Intel CET for Browsers

Chromium-based browsers such as Microsoft Edge and Google Chrome will soon support the Intel CET security feature to prevent a wide range of vulnerabilities.

Intel’s Control-flow Enforcement Technology (CET) is a hardware security feature initially introduced in 2016 and added to Intel’s 11th generation CPUs in 2020.

The CET feature is designed to protect programs from Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks that modify an application’s normal flow so that an attacker’s malicious code is executed instead.

These vulnerabilities include attacks that bypass a browser’s sandbox or perform remote code execution while visiting web sites. Intel CET is a hardware-based solution that blocks these attempts by triggering exceptions when the natural flow is modified.

Chromium-browsers getting Intel CET support

Windows 10 supports Intel CET through an implementation called Hardware-enforced Stack Protection. For Windows applications to support this feature, they must first be compiled with the /CETCOMPAT linker flag in Visual Studio. When compiled with this flag, a program will be marked as CET Shadow Stack-compatible and opted into the security protection.

This security feature does not appear to be specific to Microsoft Edge but is coming to all Chromium browsers, including Google Chrome, Brave, and Opera.

Mozilla is also looking into adding support for Intel CET in Firefox, but there has been no recent status update for their implementation.

Windows 10 users running Intel 11th generation CPUs or AMD Zen 3 Ryzen CPUs, which also support CET, can use the Windows Task Manager to check if a process utilizes the hardware security feature.