Microsoft has announced a new effort to combat firmware- and operating-system-level attacks on personal computers, announcing partnerships to launch what it is calling 'Secured-core PCs.'
A computer is more than just hardware and software: Firmware, from the UEFI BIOS all the way to network and sound cards, is a vital part of the mix. It's also a risk: Firmware runs even before a device driver is loaded, and malicious firmware can take full control of a system without a software-based anti-malware package being any the wiser.
'Firmware is used to initialise the hardware and other software on the device and has a higher level of access and privilege than the hypervisor and operating system kernel thereby making it an attractive target for attackers,' Microsoft's David Weston explains. 'Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised. Compounding the problem is the fact that endpoint protection and detection solutions have limited visibility at the firmware layer given that they run underneath of the operating system, making evasion easier for attackers going after firmware.'
The solution: A set of requirements which aim to prevent, rather than just detect, firmware-based attacks. 'Our investments in Windows Defender System Guard and Secured-core PC devices are designed to provide the rich ecosystem of Windows 10 devices with uniform assurances around the integrity of the launched operating system and verifiable measurements of the operating system launch to help mitigate against threats taking aim at the firmware layer,' Weston claims. 'These requirements enable customers to boot securely, protect the device from firmware vulnerabilities, shield the operating system from attacks, prevent unauthorised access to devices and data, and ensure that identity and domain credentials are protected.'
A Secured-core PC, Microsoft explains, is one which includes three layers of protection: Basic integrity protection, in the form of secure boot, Trusted Platform Module (TPM), and BitLocker data encryption functionality; protection from kernel attacks, in the form of virtualisation-based security (VBS), hypervisor-protected code integrity (HVCI), and protections against direct memory access to kernel memory; and protection from firmware attacks, including the new System Guard Secure Launch and System Guard System Management Mode (SMM) protections - both making use of secure enclaves built into processors from AMD, Intel, and Qualcomm.
'Our ecosystem partnerships have enabled us to add this additional layer of security in devices that are designed for highly-targeted industries and end-users who handle mission-critical data in some of the most data-sensitive industries like government, financial services, and healthcare, right-out-of-the-box,' adds Weston. 'These innovations build on the value of Windows 10 Pro that comes with built-in protections like firewall, secure boot, and file-level information-loss protection which are standard on every device.'
Not all PCs will be Secured-core PCs, however: Microsoft has announced that selected machines from Dell, Dynabook (Toshiba as-was), HP, Lenovo, and Panasonic will bear the mark, as will its own Surface family. More information is available on the Secured-core PC landing page.
September 17 2021 | 10:20