Microsoft Invests in Securing Device Firmware

Microsoft is working with PC manufacturing and silicon partners to design devices with a more secure firmware layer.

The initiative aims to combat threats that are specifically targeting the firmware and operating system levels with the help of Secured-core PCs, devices that apply security best practices to firmware.

These devices, the technology giant explains, have been designed for industries such as financial services, government, and healthcare, as well as for those workers who handle highly-sensitive IP, customer or personal data.

Such data is of high value to nation-state attackers, and the Russian-linked hacking group Strontium has already been observed exploiting firmware vulnerabilities in its attacks, which makes the malicious code hard to detect and difficult to remove.

The firmware, which initializes the hardware and other software on the device, has a higher level of access and privilege compared to the hypervisor and operating system kernel.

“Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised,” Microsoft notes.

On top of that, endpoint protection and detection solutions have limited visibility into the firmware, which makes evasion easier for attackers targeting this layer.

Secured-core PCs, the tech giant claims, can prevent such attacks because they combine identity, virtualization, operating system, hardware, and firmware protection. Thus, devices can boot securely and are protected from firmware vulnerabilities, and both the operating system and data are protected.

Furthermore, SecOps and IT admins can leverage the built-in mechanism to remotely monitor system health and implement a zero-trust network rooted in hardware.

The first step Microsoft took to secure firmware was the introduction of Secure Boot in Windows 8, to mitigate risks from malicious bootloaders and rootkits. However, Secure Boot cannot protect against threats that target vulnerabilities in the firmware it trusts.

“Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks,” Microsoft explains.

System Guard leverages Dynamic Root of Trust for Measurement (DRTM) capabilities found in the latest silicon from AMD, Intel, and Qualcomm to ensure the system re-initializes into a trusted state, limiting the trust assigned to firmware and delivering mitigation against threats targeting it.

The capability also aims to protect the integrity of the virtualization-based security (VBS) functionality of the hypervisor from firmware compromise.

“VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges,” Microsoft says.

Secured-core PCs also come with Trusted Platform Module 2.0 (TPM), which measures the components used during secure launch, thus helping customers enable zero trust networks with System Guard runtime attestation.
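The two paragraphs above describe a measurement chain (DRTM re-initializes into a trusted state, the TPM records each launch component) and a verifier that consumes it (runtime attestation). The following Python model, added here as an illustration and not Microsoft's System Guard code, shows the mechanics a defender relies on: the one-way PCR extend operation, replay of an event log to reproduce a quoted PCR, and comparison against a known-good value. The stage names, component bytes and the all-zero starting PCR are constructed for the example; a real deployment would use TPM quotes signed by an attestation key and golden values published for the device model.

```python
import hashlib
import hmac

# Constructed model of TPM 2.0 PCR measurement plus a remote-attestation check.
# This is not Microsoft's System Guard or TPM code; names and bytes are made up.

DIGEST_LEN = 32
PCR_INIT = bytes(DIGEST_LEN)  # model assumption: a freshly reset PCR is all zeros


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(component)).

    Extend is one-way and order-sensitive, so a later stage cannot erase or
    reorder an earlier measurement; it can only add its own.
    """
    return sha256(pcr + sha256(component))


def measure_chain(event_log: list[tuple[str, bytes]]) -> bytes:
    """Replay an ordered log of (stage name, component bytes) into one PCR."""
    pcr = PCR_INIT
    for _name, component in event_log:
        pcr = pcr_extend(pcr, component)
    return pcr


def verify_attestation(reported_pcr: bytes,
                       event_log: list[tuple[str, bytes]],
                       golden_pcr: bytes) -> dict:
    """Verifier side of attestation.

    Two independent checks: the submitted log must reproduce the PCR value
    the TPM quoted (otherwise the log is lying), and that PCR must equal the
    known-good value for this device model (otherwise a component changed).
    """
    replayed = measure_chain(event_log)
    log_consistent = hmac.compare_digest(replayed, reported_pcr)
    matches_golden = hmac.compare_digest(reported_pcr, golden_pcr)
    return {
        "log_consistent": log_consistent,
        "matches_golden": matches_golden,
        "healthy": log_consistent and matches_golden,
    }


# Constructed sample of what a secure launch measures, in order.
GOOD_LAUNCH = [
    ("drtm-launch-code", b"constructed: silicon vendor launch module v1"),
    ("hypervisor-loader", b"constructed: hvloader build 1234"),
    ("hypervisor", b"constructed: hypervisor image"),
    ("vbs-secure-kernel", b"constructed: secure kernel image"),
]
GOLDEN_PCR = measure_chain(GOOD_LAUNCH)

# Same stage names, but the hypervisor loader bytes differ (constructed).
TAMPERED_LAUNCH = [
    (name, b"constructed: hvloader build 1234 (modified)" if name == "hypervisor-loader" else comp)
    for name, comp in GOOD_LAUNCH
]


def demo() -> tuple[dict, dict, dict]:
    """Three verifier outcomes: healthy device, a log that omits the change,
    and a truthful log for a changed component."""
    healthy = verify_attestation(measure_chain(GOOD_LAUNCH), GOOD_LAUNCH, GOLDEN_PCR)
    # The TPM quote reflects the modified loader, but the submitted log is the
    # unmodified one: replay does not reproduce the quote, so the log is rejected.
    log_mismatch = verify_attestation(measure_chain(TAMPERED_LAUNCH), GOOD_LAUNCH, GOLDEN_PCR)
    # Truthful log for the modified loader: replay matches the quote, but the
    # PCR no longer equals the golden value, so the device is not trusted.
    changed_component = verify_attestation(measure_chain(TAMPERED_LAUNCH), TAMPERED_LAUNCH, GOLDEN_PCR)
    return healthy, log_mismatch, changed_component


if __name__ == "__main__":
    for label, result in zip(("healthy", "log_mismatch", "changed_component"), demo()):
        print(f"{label}: {result}")
```

The point of the two-check structure is that the signed PCR value, not the log, is the root of trust: a log can be edited by whatever runs after the launch, but the extend chain inside the TPM cannot be rewound, which is why the model keys "healthy" on both checks passing.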

The capabilities of Secured-core PCs should be complemented with a defense-in-depth approach that includes security review of code, automatic updates, and attack surface reduction.

Additional information on devices that are verified Secured-core PCs, such as those from Dell, Dynabook, HP, Lenovo, Panasonic, and Surface, can be found on this page.

Related: CrowdStrike Endpoint Security Platform Now Detects Firmware Attacks

Related: New Firmware Flaws Resurrect Cold Boot Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
