Helping Windows 11 fight the hackers

Sponsored Feature When Windows 11 launched in October 2021, one of its big selling points was a new security architecture. Microsoft designed it from the ground up with zero-trust principles in mind, refusing to trust the legitimacy of any single system component. Instead, everything must prove that it has not been compromised.

Protecting a system this way is a difficult job. It requires components to prove their legitimacy using means beyond the scope of attackers. That's why hardware security has become top-of-mind for Intel. The company has been working with Microsoft for years, building protections directly into its hardware via its Intel vPro® platform eatures that integrate directly with the operating system.

The need for hardware security

Attackers and cybersecurity defenders are in an Inception-like race. As defenders protect the upper layers of the stack, attackers race to compromise the system at lower levels. They target elements that operate before the OS begins running, such as the boot loader and the firmware - the persistent code that runs on the system's BIOS or UEFI. Rootkits that can install themselves to interfere with the system at this level can persist, owning the operating system before it even loads.

The other hardware-based risk is supply chain tampering. A complex web of global companies collaborate indirectly to get a PC onto a retailer's shelf. Microsoft has detailed the risk, describing how attackers at any stage of the chain can inject malicious code into hardware components. Like rootkits, these attacks are expensive to mount but difficult to detect, making them ideal for well-funded nation-state actors.

The key to protecting the system against low-level attacks like these is to marry OS-based protections with hardware-based security measures. The more airtight this integration, the less vulnerable you leave the system to compromise. Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's device-centric Client Computing Group explains that this is an ongoing process.

"We work many years ahead with OEM customers and key partners like Microsoft to shape the solutions that we want to build in terms of their performance and security characteristics," he explains. For Windows 11, Microsoft and Intel had worked for over five years on the features that would support Windows 11's secure by default objectives, for example.

Protecting systems through secure hardware

Collaborating closely with Microsoft enables Intel to protect users in at least two ways. The first sees it remove implicit trust in low-level system components, replacing it with proof that their code has not been tampered with. It does this by driving the storage of digital credentials further down the stack into the heart of the chip itself.

Second, Intel has used hardware-based acceleration to support complex, compute-intensive cybersecurity controls that simply wouldn't have been workable before.

"If these features did not perform well and got in the way of productivity, nobody would want to turn them on. It's viewed as a tax," says Venkateswaran. They must work unobtrusively if they are to work at all. "You cannot solve some of these problems in an adequate way and get the right kind of performance and security characteristics if you just try to do this in software."

The Intel vPro architecture includes a set of features in Intel chips that offer hardware assistance in areas including remote management and security. These hardware-based protection measures all sit under an umbrella concept called Intel® Hardware Shield. The Intel Hardware Shield and remote management tech map to the five levels of device operation outlined in the Windows 11 Security eBook: the computer's processor hardware, the operating system, applications, identity and privacy, and the cloud. Together, they provide a chain of trust that begins before the PC even boots and protect the system against software-based toxins by operating at a lower level than attackers can.

Evolution of security features

Thanks to hardware assistance, Venkateswaran explains that many of the Hardware Shield features that used to be turned off by default in Windows are now turned on out of the box. A study by IOActive said that this has enabled the company to reduce the attack surface in the average Windows PC by up to 70 percent compared to systems created four years prior.

One protection now turned on by default starting in Windows 11 is Hypervisor-protected code integrity (HVCI, or memory integrity). This feature runs a kernel-mode integrity check inside a virtual machine (VM) instead of the main Windows kernel, to ensure that all kernel code in the guest is properly signed. Intel supports features like this with mode-based execution control (MBEC). This hardware-assisted tool enables hypervisors to enforce kernel code integrity via finer-grained control of page execution using user and supervisor permissions.

Virtualization protections from Intel extend up the stack, starting with chip-level protections like its VT-x architecture. Intel® Total Memory Encryption and Intel® Total Memory Encryption – Multi-Key extends security by using hardware-enforced encryption to protect memory content between different virtual machines. Protecting independently isolated workspaces helps address the sweet spot of performance vs security, says Intel.

Hardware-assisted virtualization security also helps to harden systems and reduce the attack surface at the operating system and application level. Here, Intel applies Intel Virtualization Technology for Directed I/O (VT-d). This offers kernel-level protection for direct memory access (DMA). DMA involves reading and writing to system memory without using the processor, which means that multiple VMs and containers can directly access I/O devices. VT-D protects devices from unauthorized direct-memory access, effectively isolating VM workloads from malware in the main operating system.

Protecting the system from power-on

Intel and Microsoft wove their research together to create a system that enables endpoints to boot securely. It combines several Hardware Shield features to create a secure chain of trust that monitors and checks the integrity of the boot process at all steps.

This security begins with Intel® Boot Guard, a measure that checks the integrity of the signed firmware against digital certificates from the OEM stored directly in the device's program controller hub (PCH). This provides a chain of trust to guarantee boot integrity, because the system will only boot UEFI firmware signed by the OEM.

A process known as Secure Boot then handles the early boot process by checking all code that runs before the OS loads. After that, another process called Trusted Boot checks the validity of the kernel. Then Windows itself, having been verified as securely loaded, can implement its own controls to protect further system operations - often with the assistance of the Intel hardware.

Intel® Trusted Execution Technology (Intel® TXT) marshals the boot process by checking the behavior of boot-time components against a known good sequence, helping to spot any anomalies that could signal a compromise.

For any of this to work, Intel must have a way to securely store secrets in a tamper-free region of the hardware, protecting them from software-based attacks. This is where the trusted platform model (TPM) comes in. A TPM stores secrets such as keys, passwords, and digital certificates directly in the silicon, at a level that attackers cannot reach. Corporate customers typically need fully certified TPMs, which must be discrete (separate chips on the motherboard) under the Trusted Computing Group's specification. So, OEMs will ship discrete TPMs as a default option on machines targeting the corporate market. Conversely, OEMs ship consumer machines normally ship without fully certified discrete TPMs. Intel protects those devices with its own Trusted Platform Module under the name Intel® Platform Trust Technology (Intel® PTT).

Stopping memory-based attacks

Having protected the boot chain, Intel turned its attention to another common attack technique: return-oriented code attacks. Malicious actors will often use an existing program's tendency to jump to different portions of code, altering the location of the code to run. This allows them to take control of the program flow, running code of their own. This is the basis for buffer overflow attacks, which are the bane of developers working in memory-vulnerable languages like C++.

Intel responded with its Intel® Control-Flow Enforcement Technology (Intel® CET), a hardware-level protection introduced in its 11th-generation secure CPUs to thwart attacks that target program flow. Extensions to the chip's instruction set enable it to track program branching so that it can detect anomalies in program jumps. It also offers a similar protection for return-oriented attacks, where the attacker overwrites the portion of the memory stack containing the address for program flow to return to. It uses a shadow stack to protect that return addresses from tampering.

Microsoft baked support for this Intel feature into Windows 10 2H20 with the introduction of Hardware Stack Protection, subsequently adding Kernel-mode Hardware-enforced Stack Protection last year in Windows 11 22H2.

Onwards and upwards

Securing the endpoint is a never-ending journey that requires close collaboration between hardware and software teams, says Venkateswaran. There are many other hardware-assisted features that offer security protections, such as Intel® Threat Detection Technology (Intel® TDT) which uses a processor's integrated GPU to run AI-based analyses of operating system and application-level behavior.

Like Microsoft, Intel also learns from attacks on its own systems. "We have made significant strides in our security assurance, increasing the security assurance investments so that we are proactively finding and fixing bugs," Venkateswaran says. To this end, Intel also has a bug bounty program to reward security researchers who find vulnerabilities in its systems. In 2022, it expanded this program with Project Circuit Breaker, an initiative to encourage community research into the security of more products, including GPUs, chip sets, and hypervisors. It details its findings in an annual security report that it uses to demonstrate how it has fixed new security bugs.

"Intel and Microsoft continue to collaborate closely as a single security team, and delivering security features for our mutual customers," Venkateswaran concludes. "At the end of the day, that's what enables Windows on Intel to have the best security."

Sponsored by Intel.