There are lots of ways to hack a PC. You can exploit software vulnerabilities. You can put malware on a USB drive and drop it in a parking lot for some unsuspecting office worker to pick up and plug in. Or you can turn an operating system’s features against itself, strategically manipulating them to gain control. But an expanding threat now has Microsoft rethinking some of its most foundational PC defenses.
Today the company is announcing a new hardware and system architecture feature known as secured-core PC, aimed at addressing attacks against firmware, the foundational code that coordinates hardware and software. Firmware has long been a hacker target, in part because it’s typically written by hardware manufacturers rather than operating system developers, and frequently lacks basic protections. Windows runs atop all different types of firmware across the assorted PCs it’s installed on, each of which offers varying quality and security. So Microsoft has a new scheme that rearchitects how Windows PCs boot up to catch malicious firmware manipulations before they give attackers keys to the kingdom.
“A lot of badness happens if your firmware goes wonky. Our internal red team and external folks have really turned their eyes to this,” says David Weston, director of operating system security at Microsoft. “Firmware runs at a privileged level. It’s the thing that boots up the machine—it plays a critical role. Yet firmware is not integrated into update systems like Windows Updates, and for enterprises their visibility into firmware is generally relatively limited. So it’s highly privileged and there’s lots of opportunities for bugs.”
When you’re booting up a computer, you want the system to confirm that it’s running genuine software and that the operating system hasn’t been compromised. Microsoft already offers Windows Secure Boot, a feature that checks for cryptographic signatures to confirm software integrity. But those defenses rely on trusting the firmware to scope everything else out. “When the PC starts, the firmware checks the signature of each piece of boot software,” Microsoft explains of Secure Boot. But what if the firmware is lying?
Core Competence
The idea of secured-core PC is to take firmware out of that equation, eliminating it as a link in the chain that determines what’s trustworthy on a system. Instead of relying on firmware, Microsoft has worked with AMD, Intel, and Qualcomm to make new central processing unit chips that can run integrity checks during boot in a controlled, cryptographically verified way. Only the chip manufacturers will hold the cryptographic keys that anchor these checks, and the keys are burned into the chips during manufacturing rather than living in the firmware’s amorphous, often unreliable code layer.
“It’s rooted in the CPU and no longer in the firmware, because it still boots early,” Weston says. “But if there’s anything tampered with, the system code would identify this and shut everything down. So we’re taking firmware and any potential compromise out of the circle of trust.”
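The two boot models the article contrasts, as an added illustrative simulation that is not Microsoft's code and not the real secured-core or Secure Boot implementation: a firmware-rooted chain in which the firmware is the verifier (so firmware that lies cannot be caught downstream), beside a CPU-rooted chain in which the silicon records a measurement of every stage, firmware included, in a register that can only be extended. The component bytes, the OEM key and the HMAC stand-in for a real asymmetric signature are all constructed assumptions; real Secure Boot verifies signatures against keys in the UEFI databases and real measured boot uses a TPM.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for the real boot components; the bytes are arbitrary.
GENUINE_FIRMWARE = b"UEFI firmware build 1.0 (constructed sample)"
GENUINE_BOOTLOADER = b"bootmgfw.efi (constructed sample)"
GENUINE_KERNEL = b"ntoskrnl.exe (constructed sample)"

TAMPERED_FIRMWARE = GENUINE_FIRMWARE + b" + implanted hook"
TAMPERED_BOOTLOADER = GENUINE_BOOTLOADER + b" + persistence stub"

# Hypothetical OEM signing key. Real Secure Boot uses asymmetric signatures;
# an HMAC stands in so the model runs offline with the standard library only.
OEM_KEY = b"hypothetical-oem-signing-key"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(blob: bytes) -> bytes:
    """Stand-in for the signature the OEM ships alongside each boot image."""
    return hmac.new(OEM_KEY, blob, hashlib.sha256).digest()


def verify(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(blob), sig)


@dataclass
class Pcr:
    """A TPM-style Platform Configuration Register.

    It can only be extended, never written directly, so code that runs after a
    measurement cannot erase or rewrite the record of what was measured.
    """
    value: bytes = b"\x00" * 32
    log: list = field(default_factory=list)

    def extend(self, label: str, blob: bytes) -> None:
        digest = sha256(blob)
        self.value = sha256(self.value + digest)
        self.log.append((label, digest.hex()))


def firmware_rooted_boot(firmware: bytes, bootloader: bytes, kernel: bytes) -> dict:
    """Secure Boot as the article describes it: the firmware is the verifier.

    Honest firmware checks the bootloader's signature, then the kernel's.
    Tampered firmware in this model skips the checks and reports success
    anyway; nothing later in the chain can tell the difference.
    """
    if firmware == GENUINE_FIRMWARE:
        bootloader_ok = verify(bootloader, sign(GENUINE_BOOTLOADER))
        kernel_ok = bootloader_ok and verify(kernel, sign(GENUINE_KERNEL))
        reported_ok = bootloader_ok and kernel_ok
    else:
        reported_ok = True  # the "lying firmware" case from the article
    actually_genuine = (firmware, bootloader, kernel) == (
        GENUINE_FIRMWARE, GENUINE_BOOTLOADER, GENUINE_KERNEL)
    return {"reported_ok": reported_ok, "actually_genuine": actually_genuine}


def cpu_rooted_boot(firmware: bytes, bootloader: bytes, kernel: bytes) -> Pcr:
    """The secured-core idea: the CPU, not the firmware, records what ran.

    Each stage is measured by the silicon before it executes, so tampered
    firmware is itself captured in the record rather than trusted to produce it.
    """
    pcr = Pcr()
    pcr.extend("firmware", firmware)
    pcr.extend("bootloader", bootloader)
    pcr.extend("kernel", kernel)
    return pcr


def expected_pcr() -> bytes:
    """Golden value for the known-good chain, computed offline by the vendor."""
    return cpu_rooted_boot(GENUINE_FIRMWARE, GENUINE_BOOTLOADER, GENUINE_KERNEL).value


def attest(pcr: Pcr) -> bool:
    """What the OS or an attestation service checks once the system is up."""
    return hmac.compare_digest(pcr.value, expected_pcr())


if __name__ == "__main__":
    for name, fw, bl in (("genuine", GENUINE_FIRMWARE, GENUINE_BOOTLOADER),
                         ("tampered", TAMPERED_FIRMWARE, TAMPERED_BOOTLOADER)):
        fw_view = firmware_rooted_boot(fw, bl, GENUINE_KERNEL)
        cpu_view = attest(cpu_rooted_boot(fw, bl, GENUINE_KERNEL))
        print(f"{name:9} firmware says ok={fw_view['reported_ok']}  "
              f"CPU-rooted attestation passes={cpu_view}")
```

Run it and the tampered row shows the point of the article in one line: the firmware-rooted chain reports success because the firmware is the only thing asked, while the CPU-rooted measurement fails attestation because the firmware's own bytes were folded into the register before it had a chance to speak.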
Microsoft already does something similar in Xbox, which is known to be a particularly secure ecosystem. And Cisco uses a type of chip called a Field Programmable Gate Array to implement its secure boot instead of firmware. In newer iPhones, Apple also uses special hardware checks set up in its custom-built, ARM-based chips to catch any funny business as soon as the processor gets power. But in all of those situations, the same company oversees development of both hardware and software, making those integrations more practical. With Windows, Microsoft can coordinate with chipmakers, but it doesn’t manufacture the devices the operating system will ultimately run on.