Microsoft has announced the Pluton security processor, a chip-to-cloud security technology that will be built into CPUs. It is based on technology that was first used in the Xbox One and Azure Sphere.
The processor, which was developed in collaboration with AMD, Intel, and Qualcomm and will debut in their future chips, aims to “make it significantly more difficult for attackers to hide beneath the operating system, and improve our ability to guard against physical attacks, prevent the theft of credential and encryption keys, and provide the ability to recover from software bugs”.
One of the key traits of the Pluton is that it emulates a Trusted Platform Module (TPM) from within the CPU, and the emulation is compatible with current TPM specifications and APIs. A TPM is a hardware component separate from the CPU that provides security functions, and Microsoft says that its effectiveness has led attackers to become more innovative in their attacks. The company added that these attacks target the communication channel between the CPU and the TPM, which is why the Pluton does away with that channel altogether.
In addition, data such as encryption keys will be stored within the Pluton, which also has Secure Hardware Cryptography Key technology to prevent keys from ever leaving the protected hardware. Microsoft added that the Pluton is isolated from the rest of the system so that attack techniques such as speculative execution cannot reach that key material.
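The practical consequence of hardware-bound keys is that software can use a key but never read it out. Because the Pluton presents itself through the existing TPM APIs, the same check that applies to a discrete TPM today should apply to a Pluton-backed key (that carry-over is an assumption; the article only states API compatibility). The following PowerShell script is an added example, not code from the article or from Microsoft: it confirms a ready TPM, creates a throwaway key in the TPM-backed CNG provider, shows that signing works, and then shows that exporting the private key is refused. It needs an elevated Windows session with a TPM 2.0; the certificate subject and the signed message are constructed placeholders.

```powershell
# Added example (not from the article or Microsoft): verify that a key created
# through the TPM-backed CNG provider is hardware-bound and non-exportable.
# Assumes Windows 10/11 with a ready TPM 2.0 and an elevated PowerShell session.

# 1. TPM status via the TrustedPlatformModule module.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "No ready TPM found; hardware-backed keys are unavailable on this system."
}

# 2. Create a self-signed test certificate whose private key is generated and
#    stored by the Microsoft Platform Crypto Provider (the TPM-backed CNG provider).
#    The subject name is a constructed placeholder.
$cert = New-SelfSignedCertificate `
    -Subject "CN=pluton-example-test" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider "Microsoft Platform Crypto Provider" `
    -KeyExportPolicy NonExportable `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 3. Inspect the key handle: the provider name and export policy tell you
#    whether the private key material is bound to the hardware.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$key = $rsa.Key
"Provider:      $($key.Provider.Provider)"
"Export policy: $($key.ExportPolicy)"

# 4. Signing succeeds because the operation runs inside the hardware ...
$data = [System.Text.Encoding]::UTF8.GetBytes("constructed test message")
$sig  = $rsa.SignData($data,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Signature length: $($sig.Length) bytes"

# 5. ... but asking the provider for the private parameters is refused.
try {
    $null = $rsa.ExportParameters($true)
    "WARNING: private key was exportable; this key is NOT hardware-bound."
} catch {
    "Private key export refused as expected: $($_.Exception.Message)"
}

# 6. Remove the test certificate and its key.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey
```

If the provider line reports "Microsoft Software Key Storage Provider" instead of the Platform Crypto Provider, the key was created in software and the export refusal only reflects a policy flag, not a hardware boundary; that distinction is the point of checking both fields rather than relying on the export error alone.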
Microsoft is also using the Pluton to address the problem of firmware updates arriving from multiple sources. Instead, the Pluton will be “a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft”. Its integration with Windows Update was likened to the way the Azure Sphere Security Service manages IoT (Internet of Things) devices.
“With the effectiveness of the initial Pluton design we’ve learned a lot about how to use hardware to mitigate a range of physical attacks,” said Microsoft. “Now, we are taking what we learned from this to deliver on a chip-to-cloud security vision to bring even more security innovation to the future of Windows PCs.”