2021 and the start of 2022 have seen continued innovation in the attack landscape as cybercriminals refine tactics and tools to evade defenses. 2021 was the highest year on record for zero-day exploits, and it also brought increased firmware attacks and new tampering attacks targeting security agents. Microsoft and our silicon partners have been vigilant in working to address these trends, and we’re proud to share that Qualcomm and Microsoft have partnered on innovations designed to help keep the security capabilities in Windows 11 ahead of attackers.
We’re excited today to announce that the Lenovo ThinkPad X13s, built with the Qualcomm Snapdragon 8cx Gen 3, is the first ARM platform for Windows that is built on the Microsoft Pluton security architecture. Pluton is at the center of the security capabilities for Windows 11 providing protection in the boot, identity, credential protection and encryption processes. Pluton also supports chip-to-cloud zero trust using the Azure Attestation Service with Intune. Beyond integrating Pluton, the Lenovo ThinkPad X13s is also a certified secured-core PC, which provides the best possible security capabilities for Windows 11 right out of the box.
Pluton provides security from the chip to the cloud
Microsoft Pluton is a security processor architecture, pioneered in Xbox and Azure Sphere, that is designed to store sensitive data, like encryption keys, securely with hardware that is integrated into the die of a device’s CPU. This makes access more difficult for attackers, even if they have physical possession of a device.
Windows 11 PCs built on top of Qualcomm’s latest Snapdragon 8cx Gen 3 Compute Platform, with the Qualcomm® Secure Processing Unit (SPU), will leverage advanced hardware capabilities from Microsoft Pluton and Pointer Authentication Codes (PAC). Pluton keeps sensitive data such as keys in hardware, while the built-in countermeasures from PAC protect against common exploit patterns, helping customers strengthen their device security posture. On Windows 11 PCs like the Lenovo ThinkPad X13s built with the Qualcomm Snapdragon 8cx Gen 3 Compute Platform, Pluton will provide customers with:
- Security updates delivered from the cloud to Pluton
Alongside support for standard industry controls, Microsoft will help keep the Pluton security processor’s firmware up to date through the Windows Update process.
- Physical attack resistance
With Pluton being on the die of the device’s System on a Chip (SoC), attack vectors like bus interfaces that pass data between the SoC and other components on a motherboard are not exposed to physical attacks.
- Trusted, proven security built alongside our partners
Built on approaches and technologies used in Xbox and Azure Sphere, Pluton is the result of years of collaboration between Microsoft, Qualcomm Technologies and our other ecosystem partners. Alongside other lessons learned from Xbox that have been incorporated into secured-core PCs, which help reduce malware instances by 60%, and the Windows 11 hardware baselines, Pluton helps to protect sensitive data and add visibility to the boot process in tamper-resistant ways.
ARM pointer authentication in the QC 8CX G3 helps customers stay ahead of zero-day exploits
With zero-day exploits targeting memory safety issues reaching record numbers in 2021, Microsoft has continued investing in mitigations against sources of vulnerabilities, including partnering with silicon providers to launch new capabilities like hardware shadow stacks, which help disrupt common zero-day exploit techniques. The hardware stack protection (HSP) feature in Windows 11 leverages hardware support to efficiently store return addresses in a shadow stack alongside the software call stack in all programs. This helps to address a common attack in zero-day exploits where the software stack is modified or hijacked to execute malicious code. With the HSP feature, the return addresses on the software stack must match the return addresses stored in hardware. If there is a mismatch, the process is safely terminated by the operating system, preventing a successful attack.
With Windows 11 on the Snapdragon 8cx Gen 3, the ARM pointer authentication hardware capability provides similar robust mitigation against exploits that leverage return-oriented programming (ROP) or stack modification techniques on ARM-based Windows systems.
Windows binaries are compiled with Pointer Authentication Code instructions, injecting a hash (the PAC) for the return address at the function prologue and verifying the hash immediately before the function returns to confirm that the return address has not been tampered with. Windows 11 utilizes the Snapdragon 8cx Gen 3 hardware schemes to generate and verify the PAC, providing resilience against attacks that overwrite the intended return address. This helps to break a common technique attackers use to try to execute malicious code.
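To make the prologue/epilogue flow concrete, here is an added, constructed C model of return-address signing (it is not Microsoft or Qualcomm code). The mixing function, the 48-bit address split and the key value are simplifications standing in for the hardware's cipher and key registers; the point is that a saved return address whose low bits were modified, or a valid signature replayed under a different stack pointer, fails authentication exactly as the text describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of ARMv8.3 return-address signing (paciasp/autiasp).
 * User-space addresses use the low 48 bits, so the PAC lives in the unused
 * top 16 bits. The mixing function is a toy, not the cipher hardware uses. */
#define VA_BITS  48
#define PAC_MASK (~((1ULL << VA_BITS) - 1))
/* Hypothetical per-process instruction key; real hardware holds it in system
 * registers that user-mode code cannot read or write. */
static const uint64_t apia_key = 0x9E3779B97F4A7C15ULL;
/* XOR-fold the low 48 bits into 16; any single-bit change alters the result. */
static uint16_t fold48(uint64_t v) { return (uint16_t)(v ^ (v >> 16) ^ (v >> 32)); }
/* PAC = invertible mix of pointer, modifier (SP at the prologue) and key. */
static uint64_t compute_pac(uint64_t ptr, uint64_t modifier, uint64_t key) {
    uint16_t t = fold48(ptr) ^ fold48(modifier) ^ fold48(key) ^ (uint16_t)(key >> 48);
    t = (uint16_t)(t * 0x9E37u);   /* odd multiplier: invertible mod 2^16 */
    t ^= t >> 7;                   /* xorshift: invertible on 16 bits */
    return (uint64_t)t << VA_BITS;
}

/* paciasp: sign LR with SP as modifier, storing the PAC in the top bits. */
uint64_t sign_return_address(uint64_t lr, uint64_t sp) {
    uint64_t addr = lr & ~PAC_MASK;
    return addr | compute_pac(addr, sp, apia_key);
}

/* autiasp: recompute and compare. Hardware turns a mismatch into a non-canonical
 * address so the return faults and the OS terminates the process; here it is a bool. */
bool authenticate_return_address(uint64_t signed_lr, uint64_t sp, uint64_t *out) {
    uint64_t addr = signed_lr & ~PAC_MASK;
    if (compute_pac(addr, sp, apia_key) != (signed_lr & PAC_MASK)) return false;
    *out = addr;
    return true;
}

/* One frame: sign LR in the prologue, XOR the saved slot with `tamper`
 * (0 = untouched), authenticate in the epilogue under SP + sp_delta. */
bool frame_return_accepted(uint64_t lr, uint64_t sp, uint64_t tamper, uint64_t sp_delta) {
    uint64_t saved_lr = sign_return_address(lr, sp) ^ tamper, out = 0;
    return authenticate_return_address(saved_lr, sp + sp_delta, &out) && out == lr;
}

int main(void) {
    const uint64_t lr = 0x00007ff612345678ULL, sp = 0x0000fffff7ff0000ULL; /* constructed */
    printf("intact saved LR accepted:      %d\n", frame_return_accepted(lr, sp, 0, 0));
    printf("saved LR with bit 4 flipped:   %d\n", frame_return_accepted(lr, sp, 0x10, 0));
    printf("valid PAC replayed, wrong SP:  %d\n", frame_return_accepted(lr, sp, 0, 0x40));
    return 0;
}
```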
Windows 11 and the Snapdragon 8cx Gen 3 provide advanced capabilities like Microsoft Pluton, Secured-core firmware protection and ARM Pointer Authentication, which together provide the best level of protection for Windows PCs. With devices like the Lenovo ThinkPad X13s with Windows 11, customers are empowered to work and play from anywhere with greater peace of mind knowing that protection is built-in from the chip to the cloud to keep attackers at bay.