Microsoft Adds New Data Corruption Preventions to Windows

Microsoft this week announced Kernel Data Protection (KDP), new technology that aims to protect the Windows kernel and drivers from data corruption attacks.


Such attacks can result in modifications to system security policies, privilege escalation, and security attestation tampering, among others, and Microsoft’s KDP aims to prevent them through virtualization-based security (VBS).


KDP includes a set of APIs through which some kernel memory is marked as read-only and cannot be modified. By preventing the tampering with policy data structures, for example, KDP can mitigate attacks where malicious, unsigned drivers are installed on the system.


Making kernel memory read-only can be used to mitigate attacks on Windows kernel, security products, inbox components, and third-party drivers, and can also result in improved performance and reliability, while driving adoption to virtualization-based security.


KDP builds upon the technology included by default in Secured-core PCs and adds another layer of protection for configuration data.


In Windows 10, KDP is implemented in two parts, namely static KDP, where software running in kernel mode can protect a section of its own image, and dynamic KDP, where kernel-mode software can “allocate and release read-only memory from a ‘secure pool’,” Microsoft says.


Already included in the latest Windows 10 Insider Build, the KDP (both dynamic and static) does not work with executable pages, since protection to those is provided by hypervisor-protected code integrity (HVCI).


“Both static KDP and dynamic KDP rely on the physical memory being protected by the SLAT [second-level address translation] in the hypervisor. When a processor supports the SLAT, it uses another layer for memory address translation,” the tech company explains.


..

Support the originator by clicking the read the rest link below.