Microsoft KDP Anti Malware engine under testing

Microsoft is testing a new Windows 10 security feature dubbed Kernel Data Protection (KDP) and designed to block malicious actors from corrupting drivers and software running in the Windows kernel.

Besides adding memory and security protection to Windows 10 devices, KDP also comes with several added benefits, including:

• Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected

• Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities

• Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem

Virtualization-based security used to secure kernel memory

KDP is actually a collection of APIs that make it possible to label parts of the Window kernel memory as read-only to block attackers and malware from modifying protected memory through virtualization-based security (VBS).

VBS makes use of hardware virtualization features to isolate a secure region of memory (virtual secure mode) from the normal Windows operating system.

KDP ‘s capability to mark kernel memory as read-only can also be used by both Windows kernel developers and developers of third-party solutions such as security products, anti-cheat, and digital rights management (DRM) software.

“VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials,”.

Windows can use this ‘virtual secure mode’ to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

KDP is used in the Windows Defender System Guard runtime attestation engine and in the code integrity engine in Windows, two critical features of Secured-core PCs (1, 2) that come with inbuilt protection against firmware attacks.

Secured-core PCs support

Virtualization-based security out of the box and they also come with hardware-backed security features toggled on by default.

Microsoft says that KDP is already available for testing in the latest Windows 10 Insider Build and that it can be used to secure any kind of memory, except executable pages which are already protected by hypervisor-protected code integrity (HVCI).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s