Microsoft announced its new ‘Pluton’ security processor, a ‘chip-to-cloud’ security technology designed to protect key areas of computers that currently can’t be reached by traditional hardware and software protection methods.
The Redmond, Washington-based company collaborated with silicon partners, including AMD, Intel and Qualcomm on the Pluton security processor. Microsoft says Pluton was pioneered in Xbox and the Azure Sphere. Microsoft explained that enhancements in Windows 10 have made things more difficult for attackers. As such, attackers have changed targets and now focus on the seams between hardware and software, which can’t be monitored for breaches using traditional tools like anti-virus software.
Microsoft says that the Pluton security processor will make it significantly more difficult for attackers to “hide beneath the operating system” by exploiting the seams between hardware and software. Further, Pluton will improve the company’s ability to guard against physical attacks, prevent credential and encryption key theft and improve recovery from software bugs.
Pluton builds security directly into the CPU, reducing physical attack vectors
To understand the benefit of Pluton, it helps to know where PC security is coming from. Currently, many PCs maintain OS security with a chip separate from the CPU called the ‘Trusted Platform Module’ (TPM). TPMs are hardware components used to securely store keys and other security measures that can verify the integrity of the system. Windows has supported TPMs for over a decade, and they power critical tech like Windows Hello and BitLocker.
Microsoft says that the effectiveness of TPMs has made them a target for attackers. For example, attackers can target the communication channel between the CPU and TPM (typically a bus interface). These channels allow the CPU and TPM to share information, but some physical attacks could allow a malicious actor to steal or modify information in transit between the security chip and processor.
The new Pluton security chip removes the vulnerability of the communication channel by building security directly into the CPU. Microsoft says that Windows PCs using the new Pluton architecture will first emulate a TPM that works with existing TPM specs and APIs. This allows customers to immediately benefit from Windows features that rely on TPMs. Further, it means that devices with Pluton will use the security processor to protect credentials, user identities, encryption keys and personal data. Microsoft claims that none of this information can be removed from Pluton, regardless of whether an attacker installs malware or gains physical access to a PC.
Storing sensitive data within the Pluton processor prevents emerging attack techniques like speculative execution from accessing key material. Additionally, Pluton provides the unique ‘Secure Hardware Cryptography Key’ (SHACK) technology, which makes sure that keys are never exposed outside the protected hardware, even to the Pluton firmware itself.
Pluton improves the security firmware update process
Another benefit of Pluton is that it can streamline the system firmware update process. Currently, customers can receive security firmware updates from a variety of different sources, which can be difficult to manage and lead to widespread patching issues. Pluton, however, offers a flexible and easy-to-update platform that’s authored, maintained and updated by Microsoft. Plus, Pluton will integrate with the Windows Update process, similar to how Azure Sphere Security Service connects to IoT devices.
Microsoft says it introduced the Pluton design on the Xbox One console in 2013 as part of its integrated hardware and OS security capabilities. The company says it’s taken what it learned about mitigating attacks with hardware to deliver its Pluton chip-to-cloud security vision to future Windows PCs. Those interested in learning more about how Pluton works can check out this talk from Microsoft BlueHat, which goes over how the chip worked in the Xbox One.
Pluton will provide next-gen hardware security protection to Windows PCs and will be integrated in future chips from AMD, Intel and Qualcomm. It’s not clear when these new chips will be available, however. For those who build their own PCs, or those who prefer Linux, this announcement shouldn’t cause any worry. For PC builders, Pluton should make things easier by eliminating the need to search for motherboards with TPMs as Pluton will already be available in the CPU. Plus, Microsoft already uses Pluton on Linux through its Azure Sphere devices — there aren’t any details about Linux support for Pluton yet, but it will likely become available when CPUs with Pluton begin shipping.