Microsoft released the first technical details yesterday about a new security feature that will soon be part of Windows 10: Kernel Data Protection (KDP). This new technology is meant to protect certain vulnerable parts of the Windows kernel (the system core) so that malware cannot modify them.
Such modification is usually carried out through data corruption attacks, which cyber criminals use to “attack the system’s security policy, escalate privileges, alter security certification, etc.” KDP prevents this kind of attack by marking parts of kernel memory as read-only.
KDP also provides developers with access to programmatic APIs that they can use to establish which parts of the Windows kernel need to be protected at any given time. As the development team explains:
“We have seen attackers use signed but vulnerable drivers to violate policy data structures and install a malicious and unsigned driver.
KDP mitigates these attacks by ensuring that policy data structures cannot be manipulated.”
Microsoft highlights that, while cybersecurity is the primary application of KDP, it also offers other benefits: performance improvements, and use by anti-cheat and digital rights management (DRM) applications.
Currently, KDP is already included in the latest Windows 10 Insider build (the preview version available only to certain users), but Microsoft has not yet set a date for this technology to land in the stable version of Windows 10.
The role of VBS
This Microsoft technology is built on another one that works beneath it: VBS, which does not stand for ‘Visual Basic Script’ but is the acronym for ‘Virtualization-Based Security’. VBS is what allows a memory region to be isolated from the operating system and placed inside a ‘Virtual Secure Mode’ that prevents its manipulation, even by Windows itself.
VBS support is the only requirement for a computer to be able to use the new Kernel Data Protection. That support comes from the presence of Intel, AMD or ARM virtualization extensions, together with their respective second-level address translation (SLAT) mechanisms: NPT for AMD, EPT for Intel, etc.
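Since VBS is the prerequisite the article names, the practical check on a given machine is whether VBS is available and actually running. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the Win32_DeviceGuard WMI class (the same data msinfo32 shows under “Virtualization-based security”) and decodes the status codes. The decoding tables are assumptions taken from the documented meaning of that class’s values; KDP itself exposes no user-mode status, so this only tells you whether the layer it depends on is present.

```powershell
# Added example (not from the article): report whether VBS, the layer KDP depends on,
# is available and running on this machine, using the Win32_DeviceGuard class.
# Value-to-name tables below are assumptions based on the class documentation.
function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    # AvailableSecurityProperties: hardware/firmware capabilities VBS can rely on.
    # Property 1 is the hypervisor requirement (virtualization extensions + SLAT) the article describes.
    $properties = @{
        0 = 'No relevant properties'
        1 = 'Hypervisor support (virtualization extensions + SLAT)'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure memory overwrite'
        5 = 'NX protection / UEFI code read-only'
        6 = 'SMM security mitigations'
        7 = 'Mode-based execution control (MBEC/GMET)'
        8 = 'APIC virtualization'
    }

    # SecurityServicesRunning: VBS-backed services currently active.
    $services = @{
        0 = 'None'
        1 = 'Credential Guard'
        2 = 'Hypervisor-enforced code integrity (HVCI)'
        3 = 'System Guard Secure Launch'
    }

    # Decode a list of numeric codes, keeping unknown codes visible instead of dropping them.
    function Decode([hashtable]$table, $codes) {
        @($codes | ForEach-Object {
            $k = [int]$_
            if ($table.ContainsKey($k)) { $table[$k] } else { "Unknown ($k)" }
        })
    }

    $status = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{
        VbsStatus           = if ($vbsStatus.ContainsKey($status)) { $vbsStatus[$status] } else { "Unknown ($status)" }
        VbsRunning          = ($status -eq 2)
        HypervisorCapable   = [bool](@($dg.AvailableSecurityProperties) -contains 1)
        AvailableProperties = Decode $properties $dg.AvailableSecurityProperties
        ServicesRunning     = Decode $services   $dg.SecurityServicesRunning
    }
}

Get-VbsReadiness | Format-List
```

Run it from an elevated PowerShell prompt on Windows 10; a machine that reports `HypervisorCapable : False` lacks the virtualization extensions or SLAT support the article lists as the requirement, and one that reports `VbsStatus : Enabled but not running` usually has VBS configured but blocked by firmware settings (for example, virtualization disabled in UEFI).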
Via | ZDNet