Firmware is the soft underbelly of Windows 10 security, but Microsoft has devised a plan to protect PCs from advanced persistent threat (APT) attackers who attempt to exploit vulnerabilities in firmware from Dell, HP and other OEMs across chipsets from Intel, AMD and Qualcomm.
Microsoft’s new “secured-core” project aims to deliver real-world protections against the very real threat posed by state-sponsored hacking groups like APT28 aka Fancy Bear, which was recently pegged for using the first known example of a Unified Extensible Firmware Interface (UEFI) rootkit to target Windows PCs.
The appeal of the firmware-level malware is that it will still remain on a system after a reboot, offering attackers a persistent presence on systems in the face of usual procedures to remove malware.
Microsoft’s technology will be of interest to any organization that could be targeted by APT28, who past victims include the Democratic National Committee (DNC) in 2016, and the World Anti-Doping Agency (WADA).
The company’s initiative attempts to bring to the diverse Windows hardware ecosystem what Apple delivers to the enterprise with its T2 security processor and Google has done in its Titan chip for Pixel smartphones.
But while Apple and Google can exercise control over their own hardware products — as Microsoft can with its Surface line of PCs — the firmware challenge is different for the diverse range of hardware that runs alongside the Windows operating system.
Interestingly, it’s Microsoft’s Xbox gaming console that has informed its new approach to hardware-level security and the defenses it wants to create for all Windows OEMs. Like Macbooks and Pixel hardware, the Xbox is vertically integrated technology that Microsoft controls.
“Google has done it with the Pixel and their Titan chip. The thing that makes Microsoft attractive to a lot of our customers is that they have a variety of hardware to choose from. And we don’t want to lose that. That’s part of the value of the Microsoft ecosystem,” David Weston, partner director of Windows security at Microsoft told CSO Online.
“We’ve done it on Xbox where we control the hardware and that’s similar to the Apple model and so how do we scale that out to deliver the same advanced security protections through hardware? And that’s where Microsoft is working with hardware and silicon providers to bring that. And we’re doing that across an enormous amount of devices,” he added.
The outcome is Windows Defender System Guard and Secured-core PC devices, which requires users have updated firmware, as well as configure the Windows 10 machines with the strictest security protections. But it does present security conscious organizations with a new option to lock down PCs with a high risk profile.
“The reason this is exciting is because we worked with the manufacturers to enable this. The really cool thing about this is that beyond performance and compatibility testing, they’re not only beautiful like the HP Dragonfly, but you don’t lose performance or have any user friction,” said Weston.
In other words, the user isn’t meant to notice these additional security measures, however security operations teams should be able to since they can, using System Guard, remotely monitor PCs and check for firmware attacks.
The key benefit is that the technology removes firmware from the boot process. It will be available with version 1909, the soon-to-be-released November 2019 Update. It will also only be available on new devices and there are no plans to update existing hardware. The first device that will ship with the technology is the Arm-based Surface Pro X tablet.
According to Microsoft, System Guard uses the “Dynamic Root of Trust for Measurement” (DRTM) in new silicon from AMD, Intel, and ARM to start hardware and then “re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path.”
The process mechanism restricts firmware and thus mitigates firmware-level attacks as well as protecting processes shielded by Microsoft’s virtualization-based security (VBS).
“VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges. Protecting VBS is critical since it is used as a building block for important OS security capabilities like Windows Defender Credential Guard which protects against malware maliciously using OS credentials and Hypervisor-protected Code Integrity (HVCI) which ensures that a strict code integrity policy is enforced and that all kernel code is signed and verified.”