Security news that informs and inspires

Microsoft’s Secured-core PC Takes Aim at Firmware Attacks

By

Operating system integrity checks will happen on the chip-level, not firmware.

There are many ways to defend against software attacks on Windows 10, such as running antivirus to detect and remove malware, configuring the firewall to block malicious traffic, and patching the system to close security vulnerabilities. On the flip side, there aren't a lot of ways to defend against firmware attacks, where the malware targets the code that runs underneath the operating system.

Firmware refers to the code that is installed on the chip that controls the hardware and software when the computer is starting up. The code executes before the operating system and other system drivers, so its activities are essentially invisible to the operating system and other security tools. If an attacker manages to infect the firmware—by exploiting a vulnerability in the firmware code or overwriting with a malicious version—the attack code is persistent. It remains on the system even after rebooting the machine, reinstalling the operating system, or replacing the hard drive.

Firmware-based attacks are on the rise, as nation-state actors and other sophisticated attack groups add this technique to their arsenal of tools. Protecting the device against firmware attacks require the hardware and software to work together. Apple relies on its custom ARM-based chips to verify the operating system code hasn't been maliciously modified during boot-up, and it can do so because the company controls both the hardware and software. Microsoft doesn't have that luxury, as its Windows operating system can run on a wide variety of hardware with different firmware.

Secured-core PC is Microsoft's attempt to exert some control over the hardware. As part of the new initiative, Microsoft will work with chip makers and PC manufacturers on a new hardware and system architecture that embeds security defenses right in the chip. Secured-core PCs will boot securely, protect the firmware from being modified, shield the operating system from attacks, prevent unauthorized access to devices and data, and ensure identity and domain credentials are protected, David Weston, Microsoft's partner director of operating system security, wrote on the Windows Security blog. Microsoft will accomplish this long list by weaving Windows 10 security technologies with new chips from AMD, Intel, and Qualcomm.

“Secured-core PCs combine identity, operating system, hardware and firmware protection to add another layer of security underneath the operating system," Weston wrote. "Unlike software-only security solutions, Secured-core PCs are designed to prevent these kinds of attacks rather than simply detecting them.”

Microsoft has been experimenting with different methods to make sure the operating system hasn't been modified, such as Windows Secure Boot and Trusted Platform Module. Administrators use the Trusted Platform Module to verify the device booted securely. Secure Boot relies on the firmware to check that the operating system's cryptographic signatures are still valid, but if the firmware itself has been tampered with, Secure Boot is no longer effective.

Compromised firmware can undermine secure boot and other security features, making it "more difficult to identify when a system or user has been compromised," Weston wrote.

Secured-core PC takes the job of checking for software integrity away from the firmware and gives it to the new CPUs from AMD, Intel, and Qalcomm. The chip will perform the integrity checks during boot, using instructions that were burned into the CPUs during manufacturing. The code will be digitally signed with encryption keys owned by the manufacturer, making interception harder.

Microsoft's new initiative combines the latest chip technology with security features in Windows 10 as Secured-core PCs use Windows Hello for password-less authentication. The new chips also use Windows Defender's System Guard Secure Launch to start the operating system’s boot loader and initializes the system into a trusted state. Microsoft isolated a portion of memory to handle this process and to keep malware out of the computer’s kernel and other sensitive functions.

The concept is similar to how Microsoft secures its Xbox gaming consoles. Microsoft will be able to assert more control over the hardware Windows 10 gets installed on. With this initiative, Microsoft will be coordinating what needs to be on the hardware level with its partners.

One thing to remember, that Secured-core PCs require the new types of chips, so existing Windows 10 devices cannot take advantage of this level of security. The flip side is that if issues are found in the chips, no amount of software updates would be able to fix the problem since the components are hard-coded into the CPU.

With Secured-core PCs, Microsoft applied "security best practices of isolation and minimal trust to the firmware layer," Microsoft's Steve Clarke wrote on the Windows blog.

Secured-core PCs are designed for industries where workers handle intellectual property or sensitive user data, such as is the case in financial services, government, and healthcare. Secured-core PCs will be available from major PC makers including Dell, Dynabook, HP, Lenovo, and Panasonic, mostly on high-end and enterprise systems in the coming year. Microsoft's Surface Pro X and HP's Elite Dragonfly will be among the first Secured-core PCs available.