Windows Defender System Guard:基于硬件的信任根如何帮助保护 Windows 10Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10

为了保护 Windows 身份验证堆栈、单一登录令牌、Windows Hello 生物识别堆栈和虚拟受信任平台模块等关键资源,系统的固件和硬件必须可信。In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.

Windows Defender System Guard 重新组织现有 Windows 10 系统完整性功能,并设置 Windows 安全性的下一组投资。Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. 它旨在提供以下安全保证:It's designed to make these security guarantees:

  • 在系统启动时保护和维护系统的完整性Protect and maintain the integrity of the system as it starts up
  • 验证是否通过本地和远程证明真正维护了系统完整性Validate that system integrity has truly been maintained through local and remote attestation

在启动时维护系统的完整性Maintaining the integrity of the system as it starts

SRTM 中用于度量的静态 (根) Static Root of Trust for Measurement (SRTM)

在 Windows 7 中,攻击者用于保留和规避检测的一个方法就是在系统上安装通常称为 bootkit 或 rootkit 的项。With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. 此恶意软件将在 Windows 启动之前启动,或在启动过程本身期间启动,从而使它能够从最高级别的特权开始。This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.

Windows 10 在新式硬件 ((即经过 Windows 8 认证或更高版本)上运行时) 基于硬件的信任根可帮助确保任何未经授权的固件或软件 (如 bootkit) 都可以在 Windows 启动加载程序之前启动。With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. 此基于硬件的信任根来自设备的安全启动功能,该功能是统一可扩展固件接口 (UEFI) 。This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 这种测量静态早期启动 UEFI 组件的技术称为 SRTM (测量的静态) 。This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).

由于成千上万的电脑供应商生成具有不同 UEFI BIOS 版本的大量型号,因此在启动时,SRTM 测量数量变得非常大。As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 此处存在两种建立信任的技术:维护已知"错误"SRTM 度量列表 (也称为阻止列表) ,或已知"良好"SRTM 度量列表 (也称为允许列表) 。Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list). 每个选项都有一个缺点:Each option has a drawback:

  • 已知"错误"SRTM 度量列表允许黑客在组件中仅更改 1 位,以创建需要列出的全新 SRTM 哈希。A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. 这意味着 SRTM 流本质上是轻量型的 , 一个小更改会使整个信任链失效。This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
  • 已知"良好"SRTM 度量列表要求仔细添加每个新的 BIOS/PC 组合度量,这速度很慢。A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. 此外,UEFI 代码 Bug 修复可能需要很长时间才能设计、生成、重新测试、验证和重新部署。In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.

安全启动 - 用于测量的动态信任根 (DRTM) Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)

Windows Defender Windows 10 版本 1809 中首次引入的 System Guard 安全启动旨在通过利用称为"用于测量的动态信任根"技术 (DRTM) 。Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM 允许系统最初自由启动到不受信任的代码,但在将系统启动到受信任状态后不久,通过控制所有 CPU 并强制它们关闭已知且测量的代码路径。DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. 这样做的好处是允许不受信任的早期 UEFI 代码启动系统,但随后能够安全地过渡到受信任且测量的状态。This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.

System Guard 安全启动

安全启动简化了 SRTM 度量的管理,因为启动代码现在与特定硬件配置无关。Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. 这意味着有效代码度量的数量很小,并且可以更广泛、更快速地部署未来的更新。This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.

系统管理模式 (SMM) 保护System Management Mode (SMM) protection

系统管理模式 (SMM) 是 x86 中一种特殊用途的 CPU 模式,可处理电源管理、硬件配置、热监视和制造商认为有用的任何其他内容。System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. 每当请求这些系统操作之一时,都会在运行时调用非可屏蔽中断 (SMI) ,这将执行 BIOS 安装的 SMM 代码。Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM 代码在最高特权级别执行,并且对操作系统不可见,这使得它成为恶意活动极具吸引力的目标。SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. 即使 System Guard 安全启动用于延迟启动,SMM 代码也可以访问虚拟机监控程序内存并更改虚拟机监控程序。Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. 为防御这种情况,使用了两种技术:To defend against this, two techniques are used:

  1. 分页保护,以防止对代码和数据进行不当访问Paging protection to prevent inappropriate access to code and data
  2. SMM 硬件监督与证明SMM hardware supervision and attestation

可以实施分页保护,将某些代码表锁定为只读以防止篡改。Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. 这将阻止访问任何未专门分配的内存。This prevents access to any memory that has not been specifically assigned.

硬件强制执行的处理器功能(称为主管 SMI 处理程序)可以监视 SMM,并确保它不会访问不应访问的地址空间的任何部分。A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to.

SMM 保护基于安全启动技术构建,要求它正常运行。SMM protection is built on top of the Secure Launch technology and requires it to function. 将来,Windows 10 还将测量此 SMI 处理程序的行为,并证明操作系统拥有的内存未被篡改。In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with.

在 Windows 运行时运行后验证 (完整性) Validating platform integrity after Windows is running (run time)

尽管 Windows Defender System Guard 提供了高级保护,有助于在启动期间和运行时保护和维护平台的完整性,但现实是,我们必须将"假设泄露"意识应用到我们的最复杂的安全技术。While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. 我们可以信任这些技术能够成功完成他们的工作,但我们还需要能够验证它们是否成功完成了目标。We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. 当涉及到平台完整性时,我们不仅仅是信任可能受到威胁的平台,来自我证明其安全状态。When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. 因此Windows Defender System Guard 包括一系列支持远程分析设备完整性的技术。So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.

当 Windows 10 启动时,Windows Defender System Guard 使用设备的受信任的平台模块 2.0 (TPM 2.0) 。As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard 安全启动将不支持早期 TPM 版本,如 TPM 1.2。System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. 此过程和数据与 Windows 与硬件隔离,以帮助确保测量数据不受平台损坏时可能发生的篡改类型影响。This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. 在此处,测量可用于确定设备固件、硬件配置状态和 Windows 启动相关组件的完整性,仅提供几个指标。From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few.


系统启动后,Windows Defender使用 TPM 对系统防护进行标记并密封这些测量。After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. 根据请求,管理系统(如 Intune 或 Microsoft Endpoint Manager)可以获取它们进行远程分析。Upon request, a management system like Intune or Microsoft Endpoint Manager can acquire them for remote analysis. 如果Windows Defender System Guard 指示设备缺乏完整性,则管理系统可以执行一系列操作,例如拒绝设备访问资源。If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.