20-07-2021 | | By Sam Brown
The recent announcement of Windows 11 and Intel’s development of increased hardware security demonstrate how hardware security will continue to grow in importance. What challenges does software security face, how are Intel and Windows 11 taking advantage of hardware security, and why will the future of security lie in hardware?
Since the dawn of the computer virus, computers have been under constant attack, whether from nuisance viruses that wipe system files or more recent ransomware that holds computer users’ hostage. Fighting against malware has created a billion-dollar industry that is software security, and such software systems run alongside operating systems and actively look for threats to eliminate.
However, software security can only do so much, and more cyberattacks focus on hardware instead of software. One of the biggest challenges faced with software security is that such systems operate in the same environment as operating systems and malware. In other words, software security is essentially code trying to find destructive code.
This is a challenge for software security as it only allows software security to protect software. While software security can prevent unauthorised access to ports on networks and access to files, it cannot prevent the CPU from executing specific instructions or access to protected areas in memory. For example, software security would not be able to protect a user from a hardware attack against RAM whereby malware uses bit manipulation to read protected areas of RAM via neighbour interference (that is where bits in a protected area of memory can be manipulated by toggling nearby bits in unprotected areas of memory).
The inability for software security to fully protect a system further extends to the booting process; software security that is loaded after the operating system is loaded would never prevent malware located in the booting process. Malware that is loaded on boot may even appear to be a privileged process that could be seen as an operating system function instead of a piece of malicious code.
Of course, software security is also plagued with other challenges, including the consumption of system resources, the need to be frequently updated, and the need to be correctly configured. Simply having software security running on a system is not enough to protect from all attacks, and the increasing number of hardware attacks is showing the weakness of software security.
Recently, Microsoft demonstrated their latest operating system, Windows 11, which is essentially a combination of Windows 10 with Windows Visa (they are bringing back widgets that should have died with Windows Vista). Around the same time, Intel also announced that it will be looking into hardware to help Endpoint Detection and Response (EDR) services, including software security.
Recognising the challenges faced by EDR, Intel is researching the development of hardware accelerators for machine learning and cryptography to improve the performance of EDR. For example, Intel’s 11th generation processors utilise a Threat Detection Technology system that can identify operations commonly found in malware, and once detected, can inform EDR services to inspect the task that requested the operation. This has been demonstrated with the ability for Intel processors to recognise encryption tasks that are commonly used by ransomware.
Windows 11 is also taking advantage of hardware security by better utilising Intel’s Threat Detection Technology. However, Windows 11 is also taking hardware security further by only supporting hardware that utilise a Trusted Platform Module 2.0. Such hardware is often found inside modern processors, but older systems may integrate a separate module on the motherboard that provides trusted boot services. However, this also means that older systems that can run Windows 10 may not be able to support Windows 11 simply due to not having a Trusted Platform Module or CPU that is compatible with Windows 11.
Fundamentally, hardware security runs on a different plane of existence to software; a similar comparison would be 3D beings such as humans trying to understand 4D beings. The software can only operate on the hardware it sits on, and software is generally unable to manipulate the hardware to the same degree that it can affect software.
Of course, software attacks can take advantage of poorly designed hardware (such as side-chain attacks on CPUs to execute arbitrary code), but at the end of the day, it is hardware that runs software, not the other way around. This means that hardware security will always have power over software, and any anomalous execution that is detected can cause a hardware interrupt, which would force the CPU to take action. No amount of software would be able to interfere with such hardware as it would operate outside the realm of the CPU, and if properly designed, interrupts to the CPU could be non-maskable and always enabled.
The ability to integrate security features into silicon helps to catch malware before it becomes a problem, but it can also help reduce system resources by reducing or removing the need for software security (especially on low-end systems such as IoT devices). This would see more system resources dedicated to tasks that are required to be executed, and the lack of software security would remove the need for constant updates. However, it is more likely that software and hardware security will work together whereby hardware security ensures a trusted environment with no pre-loaded malware while software can identify malicious code being stored and executed on the system.
Overall, the move towards trusted platform modules and integrated hardware security into processors demonstrates the growing need for hardware security. Software security can only do so much, and hardware security would help create a confidential computing environment that would see data encrypted on the fly, detect unauthorised malware on boot, and detect malicious code in real-time.