Microsoft Unveils Project Cerberus OCP Hardware for Secure Clouds

Project Cerberus, Microsoft's latest contribution to the Open Compute Project community, makes it tougher for attackers and malware to mess with cloud servers' firmware.

cloud security

Having already tackled cloud servers with Project Olympus OCP (Open Compute Project) hardware designs, Microsoft is now turning its attention to security.

Microsoft unveiled its latest open hardware project called Project Cerberus, which is aimed at helping organizations harden their cloud environments against cyber-attacks, at the Zettastructure conference in London. In Greek mythology, Cerberus is the multiheaded dog that stands guard at the entrance to the Underworld, preventing the dead from escaping.

In data centers, Microsoft hopes Project Cerberus will prevent malware and attackers from invading the cloud workloads.

Kushagra Vaid, general manager of Azure hardware infrastructure at Microsoft, said Project Cerberus "provides a critical component for security protection that to date has been missing from server hardware—protection, detection and recovery from attacks on platform firmware," in a Nov. 8 announcement. "Project Cerberus envisions that data can be processed in the cloud with the confidence that it's running on hardware with uncompromised firmware."

On a technical level, Vaid described Project Cerberus as a hardware "root of trust" that complies with the NIST (National Institute of Standards and Technology) 800-193 Platform Firmware Resiliency Guidelines. Covering both a motherboard's firmware and attached I/O devices, it enforces integrity verification and strict access control that spans the pre-boot process all the way through runtime operations.

Project Cerberus includes a cryptographic microcontroller that runs secure code and intercepts access attempts from the host system to "flash" or update the firmware over the SPI (Serial Peripheral Interface) bus. By continually blocking malicious updates and unauthorized access to a server's firmware, this method locks down one of the most desirable low-level resources on a server, at least from an attacker's perspective.

IT professionals take BIOS (Basic Input/Output System) firmware security very seriously. A successful attack against a motherboard's firmware could give an attacker complete control over an affected system and unrestricted access to the data stored on it. Those with a cruel streak could also use BIOS vulnerabilities not only to gain access to a system, but also to "brick" it, or render it inoperable.

Making matters worse, such attacks can be very difficult to detect, since they run on a foundational level that is outside the purview of anti-malware software. During the Black Hat USA security conference in July, Cylance principal research scientist Alex Matrosov discussed how lax implementations of Intel's BIOS firmware protections, or UEFI (Unified Extensible Firmware Interface), led to privilege escalation flaws on a number of PCs.

Microsoft is working with Intel on draft specifications for Project Cerberus, which the company plans to open source to the OCP. More details are available here.

Meanwhile, Project Olympus, Microsoft's other open hardware initiative, is wending its way across the company's Azure cloud computing platform. Vaid reported that systems based on the specification have been "deployed in volume production" and are powering the company's fastest Azure Virtual Machine (VM) family (Fv2 VMs). Project Olympus systems are also commercially available from Wiwynn and ZT Systems, with more server makers on the way.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the Internet.com network of...