The Pluton security co-processor is built in collaboration with AMD, Intel, and Qualcomm, and will be used to protect credentials, user identities, encryption keys, and personal data. Although it was announced yesterday for Windows 10 PCs, Pluton has been used to protect the Xbox One since 2013.
Microsoft explained in a press release that Pluton addresses the communication vulnerabilities between the processor and the trusted platform module (TPM), a discrete security chip used in authentication features like Windows Hello and BitLocker. Because of its critical role, attackers have begun exploring its weaknesses to take control of the host system, specifically by intercepting its communication with the processor while they’re in transit. Previously, it has been demonstrated that an attacker can extract BitLocker keys stored within the TPM using a cheap FPGA board and publicly available code.
Pluton aims to solve this issue by embedding itself directly into the processor. It will emulate a TPM that works with existing TPM specifications and APIs to reduce integration complexities. Microsoft claims that none of the information it stores can be removed from Pluton even if the attacker has complete physical access to the PC.
Sensitive data like encryption keys are stored in Pluton itself and isolated from other components. This hardens it against emerging techniques such as speculative execution. Moreover, by adding Secure Hardware Cryptography Key (SHACK) to Pluton, the security keys are contained only to the protected hardware. Not even the Pluton firmware itself has access to them.
In addition, Pluton will provide a more secure way to update firmware by providing a platform that’s managed and maintained by Microsoft. This is another improvement to Microsoft’s Secured-core initiative, a project aimed to defend against firmware attacks that are becoming increasingly prevalent. In a blog post, Microsoft said that firmware has become an attractive target for attackers since they have higher access privileges. Attacks against firmware can circumvent traditional safeguards like secure boot implemented by the operating system.
One of the countermeasures of Secured-core against firmware attack is the Windows Defender System Guard that establishes a dynamic root of trust.
In an email to IT World Canada, Microsoft said Pluton is complementary to Secured-core, but a system could have Pluton on its own, or with Secured-core. Pluton will help increase overall system security by building on existing TPM protections.
Pluton will work together with security systems already embedded in today’s processors, such as the AMD Security Processor (ASP), an ARM-based security subsystem built into nearly all modern AMD processors. AMD described their separate roles in its news release: “Pluton helps provide security to Windows PC systems by acting as an integrated hardware root of trust for the Windows ecosystem while ASP acts as the silicon hardware root of trust which helps provide integrity by authenticating initial firmware loaded on the platforms.”
Intel, AMD, and Qualcomm have yet to disclose when Pluton will arrive in their products but expect them sooner than later.