Microsoft’s Secured-Core PC Feature Protects Critical Code
Credit to Author: Lily Hay Newman| Date: Mon, 21 Oct 2019 15:00:00 +0000
The “secured-core PC” feature for Windows looks to head off firmware hacks.
There are lots of ways to hack a PC. You can exploit software vulnerabilities. You can put malware on a USB drive and drop it in a parking lot for some unsuspecting office worker to pick up and plug in. Or you can turn an operating system's features against itself, strategically manipulating them to gain control. But an expanding threat now has Microsoft rethinking some of its most foundational PC defenses.
Today the company is announcing a new hardware and system architecture feature known as secured-core PC, aimed at addressing attacks against firmware—the foundational code that coordinates hardware and software. Firmware has long been a hacker target, in part because it's typically written by hardware manufacturers rather than operating system developers, and frequently lacks basic protections. Windows runs atop all different types of firmware across the assorted PCs it's installed on, each of which offers varying quality and security. So Microsoft has a new scheme that rearchitects how Windows PCs boot up to catch malicious firmware manipulations before they give attackers keys to the kingdom.
"A lot of badness happens if your firmware goes wonky. Our internal red team and external folks have really turned their eyes to this," says David Weston, director of operating system security at Microsoft. "Firmware runs at a privileged level. It’s the thing that boots up the machine—it plays a critical role. Yet firmware is not integrated into update systems like Windows Updates, and for enterprises their visibility into firmware is generally relatively limited. So it's highly privileged and there’s lots of opportunities for bugs."
When you're booting up a computer, you want the system to confirm that it's running genuine software and that the operating system hasn't been compromised. Microsoft already offers Windows Secure Boot, a feature that checks for cryptographic signatures to confirm software integrity. But those defenses rely on trusting the firmware to scope everything else out. "When the PC starts, the firmware checks the signature of each piece of boot software," Microsoft explains of Secure Boot. But what if the firmware is lying?
The idea of secured-core PC is to take firmware out of that equation, eliminating it as a link in the chain that determines what's trustworthy on a system. Instead of relying on firmware, Microsoft has worked with AMD, Intel, and Qualcomm to make new central processing unit chips that can run integrity checks during boot in a controlled, cryptographically verified way. Only the chip manufacturers will hold the encryption keys to broker these checks, and they're burned onto the CPUs during manufacturing rather than interacting with the firmware's amorphous, often unreliable code layer.
"It's rooted in the CPU and no longer in the firmware, because it still boots early," Weston says. "But if there's anything tampered with, the system code would identify this and shut everything down. So we're taking firmware and any potential compromise out of the circle of trust."
Microsoft already does something similar in Xbox, which is known to be a particularly secure ecosystem. And Cisco uses a type of chip called a Field Programmable Gate Array to implement its secure boot instead of firmware. In newer iPhones, Apple also uses special hardware checks set up in its custom-built, ARM-based chips to catch any funny business as soon as the processor gets power. But in all of those situations, the same company oversees development of both hardware and software, making those integrations more practical. With Windows, Microsoft can coordinate with chipmakers, it but doesn't manufacture the devices the operating system will ultimately run on.
The fact that secured-core PC requires special hardware means that it can't be added to existing Windows devices as a software update. But Microsoft says it will ship with the new Surface Pro X next month and that other models will eventually come out from Dell, Dynabook, HP, Lenovo, and Panasonic, mostly on high end and enterprise devices. Secured-core PCs will also have an identifying sticker, so that you know what you're getting the next time you buy.
Firmware insecurity has been an increasing area of concern over the last decade, and in the past few years real-world firmware attacks have begun to ramp up. The Russian-backed hacking group APT28—often known as Fancy Bear, and notorious for perpetrating the 2016 breach of the Democratic National Committee—was spotted using firmware-hacking malware in late 2018.
"We're taking firmware and any potential compromise out of the circle of trust."
David Weston
Weston thinks hackers have increasingly targeted firmware as better protections make basic attacks harder to pull off. In particular, Weston points to Microsofts's Virtualization-based Security, launched with Windows 10 in 2015. Similar to a so-called secure enclave, which uses either part of a computer's memory or an entire discrete chip to act as a sort of digital safe, VBS is a secure "virtual machine" that isolates a portion of memory for its own use. But a firmware vulnerability would let hackers circumvent VBS protections. Secured-core PC closes that loophole.
It's important to keep in mind, though, that the root of trust has to start somewhere. "If we look at the history of secure hardware, we’ve never actually made an example of a hardware protection that was infallible and implemented code by humans without any bugs and potential risks," says Ang Cui, founder of the embedded device security firm Red Balloon and a longtime firmware and hardware security hacker. "And there's a whole other universe of firmware in a PC beyond the CPU, like say in the Bluetooth chip set or the hard drive controller or whatever. There's lots of firmware to attack."
Secured-core PC may, for instance, put too much trust in chipmakers. Any mistakes implementing the scheme, or a hack that gives up encryption keys, could undermine the whole root of trust. And since the most secret components are hard-coded into the CPU, no software update could mitigate those potential problem. These hardware security scenarios have played out before; Red Balloon's research into undermining a secure enclave scheme known as the Cisco Trust Anchor is a recent example.
Microsoft's Weston says the company will welcome findings from researchers outside of the company on any bugs or issues with secured-core PC that Microsoft can fix. "We're never going to say it’s impossible that something could be compromised," he adds. "But we always want to drive the cost up, so it’s prohibitive for most adversaries."
Given the vast proliferation of Windows computers worldwide, it's certainly worth a shot.