Microsoft Brings Zero Trust to Hardware in Windows 11

Microsoft released a big PDF on Tuesday detailing new security-focused features in Windows 11, with a focus on zero-trust support.

For a few years now, Microsoft, Google, and Amazon have been working with the US federal government to improve cybersecurity through zero trust, among other techniques. It’s no coincidence that these are the big three cloud service providers, of course; they are in the best position to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security down the stack where its cloud rivals can’t follow: firmware.

Hardware security under attack

Although network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Firmware flaws in processors, printers, and other hardware can open the door to a corporate network. Malware such as TrickBot, MoonBounce, and LoJax that lodges itself in firmware is hard to dislodge.

“These new threats require hardware that is secure to the core, including hardware chips and processors that store sensitive business information,” Microsoft said in the new report. “With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone.” Besides the added strength of the protection, Microsoft is touting lower overhead from hardware-based protection compared to running the same checks in software.

The basis of embedded hardware security is a partnership between hardware root of trust and silicon-assisted security.

Root of Trust Hardware

The hardware root of trust is, by definition, “a starting point that is implicitly trusted.” In a PC, it is the component that checks the BIOS code to make sure it is legitimate before booting. Anyone who has had to remove malware from a machine with an infected BIOS knows how vital this is.

New security measures include storing sensitive data such as cryptographic keys and user credentials in a separate secure area, isolated from the operating system. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip on new and upgraded Windows 11 machines. The company had already required TPM 2.0 on all new Windows 10 machines, but the latest version of Windows won’t run at all if the PC lacks a TPM 2.0 security chip.

“With hardware-based isolation security that begins at the chip level, Windows 11 stores sensitive data behind additional barriers separate from the operating system,” Microsoft writes in its new report. “As a result, information, including encryption keys and user credentials, is protected against unauthorized access and tampering.”

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. Although Pluton is not brand new (it was unveiled in November 2020), integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and a discrete TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

Silicon-Assisted Security

Silicon-assisted security measures in Windows 11 begin with a secure kernel created using virtualization-based security (VBS). “The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory,” Microsoft wrote. “Even if malware gains access to the main core of the operating system, the hypervisor and virtualization hardware help prevent malware from executing unauthorized code or gaining access to platform secrets within the VBS environment.”

Hypervisor-Protected Code Integrity (HVCI) uses VBS to check the validity of kernel code inside the secure VBS environment rather than in the main Windows kernel. This check, known as Kernel Mode Code Integrity (KMCI), fends off attempts to modify drivers and other kernel-mode code: KMCI verifies that all kernel code is properly signed and has not been modified before allowing it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

Another layer of protection against attacks such as memory corruption and zero-day exploits comes from hardware-enforced stack protection. “Based on Intel’s Control-flow Enforcement Technology (CET) and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that attempt to hijack return addresses on the stack,” Microsoft explained. To do this, the operating system creates a “shadow stack”, separate from the regular stack, that holds only return addresses; a return whose address no longer matches the shadow copy is stopped.
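The following is an added illustration of the shadow-stack idea described above; it is not code from Microsoft’s report or from any CET implementation. It models, in pure Python, a data stack that buggy code can overwrite and a second, shadow stack that only the call and return operations touch. The addresses, buffer size, and the `ControlFlowViolation` exception are constructed for the example.

```python
import struct


class ControlFlowViolation(Exception):
    """Stands in for the control-protection fault the CPU raises on a mismatch."""


class StackMachine:
    """Toy model, not a CPU emulator: a data stack whose frames hold a local
    buffer and the saved return address, plus a shadow stack of return
    addresses that ordinary stores cannot reach."""

    def __init__(self, shadow_stack_enabled: bool):
        self.shadow_stack_enabled = shadow_stack_enabled
        self.data_stack = []    # frames: {"ret": int, "buf": bytearray}
        self.shadow_stack = []  # return addresses only

    def call(self, return_addr: int, buf_size: int) -> None:
        # CALL saves the return address in the new frame; with shadow stacks
        # enabled the hardware also pushes a copy onto the shadow stack.
        self.data_stack.append({"ret": return_addr, "buf": bytearray(buf_size)})
        if self.shadow_stack_enabled:
            self.shadow_stack.append(return_addr)

    def store_local(self, data: bytes) -> None:
        # An unchecked copy into the frame's buffer: bytes beyond the buffer
        # spill into the saved return address slot, the classic corruption
        # the page describes as "hijacking return addresses on the stack".
        frame = self.data_stack[-1]
        size = len(frame["buf"])
        frame["buf"][:] = data[:size].ljust(size, b"\0")
        spill = data[size:size + 8]
        if spill:
            frame["ret"] = struct.unpack("<Q", spill.ljust(8, b"\0"))[0]

    def ret(self) -> int:
        # RET pops the data-stack copy; with shadow stacks enabled it also pops
        # the shadow copy and faults if the two disagree, before any transfer.
        target = self.data_stack.pop()["ret"]
        if self.shadow_stack_enabled:
            expected = self.shadow_stack.pop()
            if target != expected:
                raise ControlFlowViolation(
                    f"RET to {target:#x}, shadow stack holds {expected:#x}")
        return target


LEGIT_RETURN = 0x401000        # constructed: the caller's next instruction
DIVERTED = 0x7FFF_DEAD_0000    # constructed: where a corrupted return would go


def run(data: bytes, cet: bool) -> str:
    """One call, one buggy copy of `data` into a 16-byte local, one return.
    Returns where control went, or 'fault' if the shadow stack stopped it."""
    m = StackMachine(shadow_stack_enabled=cet)
    m.call(LEGIT_RETURN, buf_size=16)
    m.store_local(data)
    try:
        return f"returned to {m.ret():#x}"
    except ControlFlowViolation:
        return "fault"


if __name__ == "__main__":
    oversized = b"A" * 16 + struct.pack("<Q", DIVERTED)
    for label, data in (("normal input", b"hello"), ("oversized input", oversized)):
        print(f"{label:16} without CET: {run(data, cet=False)}")
        print(f"{label:16} with CET:    {run(data, cet=True)}")
```

The point the model makes is the one in the quoted text: the corruption itself is not prevented, but the mismatch between the two copies of the return address is detected at the return instruction, before control transfers, so the program is terminated rather than diverted.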

To protect against physical attacks in which an intruder surreptitiously installs malware through a plugged-in device, Microsoft’s line of Secured-core PCs will only run executables signed by “known and trusted authorities” and will prevent external devices from accessing memory without permission.

Even greater firmware protection comes from Windows 11’s universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), that can be used to verify whether boot subversion has been attempted.

UEFI isn’t unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM), which checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use firmware attack surface reduction instead of DRTM.
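The "boot audit log" mentioned above is only useful because of how a TPM records measurements: each measured object is hashed, and the hash is folded into a Platform Configuration Register (PCR) with the extend operation, new = SHA-256(old || digest), which cannot be rewound by software. A verifier replays the log and compares the result with the PCR values the TPM reports. The example below is added here to show that replay; it is not code from Microsoft or from a TPM library. The boot events, their contents, and the PCR assignments are constructed, `simulate_tpm` stands in for the chip's own registers, and the signature on a real TPM quote is omitted.

```python
import hashlib
from dataclasses import dataclass

# A SHA-256 PCR bank starts as 32 zero bytes at platform reset.
PCR_INIT = bytes(32)


@dataclass(frozen=True)
class BootEvent:
    pcr: int          # PCR index the measurement was extended into
    description: str  # constructed label for what was measured
    data: bytes       # the measured object itself (constructed, not real firmware)


def measure(data: bytes) -> bytes:
    """Digest written into the event log: SHA-256 of the measured object."""
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR_Extend for a SHA-256 bank: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay_log(events) -> dict:
    """Recompute every PCR from the event log alone, as a verifier does."""
    pcrs = {}
    for ev in events:
        pcrs[ev.pcr] = extend(pcrs.get(ev.pcr, PCR_INIT), measure(ev.data))
    return pcrs


def simulate_tpm(actually_booted) -> dict:
    """Stand-in for the TPM's own PCRs (what a quote would report): the chip
    extends whatever really ran, and software cannot reset or rewrite it."""
    return replay_log(actually_booted)


def verify_boot(log, quoted_pcrs, reference_pcrs):
    """The two checks a verifier makes on a quote plus its event log.
    Returns (log_mismatches, policy_mismatches) as lists of PCR indices:
      - log integrity: replaying the log must reproduce the quoted PCRs;
      - policy: the quoted PCRs must equal the known-good reference values."""
    replayed = replay_log(log)
    log_bad = sorted(i for i in quoted_pcrs if replayed.get(i) != quoted_pcrs[i])
    policy_bad = sorted(i for i in reference_pcrs
                        if quoted_pcrs.get(i) != reference_pcrs[i])
    return log_bad, policy_bad


# Constructed boot sequence. PCR usage (0 firmware, 7 Secure Boot policy,
# 4 boot manager) follows the TCG PC Client convention; the bytes are made up.
GOOD_BOOT = [
    BootEvent(0, "firmware volume", b"uefi-core-image-v1"),
    BootEvent(7, "Secure Boot policy", b"SecureBoot=1;PK=oem;db=ms-uefi-ca"),
    BootEvent(4, "boot manager", b"bootmgfw.efi-signed"),
]
# Same machine, but a bootkit replaced the boot manager that actually ran.
BOOTKIT_BOOT = GOOD_BOOT[:2] + [BootEvent(4, "boot manager", b"bootmgfw.efi-bootkit")]

# Golden values enrolled while the machine was known to be clean.
REFERENCE_PCRS = replay_log(GOOD_BOOT)

if __name__ == "__main__":
    print("clean boot:     ", verify_boot(GOOD_BOOT, simulate_tpm(GOOD_BOOT), REFERENCE_PCRS))
    # The attacker hands over the clean log to hide the bootkit: the TPM's
    # PCR 4 no longer agrees with the replay, so the log is rejected.
    print("forged log:     ", verify_boot(GOOD_BOOT, simulate_tpm(BOOTKIT_BOOT), REFERENCE_PCRS))
    # Honest log of a bootkit boot: replay matches the TPM, but PCR 4 fails policy.
    print("honest bad boot:", verify_boot(BOOTKIT_BOOT, simulate_tpm(BOOTKIT_BOOT), REFERENCE_PCRS))
```

Two properties carry the whole scheme: the extend chain is order-sensitive and one-way, so a tampered or trimmed log cannot be made to replay to the chip's value, and the chip's value can only be compared against a reference that was enrolled while the machine was known good. On Windows the binary TCG logs that a verifier would replay are written under the system's `Logs\MeasuredBoot` directory; the sample events above are constructed and not parsed from that format.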

Silicon-assisted security is part of the Pro, Pro for Workstations, Enterprise, Pro Education, and Education editions of Windows 11. Home editions will have some of these protections, but not the full list. See Microsoft’s website for a comparison.
