Microsoft on Thursday announced Windows Defender System Guard runtime attestation, a new Windows platform security technology set to roll out to all editions of Windows.
Meant to mitigate attacks in software, the runtime attestation takes advantage of the same hardware-rooted security technologies in virtualization-based security (VBS) as Credential Guard, Microsoft says.
The new security technology can provide supplementary signals for endpoint detection and response (EDR) and antivirus vendors, and can detect artifacts of kernel tampering, rootkits, and exploits. Moreover, it can be used for preventing cheating in games, protecting sensitive transactions (banking apps, trading platforms), and providing conditional access (enabling device security-based access policies).
“Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. This hardware-rooted ‘proof-of-health’ can then be used to identify compromised machines or gate access to critical cloud services. Runtime attestation serves as a platform for a wide variety of advanced security applications,” Microsoft notes.
The first phase of Windows Defender System Guard runtime attestation will arrive with the next Windows 10 update to lay the groundwork for future innovation, Microsoft says. It will allow new operating system features to be built that detect and communicate violations of security promises in the event of a full system compromise, such as one achieved through a kernel-level exploit.
Microsoft is also working on delivering a client API for using runtime attestation. The API would deliver a runtime report containing information from Windows Defender System Guard runtime attestation on the security posture of the system, which includes runtime measurements of sensitive system properties.
“For the runtime report to have any significant meaning, it must be generated in a fashion that provides reasonable resistance against tampering,” Microsoft explains.
Because of that, runtime report generation must be isolated from an attacker, the isolation must be attestable, and the report must be cryptographically signed in such a manner that an attacker cannot reproduce the signature outside the isolated environment.
This is where virtualization-based security enclaves come into play. They bridge the ‘normal’ world running the NT kernel and the ‘secure’ world running the Secure Kernel. From inside a VBS enclave, runtime attestation can attest to a set of security properties contained in a report.
“VBS enclaves can also expose an enclave attestation report signed by a VBS-specific signing key. If Windows Defender System Guard can obtain proof that the host system is running with VSM active, it can use this proof together with a signed session report to ensure that the particular enclave is running,” the tech giant explains.
The runtime report is signed with a private key that never leaves the enclave. A session report produced by the Windows Defender System Guard attestation service backend is also signed. Relying parties can verify both reports by checking the signatures against the session certificate and ensuring that the certificate is validly signed and chains to the relevant Microsoft CA.
While networking calls between the enclave and the Windows Defender System Guard attestation service are made from the NT kernel, the attestation protocol has been designed in a manner that ensures its resiliency against tampering even over untrusted transport mechanisms, Microsoft says.
A security level is assigned to each attestation service-signed session report, indicating what level of trust can be placed in the runtime report. The highest level of trust likely requires VBS-capable hardware and OEM configuration; dynamic root-of-trust measurements at boot; secure boot to verify the hypervisor, NT and SK (Secure Kernel) images; and a secure policy ensuring hypervisor-protected code integrity (HVCI)-enforced kernel mode code integrity (KMCI), with test-signing and kernel debugging disabled.
“The security level exposed in the session report is an important and interesting metric in and of itself. However, Windows Defender System Guard can provide so much more – specifically in respect to runtime measurement of system security posture,” Microsoft notes.
The assertion logic will be delivered in-band in the next update to Windows, but Microsoft aims to deliver the assertion scripts out-of-band in the future. That approach would allow the company to respond immediately to security events without shipping a component update via servicing.
“Future innovations will make achieving persistence harder, making transient malicious changes more difficult. The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable. One can think of runtime attestation as being more about detecting minute symptoms that can indicate an attack rather than looking for flashing signals,” Microsoft says.