|
|
|
@ -1,7 +1,7 @@
|
|
|
|
---
|
|
|
|
---
|
|
|
|
author: paolomatarazzo
|
|
|
|
author: paolomatarazzo
|
|
|
|
ms.author: paoloma
|
|
|
|
ms.author: paoloma
|
|
|
|
ms.date: 09/18/2023
|
|
|
|
ms.date: 04/09/2024
|
|
|
|
ms.topic: include
|
|
|
|
ms.topic: include
|
|
|
|
---
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
|
|
@ -20,9 +20,7 @@ implements virtual trust level 1 (VTL1), which has higher privilege than the vir
|
|
|
|
|
|
|
|
|
|
|
|
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
|
|
|
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
|
|
|
|
|
|
|
|
|
|
|
Learn more:
|
|
|
|
Learn more: [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
|
|
|
|
|
|
|
|
|
|
|
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
|
|
|
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
|
|
|
|
|
|
|
|
|
|
|
@ -30,7 +28,7 @@ With new installs of Windows 11, OS support for VBS and HVCI is turned on by def
|
|
|
|
|
|
|
|
|
|
|
|
Learn more:
|
|
|
|
Learn more:
|
|
|
|
|
|
|
|
|
|
|
|
- Enable memory integrity
|
|
|
|
- [Enable virtualization-based protection of code integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
|
|
|
|
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
|
|
|
|
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
|
|
|
|
|
|
|
|
|
|
|
|
### Hardware-enforced stack protection
|
|
|
|
### Hardware-enforced stack protection
|
|
|
|
@ -41,15 +39,14 @@ Application code includes a program processing stack that hackers seek to corrup
|
|
|
|
|
|
|
|
|
|
|
|
Learn more:
|
|
|
|
Learn more:
|
|
|
|
|
|
|
|
|
|
|
|
- [Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
|
|
|
|
- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
|
|
|
|
|
|
|
|
- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
|
|
|
|
|
|
|
|
|
|
|
|
### Kernel Direct Memory Access (DMA) protection
|
|
|
|
### Kernel Direct Memory Access (DMA) protection
|
|
|
|
|
|
|
|
|
|
|
|
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
|
|
|
|
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
|
|
|
|
|
|
|
|
|
|
|
|
Learn more:
|
|
|
|
Learn more: [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
|
|
|
|
|
|
|
|
|
|
|
|
- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Secured-core PC
|
|
|
|
### Secured-core PC
|
|
|
|
|
|
|
|
|
|
|
|
@ -61,18 +58,19 @@ Secured-core PCs provide multiple layers of robust protection against hardware a
|
|
|
|
|
|
|
|
|
|
|
|
Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
|
|
|
|
Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
|
|
|
|
|
|
|
|
|
|
|
|
In Secured-core PCs, System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices such as Microsoft Surface.
|
|
|
|
In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
|
|
|
|
|
|
|
|
|
|
|
|
System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies
|
|
|
|
System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
|
|
|
|
that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
:::image type="content" source="..\images\architecture.png" alt-text="aas" lightbox="..\architecture.png" border="false":::
|
|
|
|
:::image type="content" source="..\images\architecture.png" alt-text="aas" lightbox="..\architecture.png" border="false":::
|
|
|
|
|
|
|
|
|
|
|
|
Learn more:
|
|
|
|
Learn more:
|
|
|
|
|
|
|
|
|
|
|
|
- Dynamic Root of Trust measure and SMM isolation
|
|
|
|
- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
|
|
|
|
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
|
|
|
|
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
|
|
|
|
|
|
|
|
|
|
|
|
### Secured-core configuration lock
|
|
|
|
### Secured-core configuration lock
|
|
|
|
|
|
|
|
|
|
|
|
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
|
|
|
|
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Learn more: [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
|
|
|
|
|
Paolo Matarazzo