In an attempt to tie hardware and software protection more closely together and potentially eliminate whole attack vectors, Microsoft says its aim is to build security directly into the CPU. The technology behind Pluton, which the company describes as “chip-to-cloud security technology,” has already been used in Xbox and in the Azure Sphere IoT security solution, and Microsoft now wants to bring it to Windows PCs. Today’s PCs use the Trusted Platform Module (TPM) to store encryption keys and the data required to verify device integrity, but that data is still exposed to attack while it travels over the communication channel between the TPM and the CPU, particularly when the attacker has physical access to the target system. Pluton aims to counter this by storing encryption keys and other sensitive data inside the processor itself, removing that exposed channel and, according to Microsoft, offering protection against speculative execution and other forms of attack. Microsoft explained, “Windows PCs using the Pluton architecture will first simulate a TPM that fits with current TPM standards and APIs, enabling customers to benefit directly from improved security for Windows features that depend on TPMs such as BitLocker and Device Guard.” Windows devices with Pluton can use the Pluton security processor to protect credentials, user identities, encryption keys, and personal data, and Microsoft says none of this data can be extracted from Pluton even if an attacker has installed malware such as ransomware or has complete physical possession of the PC.
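As an added practitioner check (not code from the article or from Microsoft), the following PowerShell snippet reports what the TPM looks like to Windows and whether BitLocker's boot-time unlock depends on the TPM alone, which is the configuration in which the volume key is released to the CPU over the TPM channel described above. It assumes Windows 10 or 11 with the built-in BitLocker and TrustedPlatformModule modules and an elevated shell; the function names are my own.

```powershell
# Added audit snippet (not from Microsoft or the article). Assumes Windows 10/11
# with the TrustedPlatformModule and BitLocker PowerShell modules, run elevated.
#Requires -RunAsAdministrator

function Get-TpmSummary {
    # Get-Tpm is the stock cmdlet; it does not say whether the TPM is a discrete
    # chip, firmware, or an emulated one, only how it identifies itself.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        Manufacturer = $tpm.ManufacturerIdTxt   # vendor string reported by the TPM
        Version      = $tpm.ManufacturerVersion
    }
}

function Get-BitLockerProtectorRisk {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A bare 'Tpm' protector with no PIN or startup-key variant means the TPM
        # unseals the volume key unattended at boot; on a discrete TPM that key
        # crosses the TPM-to-CPU channel, which is what physical-access attacks target.
        $hasTpmOnly  = $types -contains 'Tpm'
        $hasUserAuth = @($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' }).Count -gt 0

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyUnlock    = ($hasTpmOnly -and -not $hasUserAuth)
        }
    }
}

Get-TpmSummary | Format-List
Get-BitLockerProtectorRisk | Format-Table -AutoSize
```

A `TpmOnlyUnlock` of `True` does not mean the machine is compromised; it marks the volumes whose key is handed to the CPU without any user secret at boot, so they are the ones that gain most from keys never leaving the processor, and, on today's discrete-TPM hardware, the ones where adding a PIN protector closes the same exposure.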
The technology will be integrated into future Intel, AMD, and Qualcomm CPUs, but it is unclear when the new processors will reach end users; Microsoft said that it is not currently sharing any detailed schedule or roadmap. AMD said the Pluton security processor would be “tightly integrated” into its future client CPUs and accelerated processing units (APUs), alongside AMD’s own security processor. “[AMD Security Processor (ASP)] and Microsoft Pluton help secure the sensitive and personal information of customers, whether they are on the move or linked to a business network, even if their laptop has been lost or stolen,” AMD said. “The integrated architecture gives enhanced security against attackers trying to conceal malicious code in the device or using advanced physical attacks to intercept passwords or encryption keys.”