CrowdStrike revealed that it is using telemetry from Intel CPUs to help detect and fight complex software exploits that evade standard OS-based defenses.
The CPU telemetry is powering a new Hardware Enhanced Exploit Detection feature in CrowdStrike’s Falcon platform, which will help detect complex attack techniques that are notoriously difficult to detect and expand memory safety protections on older PCs that lack modern anti-exploit mitigations, according to CrowdStrike.
CrowdStrike said, “Once activated, the new feature detects exploits by analyzing suspicious operations associated with exploit techniques, such as shellcode injection, return-oriented programming.”
The new detection technology is included in CrowdStrike’s Falcon sensor version 6.27 and is available on systems with Intel CPUs from the sixth generation or newer running Windows 10 RS4 or later.
The new technology, according to CrowdStrike security engineers, makes use of Intel Processor Trace (Intel PT), a CPU feature that delivers extensive telemetry useful for detecting and preventing code reuse exploits.
Intel PT records code execution on the processor and is generally used for performance diagnosis and analysis, but CrowdStrike has found a way to use this telemetry to spot previously undetected signals of malicious activity.
CrowdStrike explained that “Intel PT allows the CPU to continuously write information about the currently executing code into a memory buffer, which can be used to reconstruct the exact control flow. The primary usage scenario is to trace an executable while it runs, store the trace on the disk and afterward analyze it to reproduce the exact sequence of instructions that has been executed. The program behavior visibility provided by this feature makes it useful for security exploit detection and investigation as well.”
CrowdStrike said that its Falcon sensor will enable execution tracing for a selected set of programs on machines where Intel Processor Trace is supported and enabled. “Whenever the program executes a critical system service (like creating a new process), the sensor will analyze the captured trace to look for suspicious operations.”
According to CrowdStrike, the new approach is already proving valuable, having detected several return-oriented programming (ROP) exploit chains.
CrowdStrike said that by capturing the execution trace of an application, security software running in the kernel can now look for code reuse attacks by parsing the captured trace packets together with the executed instructions in the address space of the application.
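As an added illustration of that idea (not CrowdStrike's sensor code and not a real Intel PT packet decoder), the check below runs two classic ROP heuristics over a reconstructed control-flow trace combined with a map of the program's instructions: a return should land just after a call, and a run of very short instruction sequences each ending in a return is a gadget chain. The trace format, the address-space map, the sample traces and the thresholds are assumptions constructed for the example.

```python
"""Toy ROP-chain heuristics over a decoded control-flow trace (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    kind: str   # "call" or "ret" (assumed already decoded from the trace buffer)
    src: int    # address of the call/ret instruction
    dst: int    # address control transferred to

# Constructed address space: address -> (mnemonic, instruction length in bytes).
TEXT = {
    0x1000: ("push", 1), 0x1001: ("mov", 3), 0x1004: ("call", 5),   # call -> 0x2000
    0x1009: ("mov", 3), 0x100C: ("ret", 1),
    0x2000: ("push", 1), 0x2001: ("sub", 4), 0x2005: ("xor", 2),    # a normal callee
    0x2007: ("add", 4), 0x200B: ("pop", 1), 0x200C: ("ret", 1),
    0x3000: ("pop", 1), 0x3001: ("ret", 1),                         # short gadgets
    0x3010: ("pop", 1), 0x3011: ("ret", 1),
    0x3020: ("mov", 3), 0x3023: ("ret", 1),
}

def count_insns(text, start, end):
    """Walk the address space from start up to and including the instruction at end."""
    addr, n = start, 0
    while addr <= end:
        if addr not in text:
            raise ValueError(f"trace leaves known code at {addr:#x}")
        n += 1
        addr += text[addr][1]
    return n

def call_preceded(text, target):
    """True if some call instruction ends exactly at target (a legitimate return site)."""
    return any(m == "call" and a + size == target for a, (m, size) in text.items())

def analyze(trace, text, max_gadget=5, min_chain=3):
    """Return (reason, src, dst) findings; run when a critical system service is hit."""
    findings, run, prev_dst = [], 0, None
    for t in trace:
        if t.kind == "ret":
            if not call_preceded(text, t.dst):
                findings.append(("ret-to-non-call-preceded", t.src, t.dst))
            # Instructions executed since the last transfer landed: short == gadget.
            if prev_dst is not None and count_insns(text, prev_dst, t.src) <= max_gadget:
                run += 1
                if run == min_chain:
                    findings.append(("gadget-chain", t.src, t.dst))
            else:
                run = 0
        prev_dst = t.dst
    return findings

BENIGN_TRACE = [Transfer("call", 0x1004, 0x2000), Transfer("ret", 0x200C, 0x1009)]
ROP_TRACE = [Transfer("call", 0x1004, 0x2000), Transfer("ret", 0x200C, 0x3000),
             Transfer("ret", 0x3001, 0x3010), Transfer("ret", 0x3011, 0x3020),
             Transfer("ret", 0x3023, 0x1009)]
```

A real sensor would derive the transfers from Intel PT TIP/TNT packets and the length map from the process image; the heuristics and thresholds are the part that carries over.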
“Many CPU features, such as Intel PT, are underutilized and can be efficiently leveraged to detect and prevent exploits.”