Microsoft just announced the launch of a new security technology called Windows Defender System Guard runtime attestation. It’s built into the core Windows operating system and will be delivered to all Windows editions in the near future. Here’s a bit more about the technology and the security benefits it can offer.
What is Windows Defender System Guard runtime attestation?
At its most basic level, Windows Defender System Guard runtime attestation is a client API that will eventually be exposed to a relying party. The idea is that it gives users a method for attesting to the state of their devices and then a way to perform runtime reports in order to evaluate system components.
This security update is thanks in part to the company’s recent reorganization of system integrity features in the Windows 10 Fall Creators Update. This is where Windows Defender System Guard came to be, allowing the company to continually update and add innovations in the area of platform security. So once the first phase of Windows Defender System Guard runtime attestation is added to the Windows platform, it will also be continually updated with new features and support in an effort to create an environment where security violations are observable and effectively communicated in the event of a full system compromise, such as through a kernel-level exploit.
How does it work?
Currently, Microsoft is working toward providing an API that relying parties can use to attest to the state of their devices at that particular point in time. Then, the API returns a runtime report that details all of those claims about the security posture of the system, including assertions about sensitive system properties.
For each runtime report to actually have meaning, it has to provide reasonable resistance against tampering. This means that the generation must be isolated from an attacker, it must be attestable, and it must be cryptographically signed in a manner that is irreproducible outside the isolated environment. Virtual Secure Mode and VBS enclaves are sometimes used in order to create virtualized environments that allow users to pinpoint the data that is secure.
Once you have data that can be included in trusted reports, Windows Defender System Guard can perform a runtime measurement in order to assert the system integrity at runtime, with the security level attesting to security posture.
There are a lot more details that go into the new security feature. You can learn more on Microsoft’s website and then look out for it in the next Windows update.