Secured-core PCs are a class of computers designed to thwart persistent malware attacks, especially those that target vulnerabilities outside of protection Ring 0 control privileges such as firmware malware. The privileges are beyond what a regular user would access.
Microsoft has sanctioned this category of PCs with security technologies developed in conjunction with major PC manufacturers and silicon-chip vendors. So what exactly are secured-core PCs? And why might big businesses use one?
Why Are Secured-Core PCs So Secure?
Components on secured-core PCs work in a holistic amalgamated structure to ensure firmware, hardware, and software integrity. The machines are particularly important for organizations such as businesses, banks, hospitals, and state institutions that regularly handle sensitive data.
Notably, they are shipped with enabled protections that can only be switched off by authorized specialists from the respective chip vendors.
Microsoft has collaborated with chip manufacturers such as Intel, AMD, and Qualcomm to develop CPU chips dedicated to running integrity checks for secured-core PCs. Once embedded in the motherboard, the chips handle security protocols that typically rely on firmware.
The verification process entails authenticating cryptographic hashes to uphold code integrity.
How Secured-Core PCs Deter Firmware Malware
Secured-core PCs are designed to authenticate all operations involved during and after the boot process. Because their system credentials are isolated and locked to secure cryptographic hashes, malware attempting to take over critical system protocols is unable to retrieve authentication tokens.
This level of security is made possible through Windows HyperVisor Code Integrity (HVCI) and Virtualization-Based security (VBS). HVCI operates under VBS and works to enhance code integrity so that only verified processes are executed via kernel memory.
VBS utilizes hardware-based virtualization to isolate secure memory sectors from the operating system. Through VBS, it is possible to seclude vital security processes to prevent them from being compromised. This is important when trying to limit damage, especially when dealing with malware that targets high-privilege system components.
Additionally, secured-core PCs utilize Microsoft’s Virtual Secure Mode (VSM). This works to protect crucial data such as user credentials within Windows. This means that in the rare event that malware compromises the system kernel, the damage is limited.
VSM can create new security zones within the operating system during such instances and maintain isolation through Virtual Trust Levels (VTLs), which work on a per-partition level.
In secured-core PCs, VSM hosts security deterrence solutions such as Credential Guard, Device Guard, and virtual Trusted Platform Module (TPM).
Access to these highly fortified VSM sectors is granted solely by the system manager, which also controls the Memory Management Unit (MMU) processor as well as the Input–output memory management unit (IOMMU), which is involved in booting.
That said, Microsoft already has significant experience creating hardware-based security solutions; the Xbox bulwark bears testimony to this.
Current Microsoft secured-core partners include Dell, Dynabook, Lenovo, HP, Getac, Fujitsu, Acer, Asus, Panasonic, and the company’s very own Microsoft Surface segment that deals in personal computers.
Additional Secured-Core PC Safeguards
While secured-core PCs have extensive hardware-based security reinforcements, they also require a motley of software-based security auxiliaries. They function as the first line of defense during a malware attack.
One chief software-based deterrent is Windows Defender, which implements System Guard Secure Launch. First made available in Windows 10, it uses Dynamic Root of Trust for Measurement (DRTM) protocol to launch boot processes into unverified code when starting.
Soon after, it takes hold of all processes and restores them to a trusted state. This helps to prevent booting issues if UEFI code has been tampered with and upholds code integrity.
For absolute secure booting, Windows 10 comes with S mode, which is designed to enhance security and CPU performance. While in this mode, Windows can only load signed apps from Microsoft Store. Browsing while in this state is limited to using Microsoft Edge.
Secured-core PC users can also enhance PC security by using Windows Defender Application Control (WDAC) to limit the drivers that are allowed to run on Windows 10. The feature implements driver and software policies allowing only trusted apps to operate.
Windows Hello is another feature needed to enhance security in secured-core PCs. It uses facial recognition, PIN, and fingerprint unlock capabilities to strengthen login security.
Windows Hello relies on specialized biometrics hardware that includes a fingerprint reader and infrared sensors. The hardware utilizes Trusted Platform Module (TPM) technology to safeguard credentials.
Why Microsoft Decided to Develop Secured-Core PCs
Microsoft has invested a significant amount of money in the research and development of secured-core PCs. The following are some of the reasons why the company prioritized the security project.
The Need to Protect Businesses Against Firmware Malware
Cybersecurity threats are evolving, and according to a Microsoft report, attacks are getting more sophisticated. It highlights findings of a study undertaken in 2021 and reveals that over 80 percent of businesses in the developed world have experienced a firmware attack over the previous two years.
This means that many businesses across the world are vulnerable to exploit schemes leveraging firmware malware.
Firmware exploits are very hard to detect and remove once they get hold of a system. Moreover, most computers share the same BIOS code, and so firmware loopholes uncovered by hacker groups can be leveraged against millions of computers worldwide regardless of their make or vendors, hence the need for secured-core PCs.
Secured-Core PCs Solve Peripheral Firmware Issues
Devices with unsigned firmware pose major security issues in standard PCs. Peripherals such as webcams are notorious for running anomalous firmware that can be used to spy on users. Their drivers can also be updated without client consent, thereby increasing the risks of this happening.
The lack of harmonized industry security standards is among the primary reasons why hackers target them during intrusion attacks. Presently, vulnerable devices include touchpads, Wi-Fi adapters, webcams, and USB hubs. Most of them lack cryptographic hashing and firmware verification, which are used in secured-core PCs.
The difficulty in harmonizing their security infrastructure means that the loophole is likely to remain open for many years. Currently, secured-core PCs are the best option for organizations looking to avoid such security gaps.
Microsoft Working on More Firmware Security Solutions
While Microsoft has created secured-core PCs to thwart firmware malware, it is also working on tools to help taper the attacks in standard computers. Its recent acquisition of ReFirm Labs, the Binwalk open-source firmware integrity scanner developer, is a step in this direction.
It is expected that more related solutions will be developed by the tech giant in the near future.