Microsoft Invests in Securing Device Firmware

Microsoft is working with PC manufacturing and silicon partners to design devices with a more secure firmware layer.

The initiative aims to combat threats that are specifically targeting the firmware and operating system levels with the help of Secured-core PCs, devices that apply security best practices to firmware.

These devices, the technology giant explains, have been designed for industries such as financial services, government, and healthcare, as well as for workers who handle highly sensitive IP, customer or personal data.

Such data is of high value to nation-state attackers, and the Russian-linked hacking group Strontium has already been observed using firmware vulnerabilities in their attacks, thus making the malicious code hard to detect and difficult to remove.

The firmware, which initializes the hardware and other software on the device, has a higher level of access and privilege compared to the hypervisor and operating system kernel.

“Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised,” Microsoft notes.

On top of that, endpoint protection and detection solutions have limited visibility into the firmware, which makes evasion easier for attackers targeting this layer.

Secured-core PCs, the tech giant claims, can prevent such attacks because they combine identity, virtualization, operating system, hardware, and firmware protection. Thus, devices can boot securely and are protected from firmware vulnerabilities, and both the operating system and data are protected.

Furthermore, SecOps and IT admins can leverage the built-in mechanism to remotely monitor system health and implement a zero-trust network rooted in hardware.

The first step Microsoft took to secure firmware was the introduction of Secure Boot in Windows 8, to mitigate risks such as malicious bootloaders and rootkits. However, Secure Boot cannot protect against threats that target vulnerabilities in the trusted firmware itself.

“Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks,” Microsoft explains.

System Guard leverages Dynamic Root of Trust for Measurement (DRTM) capabilities found in the latest silicon from AMD, Intel, and Qualcomm to ensure the system re-initializes into a trusted state, limiting the trust assigned to firmware and delivering mitigation against threats targeting it.

The capability also aims to protect the integrity of the virtualization-based security (VBS) functionality of the hypervisor from firmware compromise.

“VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges,” Microsoft says.

Secured-core PCs also come with Trusted Platform Module 2.0 (TPM), which measures the components used during secure launch, thus helping customers enable zero trust networks with System Guard runtime attestation.
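
The measure-and-attest flow described above, as an added example (not Microsoft's code and not part of the original article). It is a simplified single-PCR model that assumes the TPM 2.0 PC platform behaviour in which PCR 17 holds all 0xFF until a DRTM launch resets it to zero; component names and contents are constructed, and a real verifier would also check the TPM's signature over the quote.

```python
import hashlib

# Simplified model of one DRTM PCR (PCR 17, SHA-256 bank).
DRTM_RESET = b"\x00" * 32   # value right after a successful dynamic launch
NO_DRTM = b"\xff" * 32      # value at TPM startup if no dynamic launch ran


def measure(component: bytes) -> bytes:
    """Digest of a launch component, as recorded in the event log."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log, start=DRTM_RESET) -> bytes:
    """Recompute the PCR from (name, digest) event log entries."""
    pcr = start
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def boot(components: dict, start=DRTM_RESET):
    """Simulate a launch; returns (final PCR value, event log)."""
    log = [(name, measure(blob)) for name, blob in components.items()]
    return replay(log, start), log


def verify(quoted_pcr: bytes, event_log, known_good: dict) -> list:
    """Verifier side: an empty list of findings means the launch is trusted."""
    findings = []
    # The log must reproduce the quoted PCR, starting from the DRTM reset value.
    if replay(event_log) != quoted_pcr:
        findings.append("event log does not reproduce the quoted PCR")
    # Every logged measurement must match a known-good reference digest.
    for name, digest in event_log:
        if known_good.get(name) != digest:
            findings.append(f"unexpected measurement for {name}")
    return findings


# Constructed sample data: names and contents are made up for illustration.
GOOD = {"secure-launch-loader": b"loader v1", "hypervisor": b"hv v1"}
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD.items()}
TAMPERED = dict(GOOD, hypervisor=b"hv v1 + implant")
```

A modified component shows up either as an unexpected log entry or, if the log is forged to look clean, as a replay that no longer matches the quoted PCR; a boot that never performed the dynamic launch fails the replay check as well.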

The capabilities of Secured-core PCs should be complemented with a defense-in-depth approach that includes security review of code, automatic updates, and attack surface reduction.

Additional information on devices that are verified Secured-core PCs, such as those from Dell, Dynabook, HP, Lenovo, Panasonic, and Surface, can be found on this page.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
