[German]Microsoft is currently testing a new Kernel Data Protection Technology (KDP) with Windows 10 insiders. According to Microsoft, this is intended to prevent malware or attackers from modifying (damaging) the memory of the operating system.
There are various security technologies such as Code Integrity (CI) and Control Flow Guard (CFG) that prevent memory corruption. If attackers notice this, they shift their tactics towards data corruption, as expected. The attackers then use data corruption techniques to target the system's security policy, escalate privileges, manipulate security certificates, and modify "once-initialized" data structures.
Kernel Data Protection (KDP)
In this Techcommunity article Microsoft now introduces its Kernel Data Protection (KDP) technology. The new Kernel Data Protection (KDP) is designed to prevent data corruption attacks by protecting parts of the Windows kernel and drivers with virtualization-based security (VBS). KDP is a set of APIs that provide the ability to mark part of the kernel memory as read-only. This prevents attackers from ever modifying the protected memory.
For example, Microsoft has seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious unsigned driver. KDP mitigates such attacks by ensuring that policy data structures in the kernel cannot be manipulated.
The concept of protecting kernel memory as read-only provides ways to protect the Windows kernel, inbox components, security products, and even third-party drivers such as anti-cheat and digital rights management (DRM) software. In addition to the important security and tamper protection applications of this technology, there are other benefits to be gained:
- Performance enhancements – KDP reduces the burden on credential components that no longer need to regularly check read-only data variables
- Reliability enhancements – KDP makes it easier to diagnose memory corruption errors that are not necessarily security vulnerabilities
- Encourage driver developers and vendors to improve compatibility with virtualization-based security, thereby increasing the acceptance of these technologies in the ecosystem
DP uses technologies that are supported by default on PCs with a secured core and that implement a specific set of device requirements. KDP enhances the security provided by the features that make up secured-core PCs by adding an additional layer of protection for sensitive system configuration data. Microsoft now provides details on Kernel Data Protection (KDP) in this Techcommunity article.
Cookies helps to fund this blog: Cookie settings