Microsoft has introduced its new Pluton security processor in collaboration with leading chipmakers to bring more security advancements to Windows PCs and other Microsoft devices.
Microsoft Pluton leverages chip-to-cloud security technology already used in Xbox and Azure Sphere to bring enhanced cybersecurity tools to future Windows PCs. This is a collaboration with some of the largest chipmakers, including AMD, Intel and Qualcomm.
The security chip will be built into future CPUs and replace the Trusted Platform Module (TPM), a hardware component used to help securely store keys and measurements that verify the integrity of the system.
David Weston, Microsoft’s director of enterprise and OS security, wrote in a blog post that TPMs power many critical technologies like Windows Hello and BitLocker, but attackers are finding ways to attack them.
“Given the effectiveness of the TPM at performing critical security tasks, attackers have begun to innovate ways to attack it, particularly in situations where an attacker can steal or temporarily gain physical access to a PC,” Weston writes.
“These sophisticated attack techniques target the communication channel between the CPU and TPM, which is typically a bus interface. This bus interface provides the ability to share information between the main CPU and security processor, but it also provides an opportunity for attackers to steal or modify information in-transit using a physical attack.”
The design of Microsoft Pluton removes the potential for that kind of attack by building security directly into the CPU, according to Weston.
Windows PCs using the Pluton design will first emulate a TPM that works with existing TPM specifications and APIs, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, like BitLocker and System Guard.
Devices with Pluton will use the processor to protect credentials, user identities, encryption keys and personal data.
That information can’t be removed from the chip even if an attacker is able to install malware or has physical possession of the PC, because sensitive data like encryption keys are stored securely within the Pluton processor, isolated from the rest of the system.
That helps to protect against emerging attack techniques, like speculative execution, Weston writes.
Another major plus with Pluton is that it keeps the system firmware up to date across the entire PC ecosystem, Weston says.
“Today customers receive updates to their security firmware from a variety of different sources that can be difficult to manage, resulting in widespread patching issues,” Weston says.
“Pluton provides a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.”
The Pluton design was first introduced as part of the integrated hardware and OS security with the Xbox One console in 2013 when Microsoft and chipmaker AMD teamed up. That helped guard against physical attacks, prevent the discovery of keys and provide the ability to recover from software bugs, Weston says.
“With the effectiveness of the initial Pluton design we’ve learned a lot about how to use hardware to mitigate a range of physical attacks,” Weston writes. “Now, we are taking what we learned from this to deliver on a chip-to-cloud security vision to bring even more security innovation to the future of Windows PCs.”