Intel today announced the rollout of the fourth generation of its Xeon family of server chipsets, detailing several new features under the company’s confidential computing umbrella of security features. Improvements to Intel’s trusted execution environment and a new technique for combatting jump- and return-oriented programming attacks were the most notable upgrades.

Xeon’s fourth generation introduces a number of new features across the board, including marked improvements to energy efficiency, AI processing, and edge workload handling, but the security side’s highlights are virtual machine (VM) isolation technology and control flow enforcement. The former technique provides hardware-level VM isolation, without the need for hypervisor oversight — instead of a single app living inside of a trusted environment, a whole VM can live there.

There are plenty of options for trusted execution environments in other areas of the stack, but Intel fellow Amy Santoni, the company’s chief Xeon security architect, said that not all of them offer the same capabilities or meet the same standards.

Intel aims to secure virtual environments

“It depends on your goals for a trusted environment,” she said.
“If you look at the cloud today, you can have multiple tenants running on the same hardware with virtualization technology, but in just a regular cloud environment, the hypervisor still has access to all those VM’s data if you allow them to — there’s nothing at a hardware level to prevent a VM from accessing data.”

That isolation is provided via Intel’s Trust Domain Extensions framework, which already works with Azure, Google Cloud, Alibaba and IBM — no timeline was provided for AWS integration at the time of this writing.

Control flow enforcement is a feature that Intel has already implemented in its endpoint-focused Core line of processors, but is new to the Xeon family, aimed at stamping out a family of cyberattack techniques called return-oriented and jump-oriented programming. The idea with such attacks is to rearrange the order in which pieces of code are provided back to the application, for malicious purposes.

“So I can take snippets of real, released code but I’m able to manipulate their order,” explained Santoni.

Control flow enforcement, however, adds a secondary or “shadow stack” to the normal stack used to order the execution of instructions. It’s completely inaccessible to programmers, so, the idea goes, it can’t be manipulated by a bad actor. The order of instructions is compared to the “shadow stack,” which throws an error if they’re not in the correct sequence.

Finally, Intel’s already-announced Project Amber is present in Xeon’s fourth generation. This is what the company describes as an out-of-station capability for its trusted execution environment, allowing users to validate that their workloads are running on Intel hardware, regardless of information provided by cloud service providers.

“The idea is to provide customers the ability to validate the configuration of the environment they’re running in,” said Santoni.
“It doesn’t mean that the CSP’s don’t provide that, it’s an additional option — when you buy a used car from a dealer, you [still] might want to take it to an independent mechanic.”

The nearly 50 different SKUs in the fourth-generation Xeon family are available for preorder from February 15.
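
The shadow-stack check described above can be illustrated with a small software model; this is an example added here, not Intel code. It assumes a simplified machine in which each call records its return address on both stacks and each return compares the two copies, and all addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define DEPTH 16

/* Toy machine: a normal stack that software can write, and a shadow
   stack that only model_call/model_ret touch (standing in for hardware). */
struct machine {
    uint64_t stack[DEPTH];  size_t sp;
    uint64_t shadow[DEPTH]; size_t ssp;
};

enum ret_status { RET_OK = 0, RET_FAULT = 1 };

/* CALL: the return address is pushed onto both stacks. */
static int model_call(struct machine *m, uint64_t return_addr)
{
    if (m->sp == DEPTH || m->ssp == DEPTH) return -1;
    m->stack[m->sp++] = return_addr;
    m->shadow[m->ssp++] = return_addr;
    return 0;
}

/* RET: pop both copies; control is transferred only if they agree. */
static enum ret_status model_ret(struct machine *m, uint64_t *target)
{
    if (m->sp == 0 || m->ssp == 0) return RET_FAULT;
    uint64_t from_stack = m->stack[--m->sp];
    uint64_t from_shadow = m->shadow[--m->ssp];
    if (from_stack != from_shadow) return RET_FAULT; /* mismatch: fault */
    *target = from_stack;
    return RET_OK;
}

/* Constructed scenario: two nested calls; if `corrupt` is set, a memory
   bug overwrites the innermost return address on the normal stack only. */
static enum ret_status run_scenario(int corrupt, uint64_t *target)
{
    struct machine m = {0};
    model_call(&m, 0x401000);             /* constructed addresses */
    model_call(&m, 0x401080);
    if (corrupt) m.stack[m.sp - 1] = 0x40beef;
    return model_ret(&m, target);
}

int main(void)
{
    uint64_t t = 0;
    printf("clean return:     %d\n", run_scenario(0, &t));
    printf("corrupted return: %d (1 = fault)\n", run_scenario(1, &t));
}
```

The corrupted run faults before any control transfer, because the overwrite reached only the software-writable stack and not the shadow copy.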