Intel, AMD and Qualcomm will use the Microsoft-designed Pluton security processor from Xbox One and Azure Sphere in future SoCs to deliver better protection than a TPM.
When Microsoft built Azure Sphere as a secure and updateable IoT device platform, it used what it had learned securing Xbox game consoles against users who were prepared to glitch and solder their own devices in an attempt to run pirated games.
The Pluton security processor built for Xbox One and incorporated in Azure Sphere has been tested by attackers trying to produce modchips for Xbox, and by hackers trying to get paid in the Azure Sphere bug bounty program. NXP already built Pluton into one of its application processors for industrial IoT devices, and now the next generation of Pluton will be on the CPU die in future processors from Intel, AMD and Qualcomm.
SEE: Identity theft protection policy (TechRepublic Premium)
“In a nutshell, Microsoft is handing over a processor design, with the firmware, to our three biggest silicon providers for the PC ecosystem. And we think this is really going to raise the fundamental security bar almost immediately, both for consumers and enterprises. This is something across the board that is just going to be part and parcel of our products, and really push us forward into the next years in terms of what security looks like,” Microsoft’s partner director of enterprise and OS security David Weston told TechRepublic.
Protecting the protection
Most PCs already have a security processor: the Trusted Platform Module (TPM) stores cryptographic keys and measurements used to verify the integrity of the OS in hardware and handles security features like BitLocker, System Guard and Windows Hello. Sometimes the TPM is a separate module entirely, sometimes it’s integrated with the CPU and GPU in an SoC, but not being on the same silicon as the CPU means there’s a connection to attack, Weston said.
“We are putting this processor on die; so essentially we have a processor design that’s being added into Intel and AMD silicon. Today when I add a TPM to a PC, I first select my CPU and then as the manufacturer, as an afterthought, I go buy a security processor and connect it with the bus. The challenge with that approach is the bus is an attack surface; while you’re sending secrets and keys back and forth from the CPU complex out to this discrete chip, someone can glitch the bus, they can sniff the bus, there’s numerous things [they can do].”
Once the bus between the TPM and the CPU has been compromised, encryption keys can be exposed, and the measurements used for secure boot can no longer be relied on.
Those are attacks that Xbox has had to defend against for years, which is where the idea of Pluton started. Not only is Xbox a vertical device where Microsoft produces both the OS and hardware, including a custom processor that it could have AMD add a security processor to, but it’s also unusual because the person attacking an Xbox might be not an external threat but the owner — who has full access to the hardware and an incentive to load code that hasn’t been signed by Microsoft.
“Xbox, is the only Microsoft product we’ve ever produced where the user is outside of the trust and threat model,” Weston said. “Essentially in the Xbox world, the user could be incentivized to do hardware attacks on their own device for the purposes of playing games.” That includes kits that guide the user thorough drilling into a sealed package on the motherboard to reflash the firmware on the DSP that controls the optical drive so they could load game DVDs that are copies rather than original discs (known as the ‘kamikaze hack’) and ‘mod chips’.
“A mod chip is a specialised FPGA that will send voltage glitching at just the right time to skip the security instruction [and load unsigned code]”, Weston explained. “It’s the definition of consistent physical attack. And what we did with the Xbox One is we came up with a new concept: the best way to stop physical attacks is to not trust anything outside of the SoC and draw the trust boundary around that.”
What Pluton does
On Windows the attacks are a little different from Xbox, and Microsoft isn’t putting Pluton into PCs to stop users choosing what software or OS to run. On Xbox and Azure Sphere, Pluton also protects against malware (and bugs in the OS or firmware that malware takes advantage of).
“This is about raising the bar for the PC hardware platform, and you will be able to run Linux on this without issues,” Weston promised. “This is about all segments of users. We’re working with these silicon providers that have interests beyond Windows and we’re cool with that so everything we can do to support this, we will.”
Windows will store encryption keys for credentials, user identities, encryption keys and personal data in Pluton, where it’s safe from speculative execution attacks. What Microsoft calls Secure Hardware Cryptography Key (SHACK) technology means keys are never exposed, even to the Pluton firmware.
“In a nutshell, SHACK is the ability to generate keys and derivative keys inside of the security processor in a way that’s never exportable,” said Weston. “Traditionally, when you’re doing keys and derivative keys, you may have to exchange those in the operating system where they can be in memory, and if they’re in memory that’s where Mimikatz and other stuff can get to them. SHACK is an innovative way to do key derivation and key generation — not in firmware, but actually in the logic of the processor. And as a result, not only do they go through the extreme verifications and analysis that is intrinsic to silicon, but they just simply cannot leave that SoC, which means you are limited to physical attack.”
Moving the security processor onto the same silicon as the CPU makes those hardware attacks much harder for hackers, Weston said. “It’s incredibly hard to do physical fault injection attacks inside of the CPU die. With the latest-generation processor you’re talking about seven to 14 nanometre [dies]; you need super-specialised equipment and expertise and legions of EE PhDs to even begin to do that, versus attacking something on the bus from a discrete chip where I can buy a logic analyser on eBay and do that.”
That doesn’t mean that TPMs aren’t secure today, Weston stressed. “My job, and the job of my peers at the silicon providers, is to make sure that we are proactively removing that risk rather than doing it after it becomes a huge problem.”
Pluton will stop esoteric attacks that rely on opening a PC up and physically attaching wires, like using a logic analyser to sniff the BitLocker key. Security researchers have already devised attacks like that, which means that attackers will be doing the same.
“There are so many variations on that. You could choose to glitch measured boot. That obviously takes some expertise, but the tools and techniques are not out of reach for doing that kind of stuff and so having that go away is great,” Weston said.
Ubiquitous updateable security
We don’t know exactly which processors will have Pluton or when — it isn’t in any PCs yet, not even Microsoft’s own Surface line. Intel talks about ‘client CPUs in future platforms’, while AMD says ‘future AMD Client APUs and CPUs’. In some cases, Pluton will also sit alongside the security processors that Intel and AMD already offer (AMD’s is also based on its experience building Pluton into the Xbox One silicon). Vendors can choose to use the security capabilities of the Intel or AMD security processors in parallel with Pluton, or just use one or the other.
That might happen when a certification specifically requires a TPM, Weston explained. “You can turn off Pluton and go with a conventional TPM. There will be some RFPs that say, ‘to get onto this secret network you’ve got to have this’, and there are different geographies across the world where they have a specific security process that they expect. Pluton keeps its security capabilities, and it manages its own [capabilities] when it’s enabled, but it can definitely work in concert with other security processors or it can be turned off, and that choice is something we explicitly designed in.”
Pluton isn’t going to be a requirement for getting the Windows logo on a PC: “I believe we can prove to people that there’s so much value here, and that will resonate with the customers, and that’s a much better and healthier way to move an ecosystem,” Weston pointed out. And if the industry doesn’t respond to the carrot, corporate customers may ask for certifications and specifications that include it.
But Microsoft expects Pluton to be widely available, and that means PCs with it will all have the same level of protection, and they will all get automatic firmware updates for the security processor through Windows Update. Ironically, Weston notes, security processors don’t always have security updates applied — changing that could be one of the biggest benefits of Pluton.
“In the end, most security problems come from a lack of hygiene; you didn’t apply patches, you didn’t do the basic things. We are making the basic things incredibly simple. You update on Patch Tuesday, and we are updating your security processor. Today, with TPMs you’ve got to chase down your manufacturer and you’ve got to chase down the person who made the TPM — you have to do work, and as a result, we don’t see the patch levels of security processors nearly as high as they should be. And that’s a massive cause for concern,” he said.
“With Pluton, Microsoft security engineers are writing this, we’re going through the full security assurance lifecycle that you would expect from a Microsoft product. We’ve got a track record here with both Azure Sphere and with Xbox, and we are making this available on Patch Tuesday just like it was any other component in the operating system. So, if you have something like the ROCA issues [Return of Coppersmith’s Attack CVE-2017-15361] that impacted TPM some time ago, [we’ll be] able to issue an update that’s comprehensive to the ecosystem in one stroke.”
SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)
That’s something that Xbox or Apple can do that hasn’t been possible for Windows PCs before because the enormous variety of PC hardware makes it much harder to offer security improvements across such heterogeneous devices, Weston added.
“I think what makes the PC ecosystem unique over some of the competitive ecosystems is the choice: in the PC ecosystem, you can buy a gaming PC, you can buy a tiny two-in-one, you can buy a monster desktop that you built yourself. People come to the PC ecosystem because they can have a choice. The challenge with that is we want to support that choice, without fragmenting the security baseline.”
Having the same people build the security processor and use it in Windows has obvious benefits, says Weston. “My team is designed this processor and is building the firmware, and they are the ones that are going to be responsible for keeping it up to date. It’s also the same teams that are using it for Windows Hello and are using it for BitLocker. So, we’re going to get the reliability, the management that you would get in a verticalized ecosystem in the PC world. And so the more we can get folks on here, the more consistency of experience we can provide. That means fast Hello login times, that means less reliability issues, and so on.”
“You can imagine the myriad of challenges around verifying every possible configuration out there in this wild and exciting PC ecosystem. And really, I’m trying to capture all the value of verticalization, keeping that variety — because at the end of the day we know that’s what customers want and expect from this ecosystem: they want to buy all the different crazy variety of devices out there. What Pluton is doing, by making sure that the most important security ingredient in hardware is now ubiquitous and consistent, we are getting that feel of a verticalized ecosystem, where one vendor is controlling the operating system and hardware, but we are enabling the choice and incredible variety that exists in the PC ecosystem.”
That even applies to PCs you build yourself, where adding a TPM has been even more work. “Pluton is built in and not bolted on. Now it’s everywhere you get the CPU. I just built a couple of PCs where I had to order the TPM modules and find the right pin outs and things like that; having a next-generation security processor that’s just everywhere is obviously going to be a huge boon.”
Despite allegations about compromised hardware getting into the supply chain of vendors like Supermicro, none has ever been discovered. Still, Pluton could protect against supply chain attacks, Weston said. “Real or argued, I think we all agree it could happen, and so getting fewer parties in that supply chain, where it’s just Microsoft and our silicon provider — AMD, Intel or Qualcomm, means customers can trust this a lot more and we can reduce the number of things that we need to trust in boot.”
The future of Pluton
To start with, Pluton is doing the same as a TPM would today. “All the software using roots of trust today, whether it’s measured boot or key storage, are going to be using the TPM APIs, and we want to keep that going right with higher reliability,” Weston said.
Once those fundamental security pieces are more secure and more reliable, Pluton can also offer more features: “The fact that it’s a firmware CPU platform also means in the future we can do cool stuff there. In Pluton for Azure Sphere and Xbox One we already do all kinds of cool things that a TPM simply can’t today.”
On the Xbox One, Pluton has its own CPU, custom cryptographic engines and registers, random number generators, secure RAM and secure ROM to boot from, a bank of fuses to blow if it’s necessarily to permanently switch the device into debug or development mode (after which it can’t be used to play other games), and side channel monitors to monitor clock voltage and temperature.
All the other hardware is treated by the Xbox SoC as if it might have been compromised. Clock voltage, flash storage, PCIe, SATA drive connections and USB peripherals are all untrusted and protected by an IOMMU on the interface with the South Bridge on the motherboard. A custom memory controller that adds encryption and integrity checking to DRAM because neither memory nor the memory bus are trusted. There’s a dedicated hardware path inside the SoC from the streaming cryptographic engine to the hardware cryptographic engine that it uses to do high-speed cryptography and SHA hash verification of everything read from the optical or hard drive.
Windows PCs aren’t locked-down appliances like Xbox, and the threat model is different, so we don’t expect to see all of that. But Pluton could introduce, say, the kind of attestation of peripherals that Microsoft’s Project Cerberus hardware root of trust offers for servers in Azure.
“We’re not there yet,” Weston said, but he finds the Cerberus scenario — “testing all the peripherals and making sure that they are high integrity before the system boots” — ‘really interesting’. That would protect your PC from compromised peripherals and even from malicious hardware disguised as a normal cable.