Microsoft's new Kernel Data Protection will make kernel memory read-only and block attacks on Windows 10
Microsoft has revealed details of a new platform security technology which the company says will prevent data corruption attacks.
Kernel Data Protection (KDP) works by marking sections of kernel memory as read-only, so there is no way it can be tampered with. The technology comes in response to the fact that increasing numbers of attackers are using data corruption techniques to bypass security, gain additional privileges, and more.
The shift in attack patterns, Microsoft believes, has come about because attackers who try to use memory corruption techniques are stopped in their tracks by the likes of Code Integrity (CI) and Control Flow Guard (CFG) security technologies. Switching to data corruption attack vectors is a logical sidestep, but Microsoft's new KDP security technology is ready to stand in the way.
Microsoft's Base Kernel Team explains:
Kernel Data Protection (KDP) is a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS). KDP is a set of APIs that provide the ability to mark some kernel memory as read-only, preventing attackers from ever modifying protected memory. For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.
The team also explains that there are benefits to using KDP besides increasing security:
- Performance improvements -- KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
- Reliability improvements -- KDP makes it easier to diagnose memory corruption bugs that don't necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
In order to benefit from KDP, a system simply needs to support virtualization-based security (VBS), the technology upon which it is built.
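To verify that prerequisite on a given machine, here is an added PowerShell example (not code from the article or from Microsoft's post) that reads the Win32_DeviceGuard WMI class and reports whether VBS is running; the status code meanings are assumed to follow Microsoft's documentation for that class.

```powershell
# Added example: report whether the virtualization-based security (VBS)
# prerequisite for KDP is present and running on this system.
# Assumes the standard Win32_DeviceGuard class under root\Microsoft\Windows\DeviceGuard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Code-to-meaning tables, as documented for Win32_DeviceGuard (assumption: unchanged on this OS build)
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)';
               3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$props    = @{ 1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
               4 = 'Secure memory overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations';
               7 = 'Mode-based execution control (MBEC)' }

$status = [int]$dg.VirtualizationBasedSecurityStatus
"VBS status: $($vbsState[$status])"
"Security services running: " +
    (($dg.SecurityServicesRunning | ForEach-Object { $services[[int]$_] }) -join ', ')
"Platform security properties available: " +
    (($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', ')

# KDP is built on VBS, so without VBS running its read-only protection cannot be enforced.
if ($status -ne 2) {
    Write-Warning 'VBS is not running on this system, so KDP-protected kernel memory cannot be enforced.'
}
```

Run from an elevated PowerShell session so the CIM query can read the Device Guard namespace.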
Technical details of how the different varieties of KDP work can be found in this blog post.