Microsoft approved the Secured Core PC category with security technologies developed in conjunction with leading PC manufacturers and silicon chip vendors. These types of PCs are designed to thwart persistent malware attacks, especially those that target vulnerabilities outside the security ring level 0 control privileges (at the system kernel level), such as malware that affects the firmware that are far beyond the level of access of a normal user.
This is the definition that Microsoft has given, but what exactly are Secured Core PCs and how do they work? Let’s see it.
What is a Secured Core PC?
The hardware components of Secured Core PCs operate in a holistic amalgamated structure to ensure the integrity of the system firmware, hardware, and even its software. Machines are particularly important for organizations such as companies, banks, hospitals, and state institutions that regularly handle sensitive data.
In particular, these PCs are shipped with protections enabled in such a way that only an engineer specialized in the specific chips will be able to disable them. Microsoft has collaborated with manufacturers such as Intel, AMD, and Qualcomm to develop dedicated CPU chips to run integrity checks, and once integrated into the motherboard these chips handle security protocols that generally only rely on firmware.
The verification process involves the authentication of cryptographic hashes to maintain the integrity of the code, which is why specialized chips are necessarily used, so that they do not consume resources of the main CPU of the system and, therefore, that there is no impact negative on performance.
How Do Secure Core PCs Work?
Secure core PCs are designed to authenticate all operations involved during and after the boot process; Because the system credentials are isolated and locked to protect the cryptographic hashes, malware trying to take over critical system protocols will not be able to recover the authentication tokens in any way and therefore it is impossible for it to take effect. .
This level of security is made possible by Windows HyperVisor Code Integrity (HVCI) and Virtualization Based Security (VBS, but not to be confused with Visual Basic Script used by Windows). HVCI operates under VBS and works to improve code integrity so that only verified processes can run through the system’s kernel memory. This level of security is at the lowest level and therefore takes precedence over any software and even hardware.
VBS uses hardware-based virtualization to isolate secure memory sectors from the operating system. Through VBS it is possible to isolate vital security processes to prevent them from being compromised, and this is important when it comes to limiting or avoiding damage, as there are many malware that directly attack highly privileged system components.
Additionally, Secured Core PCs use Microsoft’s Virtual Safe Mode (VSM); This works to protect crucial data such as user credentials within Windows, and this means that in the rare event that malware compromises the system kernel, it will under no circumstances be able to access system credentials and is therefore limited enormously the damage it can cause.
VSM can create new security zones within the operating system during such instances and maintain isolation through Virtual Trust Levels (VTL) that operate at the system partition level. On Secured Core PCs, VSM hosts security deterrence solutions such as Credential Guard, Devide Guard, and virtual Trusted Platform Module (TPM).
Access to these highly hardened VSM sectors is granted only by the system administrator, who also controls the processor in the Memory Management Unit (MMU) and the Input / Output Memory Management Unit (IOMMU) that participate in the start. That said, Microsoft already has significant experience in creating hardware-based security solutions, and their Xbox consoles bear witness to that.
Microsoft’s current secure core partners include manufacturers such as Dell, Lenovo Dynabook, HP, Getac, Fujitsu, Acer, Asus, Panasonic and the company’s Microsoft Surface segment that is dedicated to computers designed for professionals.
Additional safeguards against malware
While Secured Core PCs have extensive hardware-based security enhancements, they also require a wide variety of software-based support systems in order to provide comprehensive protection. They function as the first line of security defense during a malware attack, but there is obviously no definition of ‘unhackable’, so they need some ‘help’ from the software.
A primary software-based deterrent is Windows Defender, which implements System Guard Secure Launch; Available for the first time in Windows 10, it uses the Dynamic Root of Trust for Measurement (DRTM) protocol to initiate boot processes in unverified code at startup. Soon after, it takes over all processes and restores them to a trusted state, helping to avoid startup problems if the UEFI code has been tampered with but maintains its integrity.
For a completely safe boot, Windows 10 comes with S mode which is designed to improve CPU performance and security. While in that mode, Windows can only load digitally signed applications from the Windows Store, and Internet browsing is limited to Microsoft Edge; It is an extremely restrictive mode, but it is the only way to guarantee maximum security, which is especially important if you think your computer may be infected by malware.