Microsoft has announced its Pluton processor, a forthcoming chip that lives apart from the main CPU and which will be available in future Windows 10 PCs.
The Microsoft Pluton processor is designed to improve protections against physical attacks and stop attackers stealing user credentials and encryption keys with malware. The chip should also help systems recover from software bugs.
Essentially, the Pluton chip is a Trusted Platform Module (TPM) that’s isolated from the rest of the system to help protect encryption keys from attacks on the speculative execution process in CPUs.
Microsoft promises Pluton will make it easier to keep system firmware up to date, for example in cases where TPM firmware updates for separate security processors are required.
In Intel’s case, the Pluton processor will ship with future chips but will be isolated from their cores. However, at present there’s no precise timeline for the appearance of the first Intel chips containing the Pluton security processor.
Pluton will be integrated with the Windows Update process on Windows 10 PCs, according to Microsoft. The chip is an updatable platform for running firmware that implements end-to-end security and that is authored, maintained, and updated by Microsoft.
The firmware updates will follow the same process that the Azure Sphere Security Service uses to connect to IoT devices.
Microsoft notes that the Pluton design was in fact introduced as part of the integrated hardware and OS security capabilities in its Xbox One game console with AMD chips released in 2013, and also within Azure Sphere.
“Our question was how could we build the most secure PC by taking advantage of the best hardware Intel and others have and integrating that into the operating system. This is really the next evolution,” David Weston, Microsoft’s partner director of enterprise and OS security, told ZDNet.
Microsoft is also planning to release Pluton security processors with AMD and Qualcomm Technologies.
“Microsoft has developed this security processor. We’re partnering with Intel to actually stick it into their CPUs. We all know how powerful and capable Intel CPUs are, as well as all the other security capabilities they have in the platform. But to us, this is cementing that the PC ecosystem has unmatched innovation,” Weston continued.
“The Pluton processor is not bolted on. It’s right in there, and you get security as well because there’s very little attack surface around the processor.”
Weston said Pluton represents a big change from the Secured-Core Windows 10 PCs that Microsoft announced last year, which have been available in higher-end laptops aimed at business users.
Some of the more advanced physical attack techniques available today can target the communication channel between the CPU and TPM, which is typically a bus interface, Microsoft explains.
While this interface allows for information to be shared between the main CPU and security processor, attackers in possession of the device can steal or modify information in transit.
“Pluton is for the entire Windows PC ecosystem. We are putting this in Intel chips and it will be available to everybody as a security baseline,” said Weston.
He notes that customers used to have to explicitly choose and then go buy a security processor, and then pick a different vendor.
“We’re making that dead simple. You buy an Intel processor, you have this Intel-Microsoft security processor that is 10 years of evolution based on what we learned from the TPM,” said Weston.
“You’re getting better protection against physical attacks, you’re getting Microsoft verification of firmware to stop some of the new firmware attacks, and we’re going to update this thing every month just like it’s Patch Tuesday.”
He added that Microsoft is collaborating on authoring the hardware and firmware. “You don’t have to think that much about how you’re going to manage or maintain it.”
Weston argued that a lot of challenges in the ecosystem today arise from problems with keeping security processors up to date.
“You have different places you have to go and source [updates]. This makes it deadly simple. It’s my team that builds Windows BitLocker and Windows Hello and all the great technologies that take advantage of this security processor are also now we’re working with Intel to build it,” he said.
“So we have this deep integration that’s going to pay off in spades in terms of user experience and the security fundamentals.”