Microsoft debuts hardware-rooted security for foiling firmware attacks

[Evanvincent]

Firmware is an attractive target

Attackers are always looking for new and easier ways to compromise target systems, as well as ways to keep that compromise concealed from the system owners for as long as possible.

“Firmware is used to initialize the hardware and other software on the device and has a higher level of access and privilege than the hypervisor and operating system kernel thereby making it an attractive target for attackers,” David Weston, MSFT Director of OS Security, explained.

“Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised. Compounding the problem is the fact that endpoint protection and detection solutions have limited visibility at the firmware layer given that they run underneath of the operating system, making evasion easier for attackers going after firmware.”


Protections implemented in Secured-core PCs
The new Secured-core PCs – developed and sold by Lenovo, Panasonic, Dell, HP, Dynabook and Microsoft – include protections against firmware and kernel attacks, as well as basic integrity protections such as Secure Boot (makes sure that a device boots using only software that is trusted by the OEM), Trusted Platform Module 2.0 (hardware-based, security-related functions) and BitLocker (drive encryption).

The firmware protections provided include System Guard Secure Launch and System Guard SMM protections.

“System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities that are built into the latest silicon from AMD, Intel, and Qualcomm to enable the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path,” Weston explained.

This not only limits the trust assigned to firmware but also helps to protect the integrity of the virtualization-based security (VBS) functionality implemented by the hypervisor from firmware compromise.

“Protecting VBS is critical since it is used as a building block for important OS security capabilities like Windows Defender Credential Guard which protects against malware maliciously using OS credentials and Hypervisor-protected Code Integrity (HVCI) which ensures that a strict code integrity policy is enforced and that all kernel code is signed and verified,” he pointed out.

When Windows is running, System Guard SMM protections monitor and restrict the functionality of potentially dangerous firmware functionality accessible through System Management Mode (SMM).

Microsoft says Secured-core PCs are ideal for companies in the financial services, government and healthcare industries and, in general, for workers that handle data that’s attractive to nation-state attackers (sensitive company data, intellectual property, customer or personal data).

[Albert Davis]

Microsoft partnered with mainstream chip and computer makers to deliver hardware protection of firmware right out of the box: the so-called Secured-core PCs are aimed at foiling attackers who rely on exploiting firmware vulnerabilities to surreptitiously gain access to computer systems.

[Charliegrover]

Why Focus on Firmware?

These researchers are responding to the growing numbers of systems and embedded devices powered by insecure firmware. These devices can be lucrative targets and the cost of compromise is relatively low. Meanwhile, security and technology managers are already overworked just handling the basics: firewalls, endpoint security, intrusion prevention systems, access management, OS security; the list goes on. Solutions around firmware integrity monitoring are emerging, but many are not aware of the need.



Firmware: Easy to Pwn?
The security industry has made strides in making attacks on computers and servers more difficult; driving up the cost of attack by requiring advanced techniques to circumvent modern OS security mechanisms. Strong OS and hypervisor-level protections make systems less attractive targets, but not so much if the underlying firmware is left undefended.

There are a few fundamental reasons why firmware can make a realistic target:

(1) No upgrade path for firmware: In contrast to software, firmware can be more difficult to update. Update policies may not exist; indeed, the ability to update may not even exist. Add to this the resiliency of these systems—literally devices that may sit around for decades. Changes in security requirements (e.g., updated encryption algorithms) may not be reflected in updated firmware. Even unsophisticated attack techniques are highly likely to work across outdated security mechanisms.
(2) Traditional methods don’t apply or can be side-stepped: No matter how many layers of security are built into the OS, ultimately a system relies on the underlying firmware to boot and interact with hardware. Once firmware integrity is compromised, the other layers of protection may as well not exist. Attackers can bypass sophisticated security measures by directly targeting the firmware, which gets unfettered access to device functionality.
(3) Breaches are hard to detect: Traditional protection systems do not monitor firmware integrity.
The new Advanced Persistent Threat (APT): Once a breach is detected, it is difficult to remediate. Malware can be cleaned up with antivirus or sandboxed on most systems, but a firmware compromise can persist and hide malicious behavior for months and years. Compromised firmware can also allow OS-level attacks to recur even after normal remediation actions are implemented.

The Internet of Firmware

Traditionally, firmware is associated with the BIOS on a PC, but embedded devices (a.k.a. IoT) rely on firmware in several of their components. We are not used to thinking of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. And they are out there by the billions: Not just in newfangled “smart” kickstarter projects for the home, but in mission- and life-critical devices used in factories, power plants, medical equipment and point-of-sale systems.

[Evanvincent]

What does Firmware mean?
Firmware is a software program permanently etched into a hardware device such as a keyboards, hard drive, BIOS, or video cards. It is programmed to give permanent instructions to communicate with other devices and perform functions like basic input/output tasks. Firmware is typically stored in the flash ROM (read only memory) of a hardware device. It can be erased and rewritten.

Firmware was originally designed for high level software and could be changed without having to exchange the hardware for a newer device. Firmware also retains the basic instructions for hardware devices that make them operative. Without firmware, a hardware device would be non-functional.

[Albert Davis]

Firmware is programming that's written to a hardware device's nonvolatile memory. ... Firmware, which is added at the time of manufacturing, is used to run user programs on the device and can be thought of as the software that allows hardware to run.

Examples of firmware
Typical examples of devices containing firmware are embedded systems, consumer appliances, computers, computer peripherals, and others. Almost all electronic devices beyond the simplest contain some firmware. Firmware is held in non-volatile memory devices such as ROM, EPROM, or flash memory.

[Evanvincent]

NIKON Z6 AND Z7 RECEIVE FIRMWARE UPDATE, BRINGS RAW VIDEO CAPTURE AS A PAID UPGRADE


Firmware 2.0 enables CFexpress on Nikon Z6 and Z7

Raw video capture now available as a paid upgrade

Nikon launched the Z6 and Z7 fullframe mirrorless cameras back in 2018, and since then, the company has continued to focus on building a robust lens ecosystem. However, in the year since, Nikon has been slowly, but steadily pushing out firmware updates that continue to improve the performance of the cameras and the lenses. The latest update comes in two parts.

Firmware 2.20 for the Nikon Z6 and Z7 upgrade the XQD Card slot to be compatible with the new CFexpress memory card standard. The new CFexpress standard uses PCIe 3.0 lanes (up to 4 lanes) and enabled data transfer speeds of up to 1GB/s, per-lane. Firmware 2.20 enables the current XQD slot to now operate at the new, significantly faster speed, without needing any physical upgrade to the slot. The firmware can be downloaded from the Nikon Download Center.

The new CFexpress Type B cards use the same form-factor as an XQD card, making it a hassle-free experience for shooters. While the XQD card was originally developed by Sony, the Compact Flash Association had announced CFexpress as the successor to QXD in 2016. If you do update your Z6 or Z7 to the new firmware, do remember that you need to buy a card designated as CFexpress in order to take advantage of the new speeds.

The second firmware update offered by Nikon for the two full-frame mirrorless cameras is a paid one, which enables RAW Video capture. Users who want the ability to shoot RAW Video on their Nikon Z6 or Nikon Z7 will need to take their cameras in to a Nikon authorized service center and have them install the feature. Interestingly, Nikon is charging a Rs 15,000 upgrade fee for the feature. Additionally, if you do opt to get the upgrade, you will need an external recorder to actually shoot video in RAW. As of now, only the Atomos Ninja V is compatible with the Nikon Z6 and Nikon Z7 for RAW video capture. You can get both 4K UHD or 1080p 12-bit RAW video over HDMI to the external recorder.

[tracym]

To protect the server infrastructure with a hardware-based root of trust; To defend sensitive workloads against firmware-level attacks