Secured-core PCs offer new defense against firmware attacks

Remigio Civitarese
October 22, 2019

In an effort to protect users against firmware-level threats, Microsoft has announced a new initiative that the software giant has been working on with its partners to create Secured-core PCs.

The idea of a Secured-core PC is to take firmware out of the equation, eliminating it as a link in the chain that determines what's trustworthy on a system. Microsoft already offers Windows Secure Boot, a feature that checks for cryptographic signatures to confirm software integrity. The company specifically calls out the Russia-based APT28 group (aka FancyBear, Strontium) for using firmware attacks that can reside on a device even if a user reinstalls Windows or installs a new hard drive. A Secured-core PC enables you to boot securely, protect your device from firmware vulnerabilities, shield the operating system from attacks and prevent unauthorized access to devices and data with advanced access controls and authentication systems.

Microsoft's solution is to use new PC processors from AMD, Intel and Qualcomm to essentially strip the firmware out of the boot-up process, according to partner director for OS security David Weston. Cisco, for its part, uses a type of chip called a Field Programmable Gate Array to implement its secure boot instead of firmware. Unsurprisingly, Secured-core PCs aren't being targeted at normal consumers, but at enterprise customers and individuals who need to make sure that their systems stay secure at all costs. The initiative complements Microsoft's virtualization-based security (VBS), a kernel protection that debuted in Windows 10 back in 2015 and helps protect the hypervisor. The onboard CPU will also authenticate and measure the security of the computer's firmware, with the measurement then stored in a security module on the chip, AMD said in today's announcement.

The appeal of firmware-level malware is that it remains on a system after a reboot, offering attackers a persistent presence in the face of the usual procedures for removing malware. This is possible because the firmware has direct access to the hardware on your system and has priority access over the operating system. The SL then validates the platform configuration details by querying the hardware to get data from the DRTM Service. Secured-core PCs are also meant for workers who handle highly sensitive IP, customer, or personal data, which make them higher-value targets for nation-state attackers. System Guard Secure Launch supports paging protection to block undesired access to memory and a supervisor SMI handler that oversees SMM to protect its address space. Once that's done, the operating system's hypervisor will take over to ensure the code that's running in the OS kernel is legitimate.
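To see which of the protections named above are actually active on a given Windows machine, the following added example (not from the article or from Microsoft) queries Secure Boot, VBS and System Guard Secure Launch state. `Get-SecuredCoreStatus` is a hypothetical helper name; the numeric codes are those Microsoft documents for the `Win32_DeviceGuard` class.

```powershell
# Added example: report the state of Secure Boot, VBS and System Guard Secure Launch.
# Get-SecuredCoreStatus is a hypothetical name. Run from an elevated PowerShell prompt.
function Get-SecuredCoreStatus {
    # Code-to-name maps as documented for the Win32_DeviceGuard class.
    $services = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
                   3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines or without elevation,
    # so a failure is reported instead of aborting the whole check.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = 'Unsupported or access denied' }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    # Distinguish "policy set but not active" from "active": a service that is
    # configured yet not running usually means the hardware or firmware lacks support.
    $state = {
        param($id)
        if     ($running    -contains $id) { 'Running' }
        elseif ($configured -contains $id) { 'Configured, not running' }
        else                               { 'Off' }
    }

    [pscustomobject]@{
        SecureBoot             = $secureBoot
        VBS                    = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        SecureLaunch           = & $state 3
        SmmFirmwareMeasurement = & $state 4
        MemoryIntegrity        = & $state 2
        RunningServices        = ($running |
            Where-Object   { $services.ContainsKey([int]$_) } |
            ForEach-Object { $services[[int]$_] }) -join ', '
    }
}

Get-SecuredCoreStatus | Format-List
```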

But while Apple and Google can exercise control over their own hardware products - as Microsoft can with its Surface line of PCs - the firmware challenge is different for the diverse range of hardware that runs alongside the Windows operating system. "We recommend a defense-in-depth approach including security review of code, automatic updates, and attack surface reduction."

Microsoft said that the new requirements are based on the principles of minimal trust in PC firmware.
