UPDATED 13:14 EDT / NOVEMBER 17 2020

Microsoft developing ‘Pluton’ security chip for Windows

Microsoft Corp. wants to equip Windows computers with a specialized security chip to be built directly into the main processor.

Pluton, as the company calls the chip, will provide protection against threats such as the infamous Meltdown and Spectre exploits. The technology was detailed today in a blog post by David Weston, Microsoft’s director of enterprise and operating system security.

Pluton is intended as a successor to the so-called TPM security coprocessors that are already found in many modern Windows machines. A TPM is a small chip in charge of guarding the encryption keys used by applications. It can also protect other pieces of data used for security purposes, such as certain files used by Windows to verify that a machine’s firmware hasn’t been tampered with by hackers.

But the TPM chip doesn’t provide a perfect defense against cyberattacks. In fact, under certain circumstances, the chip can theoretically be exploited by hackers to compromise the very machine it was designed to protect. That’s the risk the newly announced Pluton coprocessor detailed by Microsoft aims to mitigate.

One of the main security risks associated with TPM chips stems from the fact that they communicate with a machine’s central processing unit through a piece of hardware called a bus interface. In recent years, researchers have demonstrated that an attacker with physical access to a PC could use the bus interface to intercept sensitive data such as encryption keys. Pluton provides a straightforward solution: It’s attached directly to the CPU so there’s no bus interface for hackers to exploit.

Even though it’s closely integrated with a machine’s processor, Pluton runs separately so the encryption keys it stores are isolated from the CPU. Microsoft says the isolation provides protection against attacks that rely on modern CPUs’ speculative execution feature. The best-known examples of such exploits are the Spectre and Meltdown vulnerabilities discovered in 2018, which prompted Intel Corp. to redesign its chips.

Speculative execution is a technique wherein processors, to speed up computation, perform calculations ahead of time before knowing whether they’re needed. Spectre and Meltdown allowed hackers to read these “speculative” calculations to extract data.

“Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself,” Weston detailed in the blog post announcing Pluton today.

The post didn’t go into detail about the chip’s hardware, but Microsoft did disclose that some of the technology behind Pluton is already used in its Azure Sphere cloud service. The service’s documentation details that it uses a security coprocessor also called Pluton that’s based on an Arm Ltd. design. The Azure Sphere version of Pluton has cryptography-optimized circuits and a hardware random number generator for generating encryption keys. 

Microsoft will work with Intel, Advanced Micro Devices Inc. and Qualcomm Inc. to help them build Pluton into their personal computer processors. Firmware updates to CPU-integrated Pluton chips will be released by Microsoft as part of Windows updates. 

“We believe that processors with built-in security like Pluton are the future of computing hardware,” Weston wrote. “With Pluton, our vision is to provide a more secure foundation for the intelligent edge and the intelligent cloud by extending this level of built-in trust to devices, and things everywhere.”

The company has not yet shared when Pluton will first start appearing in PCs.   
