Windows 10 gets new kernel security features

Posted on Thursday, July 09 2020 @ 12:35 CEST by Thomas De Maesschalck
The latest Windows 10 Insider build introduces Kernel Data Protection, a new security feature that can help to thwart malware attacks. Kernel Data Protection is designed to prevent attackers from corrupting the system memory to gain unauthorized access.

Microsoft explains how it works on its security blog. Kernel Data Protection is a set of APIs that allow developers to mark some kernel memory as read-only, so that an attacker who gains a write primitive in the kernel still cannot modify the protected data. Besides the Windows kernel itself, it also has applications for security products, anti-cheat technology, and digital rights management (DRM) software. The software giant also mentions that, besides enhancing OS security, Kernel Data Protection boosts performance and increases reliability. Microsoft writes:
Kernel Data Protection (KDP) is a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS). KDP is a set of APIs that provide the ability to mark some kernel memory as read-only, preventing attackers from ever modifying protected memory. For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.

The concept of protecting kernel memory as read-only has valuable applications for the Windows kernel, inbox components, security products, and even third-party drivers like anti-cheat and digital rights management (DRM) software. On top of the important security and tamper protection applications of this technology, other benefits include:

  • Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
  • Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
  • Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem

It's unknown when Kernel Data Protection will be added to the regular Windows 10 builds.
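The quoted post says KDP is built on virtualization-based security, so a machine on which VBS is not running cannot benefit from it. As an added example (not code from the article or from Microsoft's blog post), the PowerShell check below reads the Win32_DeviceGuard WMI class to report whether VBS is configured and running on a host and which VBS-backed services are active. The numeric meanings of VirtualizationBasedSecurityStatus and the service IDs are taken from Microsoft's documentation of that class and are the assumptions this script relies on.

```powershell
# Added example, not from the article or from Microsoft's blog post.
# Reads the Win32_DeviceGuard class (namespace root\Microsoft\Windows\DeviceGuard)
# to report whether virtualization-based security (VBS), which KDP builds on,
# is configured and running. Run from an elevated PowerShell prompt.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented values of VirtualizationBasedSecurityStatus (assumption: per the class docs):
#   0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

# Documented service IDs used in SecurityServicesConfigured / SecurityServicesRunning:
#   1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (memory integrity),
#   3 = System Guard Secure Launch
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'; 3 = 'System Guard Secure Launch' }

function ConvertTo-ServiceList {
    param([uint32[]]$Ids)
    $names = foreach ($id in $Ids) {
        if ($serviceNames.ContainsKey([int]$id)) { $serviceNames[[int]$id] } else { "Service ID $id" }
    }
    if ($names) { $names -join ', ' } else { '(none)' }
}

[pscustomobject]@{
    VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = ConvertTo-ServiceList -Ids $dg.SecurityServicesConfigured
    ServicesRunning    = ConvertTo-ServiceList -Ids $dg.SecurityServicesRunning
}

if ([int]$dg.VirtualizationBasedSecurityStatus -ne 2) {
    Write-Warning 'VBS is not running on this machine; VBS-backed protections such as KDP cannot be active.'
}
```

The same information is shown in the System Summary pane of msinfo32 under "Virtualization-based security"; the script is just the scriptable form of that check for fleet-wide inventory.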
