Microsoft has unveiled a new feature of Windows 10 that aims to counter cyber attacks by making it impossible for attackers to modify sensitive parts of kernel memory that contain data. The feature is called Kernel Data Protection, KDP for short. Microsoft, through a post by Andrea Allievi, Senior Core OS Engineer, explained in detail why KDP was born, what its purpose is, and what benefits this novelty brings.
KDP was designed to block attacks that aim to compromise Windows systems by corrupting memory containing data. The technology was designed to complement HVCI (hypervisor-protected code integrity), which makes memory containing executable code read-only. Some types of malware, for example, try to manipulate data sections used by drivers in order to install a malicious driver on the target computer. This is only one example, because KDP can also help when an attacker modifies a driver's data section to obtain indirect code execution.
“KDP is intended to protect drivers and software running in the Windows kernel (i.e. the operating system code itself) from data-driven attacks,” wrote Allievi in the post. “Consequently, no software running in the NT kernel (VTL0) will ever be able to modify the contents of the protected memory.”
“For example, we have seen attackers use signed but vulnerable drivers to attack the policies of the Code Integrity module and install an unsigned malicious driver. KDP mitigates these attacks by ensuring that this policy cannot be compromised.” For data protection, KDP relies on another low-level feature called VBS (Virtualization-Based Security). VBS uses the native virtualization capabilities of Windows 10 to create a protected environment (a sort of mini virtual machine) and to provide the main operating system with multiple security functions (HVCI, HyperGuard, SKCI, Secure Enclaves).
Microsoft allows developers to interact with KDP through a set of APIs. In addition to making Windows more secure, KDP could improve performance and have useful applications for partners, such as those who create software dedicated to cyber security or anti-cheat for video games. Another benefit is that it helps developers find bugs in their programs. “KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities,” said Allievi.
KDP is available for testing in the latest Windows Insider build. To take advantage of the technology, a system that supports VBS virtualization is needed (in 2020 practically a “standard”), as well as a couple of other hardware features such as second-level address translation (SLAT) and virtualization extensions from Intel, AMD or ARM. These features are among the many enabled on high-end laptops that are part of Microsoft’s Secured-Core PC initiative.
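As an added check that is not part of the article, the following PowerShell snippet reads the Win32_DeviceGuard WMI class to report whether a machine has VBS and HVCI running, which KDP builds on; the meaning of the numeric codes is taken from Microsoft's Device Guard readiness documentation, and the class reports VBS/HVCI state only, not KDP itself.

```powershell
# Added example (not from the article): report whether this machine meets the
# VBS/HVCI prerequisites the article lists, using the Win32_DeviceGuard WMI class.
# Numeric code meanings follow Microsoft's Device Guard readiness documentation.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$propertyNames = @{
    1 = 'Hypervisor support (virtualization extensions with SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode-based execution control'
}
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-protected code integrity)' }
$vbsStatus    = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'running' }

"VBS status: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"

"Hardware security properties available:"
foreach ($p in $dg.AvailableSecurityProperties) {
    "  [$p] $($propertyNames[[int]$p])"
}

"Security services running:"
foreach ($s in $dg.SecurityServicesRunning) {
    "  [$s] $($serviceNames[[int]$s])"
}

# KDP builds on HVCI, so both VBS and HVCI must be running before it can be used.
$vbsRunning  = [int]$dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2
if ($vbsRunning -and $hvciRunning) {
    "Prerequisites met: VBS and HVCI are running."
} else {
    "Prerequisites NOT met: VBS running=$vbsRunning, HVCI running=$hvciRunning."
}
```

Run it from an elevated PowerShell session; on a machine without VBS support the class still exists but reports status 0 and an empty list of running services.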