Microsoft KDP anti-malware engine under testing
Microsoft is testing a new Windows 10 security feature dubbed Kernel Data Protection (KDP) and designed to block malicious actors from corrupting drivers and software running in the Windows kernel.
Besides adding memory and security protection to Windows 10 devices, KDP also comes with several added benefits, including:
• Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
• Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
• Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
Virtualization-based security used to secure kernel memory
KDP is actually a collection of APIs that make it possible to mark parts of Windows kernel memory as read-only, using virtualization-based security (VBS) to block attackers and malware from modifying the protected memory.
VBS makes use of hardware virtualization features to isolate a secure region of memory (virtual secure mode) from the normal Windows operating system.
KDP's capability to mark kernel memory as read-only can also be used by both Windows kernel developers and developers of third-party solutions such as security products, anti-cheat, and digital rights management (DRM) software.
“VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials.”
Windows can use this ‘virtual secure mode’ to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.
KDP is used in the Windows Defender System Guard runtime attestation engine and in the code integrity engine in Windows, two critical features of Secured-core PCs that come with built-in protection against firmware attacks.
Secured-core PCs support virtualization-based security out of the box, and they also come with hardware-backed security features toggled on by default.
Microsoft says that KDP is already available for testing in the latest Windows 10 Insider Build and that it can be used to secure any kind of memory, except executable pages, which are already protected by hypervisor-protected code integrity (HVCI).
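Because KDP relies on the hypervisor that VBS and HVCI provide, the first check a defender or driver developer will want before testing it is whether those components are actually running on the machine. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the documented Win32_DeviceGuard WMI class and reports VBS and HVCI status. The human-readable labels for the numeric status codes are taken from the class documentation, and the warning threshold (VBS status 2 plus HVCI in the running-services list) is this example's own choice.

```powershell
# Added example (not from the article): confirm that virtualization-based security (VBS)
# and hypervisor-protected code integrity (HVCI), the foundation KDP builds on, are running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

# SecurityServicesRunning / SecurityServicesConfigured: 0 = none, 1 = Credential Guard,
# 2 = HVCI (memory integrity), 3 = System Guard Secure Launch, 4 = SMM firmware measurement
$services = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'Secure Launch'; 4 = 'SMM measurement' }

$running    = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] })
$configured = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] })

Write-Host ("VBS status : {0}" -f $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])
Write-Host ("Running    : {0}" -f ($running -join ', '))
Write-Host ("Configured : {0}" -f ($configured -join ', '))

# KDP write-protection is enforced by the hypervisor, so without VBS running (status 2)
# and HVCI among the running services (value 2) there is nothing for KDP to stand on.
if ($dg.VirtualizationBasedSecurityStatus -ne 2 -or -not ($dg.SecurityServicesRunning -contains 2)) {
    Write-Warning 'VBS with HVCI is not running on this machine; KDP protections depend on the hypervisor being active.'
} else {
    Write-Host 'VBS and HVCI are running; the platform prerequisites for KDP are in place.'
}
```

The script needs no elevation to read the class, but a status of "Enabled, not running" usually means the feature is configured in policy yet the hardware or firmware prerequisites (virtualization extensions, IOMMU, UEFI) are missing or disabled, which is the case to investigate before expecting KDP to have any effect.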