Microsoft has unveiled the blueprint for a new open-source industry standard for platform security called Project Cerberus. It is intended to let organizations tighten security around cloud environments with firmware implementations that can detect, protect against and recover from cyber-attacks.
Project Cerberus provides a hardware root of trust for all platform firmware, on the motherboard (UEFI BIOS, BMC, Option ROMs) and on peripheral I/O devices, by strictly enforcing access control and integrity verification from pre-boot through runtime.
The Cerberus chip is meant to protect platform firmware from a range of threats: malicious insiders or employees with access to hardware and administrative privileges, and malware or attackers exploiting hypervisor, operating system and application bugs. It will also defend against supply-chain attacks and compromised firmware binaries.
“Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system,” Kushagra Vaid, GM, Azure Hardware Infrastructure, wrote in a blog post.
In short, a cryptographic microcontroller running secure code sits between the host and the SPI flash that stores the firmware, continuously measuring and attesting every access so that unauthorized access and malicious updates are blocked; this gives the system robust pre-boot, boot-time and runtime integrity for its firmware components. The Cerberus specifications are CPU- and I/O-architecture agnostic and can be implemented on any platform type across the industry, whether a datacenter server or an IoT device.
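As an added illustration of the flow the two paragraphs above describe (example code, not Microsoft's or the OCP project's): a root of trust that measures the firmware regions in flash before the host boots, checks them against a signed manifest, records every event in a hash chain for attestation, and at runtime lets only a manifest-authorized image be written. The region names, the manifest layout and the HMAC key are assumptions constructed for this example; the real design intercepts individual SPI accesses rather than whole regions and relies on stronger manifest signatures than this HMAC stand-in.

```python
import hashlib
import hmac

MANIFEST_KEY = b"constructed-demo-key"  # stand-in: a real RoT checks an asymmetric signature

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _mac(entries: dict) -> str:
    body = "|".join(f"{n}:{d}" for n, d in sorted(entries.items())).encode()
    return hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()

def sign_manifest(regions: dict) -> dict:
    """Allowlist of per-region firmware digests, authenticated with the manifest key."""
    entries = {name: digest(data) for name, data in regions.items()}
    return {"entries": entries, "mac": _mac(entries)}

class FirmwareRoT:
    def __init__(self, flash: dict, manifest: dict):
        self.flash = dict(flash)   # region name -> bytes in flash (UEFI BIOS, BMC, ...)
        self.manifest = manifest
        self.log = []              # ordered measurement events, replayable by a verifier
        self.pcr = bytes(32)       # running hash chain, TPM PCR style

    def _extend(self, event: str, d: str) -> None:
        self.log.append((event, d))
        self.pcr = hashlib.sha256(self.pcr + bytes.fromhex(d)).digest()

    def pre_boot_verify(self) -> bool:
        """Measure every region before releasing the host from reset; fail closed."""
        if not hmac.compare_digest(_mac(self.manifest["entries"]), self.manifest["mac"]):
            return False           # the manifest itself was tampered with
        measured = {r: digest(b) for r, b in sorted(self.flash.items())}
        for region, d in measured.items():
            self._extend(f"measure:{region}", d)
        return measured == self.manifest["entries"]   # also catches missing/extra regions

    def host_write(self, region: str, data: bytes) -> bool:
        """Runtime interception of a flash write: only a manifest-authorized image lands."""
        d = digest(data)
        if self.manifest["entries"].get(region) != d:
            self._extend(f"blocked-write:{region}", d)  # attempt logged, flash untouched
            return False
        self.flash[region] = data
        self._extend(f"update:{region}", d)
        return True

    def attest(self) -> dict:  # quote for a remote verifier: chain value plus its log
        return {"pcr": self.pcr.hex(), "log": list(self.log)}
```

A verifier replays the returned log from an all-zero chain and compares the result with the reported value, so a blocked write or a tampered region shows up as a mismatch rather than going unnoticed.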
Microsoft plans to open source the Cerberus specifications through the Open Compute Project (OCP), and is collaborating with Intel on implementation models that best secure platform firmware. It is also working with NIST, providing feedback on the draft of Special Publication 800-193.
Microsoft introduced Project Cerberus at Zettastructure, the European digital infrastructure conference, alongside the complete design of Project Olympus, which was only half finished when it launched last year. Microsoft said Olympus is now complete and running in some of its Azure data centers.
Microsoft also said it invests over one billion dollars a year in cybersecurity, most of it going toward making Azure the most trusted platform.