Microsoft introduces a new security technology: Kernel Data Protection (KDP) for preventing data corruption on Windows 10
Microsoft appears to be aiming for a major improvement in data security: we recently saw the company launch Advanced Threat Protection for Windows, Linux, and Android smartphones, and now, as posted on the official Microsoft blog, it has introduced Kernel Data Protection, a new platform security technology for preventing data corruption.
Kernel Data Protection (KDP) is a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS). KDP is a set of APIs that provide the ability to mark some kernel memory as read-only, preventing attackers from ever modifying protected memory.
For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.
Besides adding memory and security protection to Windows 10 devices, KDP also comes with several added benefits, including:
- Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
- Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
In VBS environments, the normal NT kernel runs in a virtualized environment called VTL0, while the secure kernel runs in a more secure and isolated environment called VTL1. KDP is intended to protect drivers and software running in the Windows kernel (i.e., the OS code itself) against data-driven attacks. It is implemented in two parts:
- Static KDP enables software running in kernel mode to statically protect a section of its own image from being tampered with from any other entity in VTL0.
- Dynamic KDP helps kernel-mode software to allocate and release read-only memory from a “secure pool”. The memory returned from the pool can be initialized only once.
Getting started with KDP
Neither dynamic nor static KDP has any requirements beyond those needed to run virtualization-based security. In ideal conditions, VBS can be started on any computer that supports:
- Intel, AMD or ARM virtualization extensions
- Second-level address translation: NPT for AMD, EPT for Intel, Stage 2 address translation for ARM
- Optionally, hardware MBEC, which reduces the performance cost associated with HVCI
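As an added example (not code from Microsoft's post), the following PowerShell snippet reports whether a machine currently meets the VBS prerequisites listed above, reading the documented Win32_DeviceGuard WMI class; the numeric codes are those documented for that class, and the readiness interpretation is mine.

```powershell
# Added example: check the VBS state that KDP depends on, via the documented
# Win32_DeviceGuard class. Run from an elevated PowerShell prompt.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# AvailableSecurityProperties: platform features the firmware/hardware exposes.
$propertyNames = @{
    1 = 'Hypervisor support (virtualization extensions + second-level address translation)'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2
$mbecPresent = $dg.AvailableSecurityProperties -contains 7

Write-Host "VBS status : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
Write-Host "HVCI       : $(if ($hvciRunning) { 'running' } else { 'not running' })"
Write-Host 'Available security properties:'
foreach ($code in $dg.AvailableSecurityProperties) {
    $name = if ($propertyNames.ContainsKey([int]$code)) { $propertyNames[[int]$code] } else { "Unknown ($code)" }
    Write-Host "  - $name"
}

# KDP requires nothing beyond VBS itself, so VBS running is the gate that matters.
if ($vbsRunning) {
    Write-Host 'VBS is running: the prerequisite for KDP is met.' -ForegroundColor Green
} else {
    Write-Warning 'VBS is not running: KDP protections cannot be active on this machine.'
}
if (-not $mbecPresent) {
    # MBEC is optional; without it VBS still works but HVCI carries a higher performance cost.
    Write-Host 'Note: hardware MBEC not reported by the platform.'
}
```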
On Secured-core PCs, virtualization-based security is supported and hardware-backed security features are enabled by default. Customers can find Secured-core PCs from a variety of partner vendors that feature the comprehensive Secured-core security features that are now enhanced by KDP.