[German]The Windows Platform Security Team discusses the technology that secure core PCs can protect Windows against attacks on the kernel, e.g. by compromised drivers.
I had already read the information recently, but again I became aware of this article via the following tweet.
— Dave dwizzzle Weston (@dwizzzleMSFT) March 17, 2020
In this post, people from Microsoft discusses the way through the issue of gaining kernel privileges by exploiting legitimate kernel drivers.
Abusing kernel drivers for privilege escalation
Acquiring kernel privileges by exploiting legitimate but vulnerable kernel drivers has become an established tool of choice for advanced attackers. Several malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish and Sauron, as well as campaigns by the threat actor STRONTIUM, have exploited driver vulnerabilities (e.g. CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and in some cases effectively disable security agents on compromised machines.
Secured Core PCs as a countermeasure
In October 2019 Microsoft introduced a new development, the Secured Core PCs with additional protection against firmware attacks. I had reported about it in the blog post Microsoft Introduces Secured Core PCs w. Firmware Protection.
Secured-core PCs are devices that use a range of security technologies to prevent firmware-level attacks. Microsoft intends to integrate software-based protection on operating systems and related services. Microsoft has worked internally and externally with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac to introduce a new class of devices called Secured Core PCs.
These Secured Core PCs must meet “a set of specific device requirements that apply the security best practices of isolation and minimal reliance on the firmware layer or device core that supports the Windows operating system. The devices are aimed at companies that handle highly sensitive information, such as financial institutions, government agencies, and so on.
Details of how Microsoft envisages securing Secured Core PCs using TPM 2.0 or higher, Windows Defender System Guard, HVCI Kernel DMA protection etc. can be read in this blog post.