory
space for the side channel. This makes it more difficult for an application to perform the attack on the
kernel as it is more challenging for an application to determine whether a kernel line is cached than an
application line.