Breaking News

Razer Unveils the Ultra-Lightweight DeathAdder V4 Pro Sony launches a high-resolution shotgun microphone with superior sound quality and compact design. Arctic announces New Liquid Freezer III Pro 280 and Pro 420 Silicon Power Launches Hypera microSDXC Express Card Samsung announces Watch8, Z Fold7 and Z Flip7

logo

  • Share Us
    • Facebook
    • Twitter
  • Home
  • Home
  • News
  • Reviews
  • Essays
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map

Search form

Microsoft and Partners Build Firmware Protection into Secured-core PCs

Microsoft and Partners Build Firmware Protection into Secured-core PCs

Enterprise & IT Oct 21,2019 0

To combat threats specifically targeted at the firmware and operating system levels, Microsoft announced a new initiative with its partners to design what they call Secured-core PCs.

These devices meet a specific set of device requirements that apply the security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system. These devices are designed for industries like financial services, government and healthcare, and for workers that handle highly-sensitive IP, customer or personal data, including PII as these are higher value targets for nation-state attackers.

In late 2018, security researchers discovered that hacking group, Strontium has been using firmware vulnerabilities to target systems in the wild with malware delivered through a firmware attack. As a result, the malicious code was hard to detect and difficult to remove – it could persist even across common cleanup procedures like an OS re-install or a hard drive replacement.

Firmware is used to initialize the hardware and other software on the device and has a higher level of access and privilege than the hypervisor and operating system kernel thereby making it an attractive target for attackers. Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised. Compounding the problem is the fact that endpoint protection and detection solutions have limited visibility at the firmware layer given that they run underneath of the operating system, making evasion easier for attackers going after firmware.

Secured-core PCs combine identity, virtualization, operating system, hardware and firmware protection to add another layer of security underneath the operating system. Unlike software-only security solutions, Secured-core PCs are designed to prevent these kinds of attacks rather than simply detecting them. Windows Defender System Guard and Secured-core PC devices are designed to provide the ecosystem of Windows 10 devices with uniform assurances around the integrity of the launched operating system and verifiable measurements of the operating system launch to help mitigate against threats taking aim at the firmware layer.

The built-in measurements can be used by SecOps and IT admins to remotely monitor the health of their systems using System Guard runtime attestation and implement a zero-trust network rooted in hardware.

Starting with Windows 8, Microsoft introduced Secure Boot to mitigate the risk posed by malicious bootloaders and rootkits that relied on Unified Extensible Firmware Interface (UEFI) firmware to only allow properly signed bootloaders like the Windows boot manager to execute. However, since firmware is already trusted to verify the bootloaders, Secure Boot on its own does not protect from threats that exploit vulnerabilities in the trusted firmware.

Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks. System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities that are built into the latest silicon from AMD, Intel, and Qualcomm to enable the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path. This mechanism helps limit the trust assigned to firmware and provides powerful mitigation against targeted threats against firmware. This capability also helps to protect the integrity of the virtualization-based security (VBS) functionality implemented by the hypervisor from firmware compromise. VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges. Protecting VBS is critical since it is used as a building block for important OS security capabilities like Windows Defender Credential Guard which protects against malware maliciously using OS credentials and Hypervisor-protected Code Integrity (HVCI) which ensures that a strict code integrity policy is enforced and that all kernel code is signed and verified.

Being able to measure that the device booted securely is another critical piece of this additional layer of protection from firmware compromise that gives admins added confidence that their endpoints are safe. That’s why Microsoft implemented Trusted Platform Module 2.0 (TPM) as one of the device requirements for Secured-core PCs. By using the Trusted Platform Module 2.0 (TPM) to measure the components that are used during the secure launch process, Microsoft help its customers enable zero trust networks using System Guard runtime attestation. Conditional access policies can be implemented based on the reports provided by the System Guard attestation client running in the isolated VBS environment.

In addition to the Secure Launch functionality, Windows implements additional safeguards that operate when the OS is running to monitor and restrict the functionality of potentially dangerous firmware functionality accessible through System Management Mode (SMM).

Beyond the hardware protection of firmware featured in Secured-core PCs, Microsoft recommends a defense-in-depth approach including security review of code, automatic updates, and attack surface reduction. Microsoft has provided an open-source firmware project called Project-Mu that PC manufactures can use as a starting point for secure firmware.

AMD said its upcoming Ryzen processors are Secured-core PC compatible.

Devices verified as Secured-core PC include those from Dell, Dynabook, HP, Lenovo and Panasonic.

Tags: MicrosoftCybersecuritySecured-core PCs
Previous Post
The First "Made in India" iPhones XRs Go On Sale
Next Post
Kingston Digital Introduces the Consumer-oriented KC600 and the Data Center 450R SSDs

Related Posts

  • Snapdragon X Series is the Exclusive Platform to Power the Next Generation of Windows PCs with Copilot+ Today

  • Activision Blizzard King to Team Xbox

  • NVIDIA Studio Lineup Adds RTX-Powered Microsoft Surface Laptop Studio 2

  • Samsung and Microsoft Unveil First On-Device Attestation Solution for Enterprise

  • Introducing Xbox Game Pass Core, Coming This September

  • Announcing the next wave of AI innovation with Microsoft Bing and Edge

  • Microsoft Announces Security Copilot AI

  • Microsoft breaks new ground in healthcare with the next evolution of AI

Latest News

Razer Unveils the Ultra-Lightweight DeathAdder V4 Pro
PC components

Razer Unveils the Ultra-Lightweight DeathAdder V4 Pro

Sony launches a high-resolution shotgun microphone with superior sound quality and compact design.
Cameras

Sony launches a high-resolution shotgun microphone with superior sound quality and compact design.

Arctic announces New Liquid Freezer III Pro 280 and Pro 420
Cooling Systems

Arctic announces New Liquid Freezer III Pro 280 and Pro 420

Silicon Power Launches Hypera microSDXC Express Card
Cameras

Silicon Power Launches Hypera microSDXC Express Card

Samsung announces Watch8, Z Fold7 and Z Flip7
Smartphones

Samsung announces Watch8, Z Fold7 and Z Flip7

Popular Reviews

be quiet! Light Loop 360mm

be quiet! Light Loop 360mm

be quiet! Dark Mount Keyboard

be quiet! Dark Mount Keyboard

be quiet! Light Mount Keyboard

be quiet! Light Mount Keyboard

Noctua NH-D15 G2

Noctua NH-D15 G2

Soundpeats Pop Clip

Soundpeats Pop Clip

be quiet! Light Base 600 LX

be quiet! Light Base 600 LX

Crucial T705 2TB NVME White

Crucial T705 2TB NVME White

be quiet! Pure Base 501

be quiet! Pure Base 501

Main menu

  • Home
  • News
  • Reviews
  • Essays
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map
  • About
  • Privacy
  • Contact Us
  • Promotional Opportunities @ CdrInfo.com
  • Advertise on out site
  • Submit your News to our site
  • RSS Feed