Windows 11 and a Zero-Trust Core Part 1
Windows 11 Security Book in a Nutshell Part-1: Hardware Security
According to Microsoft, the need for modern security principles and end-to-end protection is as important as ever, and Windows 11 was therefore built on the principle of Zero-Trust. The Zero-Trust model is reminiscent of a presumption of guilt in law: a defendant is guilty until proven innocent. For computers, this means that no device or user is granted access until its security and integrity are proven. Microsoft has also raised the requirements for both hardware and software to ensure baseline protection from “chip to cloud”.
Microsoft has implemented the Zero-Trust model based on a threefold principle:
- Verify explicitly: Days of implicit verification are over! Everything is authenticated and authorized based on all relevant facts including user identity, location, device health, workload and anomalies.
- Least Privilege Access: A well-known but nevertheless effective principle. Users are limited to just-in-time and just-enough access. A risk-based adaptive policy may be implemented.
- Assume breach: The ever so slightly pessimistic approach. Assuming that a device is already breached leads to minimizing impact and segmenting access to resources. More visibility and analytics improve detection and defense.
A so-called “hardware root-of-trust” protects the system during the boot sequence, which is a critical phase of operation. Verifying the loaded firmware and operating system code during the boot sequence ensures that malware cannot implant itself into the boot code and hide its presence.
Trusted Platform Module (TPM)
TPM 2.0, the latest version, brings important enhancements in cryptographic flexibility. Windows 11 mandates that new or upgraded devices have a TPM 2.0, which strengthens the overall security posture across devices.
Pluton Security Processor
The Pluton Security Processor is a rather new approach to chip security implemented by Microsoft and its silicon partners. The hardware root-of-trust is embedded into the same silicon substrate as the CPU, which eliminates the risks that arise when the CPU and the security hardware sit in separate, discrete locations. One special feature of the Pluton Security Processor is the unique Secure Hardware Cryptography Key (SHACK) technology, which helps ensure that keys are never exposed outside the protected hardware.
Silicon Assisted Security
Virtualization-based security (VBS), sometimes also referred to as core isolation, segments virtualized memory from operating system memory and thereby secures sensitive operating system functions that are user-authenticated. Malware that gains access to the main operating system kernel is greatly limited, because VBS can prevent it from executing code or accessing secrets inside the VBS secure environment.
Hypervisor-protected Code Integrity (HVCI) uses VBS to run Kernel Mode Code Integrity (KMCI) within a secured VBS environment instead of in the main Windows kernel. This protects drivers from direct kernel modifications. KMCI also checks that all kernel modules are signed and verifies their integrity. HVCI acts as a whitelisting mechanism and ensures that only validated code can run in kernel mode. Windows 11 devices shall support HVCI and, according to Microsoft, most new devices will come with VBS and HVCI turned on by default.
Windows 11 Secured-core PCs
Microsoft addresses critical vulnerabilities emerging at the firmware and device core levels by cooperating with OEM partners to create so-called Secured-core PCs. These PCs prevent malware attacks and firmware manipulation by launching into a trusted state at startup with an enhanced and enforced root of trust. All operating system code is verified and declared trustworthy only by approved authorities. This close integration between Microsoft and OEM partners provides many benefits, among them powerful security capabilities across all layers: software, hardware, firmware and identity protection.
Memory Protection in Secured-core PCs
PCIe hot-plug devices, for example Thunderbolt and USB4, expose computers to drive-by Direct Memory Access (DMA) attacks due to their USB-like behavior. Memory access protection, better known as Kernel DMA Protection, ensures that PCs are protected against those drive-by attacks by disallowing direct copying of memory whilst a PC is locked.
Firmware Protection in Secured-core PCs
Microsoft mentions well-known attacks such as “bootkits” and “rootkits”, which rely on achieving persistence in the pre-boot process. To tackle those kinds of attacks, the Unified Extensible Firmware Interface (UEFI) Secure Boot standard is employed: only authorized and signed firmware with trusted digital signatures is allowed to execute. Saving all boot configurations securely in the TPM creates a non-repudiable audit log of the boot, which is referred to as Static Root of Trust for Measurement (SRTM). Maintaining a list of SRTM signatures across all OEMs, for either bad or good SRTM measurements, becomes an impossible task. In Secured-core PCs, Windows Defender System Guard Secure Launch removes the need for such a list by employing Dynamic Root of Trust for Measurement (DRTM). DRTM hooks in between boot and Windows launch, which enables it to prevent resident malware that evaded UEFI Secure Boot from accessing secrets and critical code protected by the virtualization-based security environment. System Management Mode (SMM) is an additional layer that isolates and enforces policies and restrictions at a higher effective privilege level than the hypervisor.
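The SRTM audit log described above rests on the TPM extend operation, shown here as an added example that is not taken from the Windows 11 Security Book or from Microsoft code. It is a simplified model: one SHA-256 PCR, constructed byte strings in place of firmware images, and the reported PCR passed as a plain value where a real verifier would check a signed TPM quote.

```python
import hashlib

# Simplified model (assumption): a single SHA-256 PCR, zeroed at platform reset.
PCR_SIZE = 32

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(components):
    """Measure each boot stage before it runs; return (event log, final PCR)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def replay(log) -> bytes:
    """Recompute the PCR value a verifier expects from the recorded event log."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def verify(log, reported_pcr: bytes, known_good: dict) -> list:
    """Return findings; an empty list means the log is authentic and trusted."""
    if replay(log) != reported_pcr:
        return ["event log does not match the PCR value reported by the TPM"]
    return [f"unexpected measurement for {name}"
            for name, digest in log if known_good.get(name) != digest]

# Constructed sample boot chain (hypothetical names, placeholder image bytes).
CLEAN = [("uefi_firmware", b"fw v1"), ("boot_manager", b"bootmgr v1"),
         ("os_loader", b"winload v1")]
GOOD_LOG, GOOD_PCR = measure_boot(CLEAN)
KNOWN_GOOD = dict(GOOD_LOG)

# Same chain with a modified boot manager: its measurement and the PCR change.
TAMPERED = [CLEAN[0], ("boot_manager", b"bootmgr v1 modified"), CLEAN[2]]
BAD_LOG, BAD_PCR = measure_boot(TAMPERED)

if __name__ == "__main__":
    print("clean boot:   ", verify(GOOD_LOG, GOOD_PCR, KNOWN_GOOD))
    print("tampered boot:", verify(BAD_LOG, BAD_PCR, KNOWN_GOOD))
    print("forged log:   ", verify(GOOD_LOG, BAD_PCR, KNOWN_GOOD))
```

The `KNOWN_GOOD` table plays the role of the per-OEM measurement list that the text says becomes impossible to maintain, which is the gap DRTM is meant to close.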
Many of the principles implemented in Windows 11 are state of the art, but some have been around for a while and are not really groundbreaking. The future of secure computing and a higher security posture is highly dependent on the efforts of chip, software and hardware manufacturers and on their cooperation. Achieving the highest possible security posture is only possible through a well-thought-out integration of software, firmware and hardware, and Microsoft is leading by example in cooperating with silicon partners and OEMs. The Windows 11 Security Book is a good example of how Microsoft is actively promoting security in operating systems, and we will see more topics, such as Application and Cloud Security, in the upcoming parts of this series.