Microsoft debuts hardware-rooted security for foiling firmware attacks

Microsoft partnered with mainstream chip and computer makers to deliver hardware protection of firmware right out of the box: the so-called Secured-core PCs are aimed at foiling attackers who rely on exploiting firmware vulnerabilities to surreptitiously gain access to computer systems.

Firmware is an attractive target

Attackers are always looking for new and easier ways to compromise target systems, as well as ways to keep that compromise concealed from the system owners for as long as possible.

“Firmware is used to initialize the hardware and other software on the device and has a higher level of access and privilege than the hypervisor and operating system kernel thereby making it an attractive target for attackers,” David Weston, MSFT Director of OS Security, explained.

“Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised. Compounding the problem is the fact that endpoint protection and detection solutions have limited visibility at the firmware layer given that they run underneath of the operating system, making evasion easier for attackers going after firmware.”

Protections implemented in Secured-core PCs

The new Secured-core PCs – developed and sold by Lenovo, Panasonic, Dell, HP, Dynabook and Microsoft – include protections against firmware and kernel attacks, as well as basic integrity protections such as Secure Boot (makes sure that a device boots using only software that is trusted by the OEM), Trusted Platform Module 2.0 (hardware-based, security-related functions) and BitLocker (drive encryption).

The firmware protections provided include System Guard Secure Launch and System Guard SMM protections.

“System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities that are built into the latest silicon from AMD, Intel, and Qualcomm to enable the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path,” Weston explained.

This not only limits the trust assigned to firmware but also helps to protect the integrity of the virtualization-based security (VBS) functionality implemented by the hypervisor from firmware compromise.

“Protecting VBS is critical since it is used as a building block for important OS security capabilities like Windows Defender Credential Guard which protects against malware maliciously using OS credentials and Hypervisor-protected Code Integrity (HVCI) which ensures that a strict code integrity policy is enforced and that all kernel code is signed and verified,” he pointed out.

When Windows is running, System Guard SMM protections monitor and restrict the functionality of potentially dangerous firmware functionality accessible through System Management Mode (SMM).

Microsoft says Secured-core PCs are ideal for companies in the financial services, government and healthcare industries and, in general, for workers that handle data that’s attractive to nation-state attackers (sensitive company data, intellectual property, customer or personal data).