April 26, 2024

Microsoft is testing a new Windows 10 security feature dubbed Kernel Data Protection (KDP) and designed to block malicious actors from corrupting drivers and software running in the Windows kernel.

Besides adding memory and security protection to Windows 10 devices, KDP also comes with several added benefits, including:

• Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected

• Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities

• Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem

Virtualization-based security used to secure kernel memory

KDP is actually a collection of APIs that make it possible to label parts of the Window kernel memory as read-only to block attackers and malware from modifying protected memory through virtualization-based security (VBS).

VBS makes use of hardware virtualization features to isolate a secure region of memory (virtual secure mode) from the normal Windows operating system.

KDP ‘s capability to mark kernel memory as read-only can also be used by both Windows kernel developers and developers of third-party solutions such as security products, anti-cheat, and digital rights management (DRM) software.

“VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials,”.

Windows can use this ‘virtual secure mode’ to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

KDP is used in the Windows Defender System Guard runtime attestation engine and in the code integrity engine in Windows, two critical features of Secured-core PCs (1, 2) that come with inbuilt protection against firmware attacks.

Secured-core PCs support

Virtualization-based security out of the box and they also come with hardware-backed security features toggled on by default.

Microsoft says that KDP is already available for testing in the latest Windows 10 Insider Build and that it can be used to secure any kind of memory, except executable pages which are already protected by hypervisor-protected code integrity (HVCI).

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

GitLab April 2024 Security Advisory – CVE-2024-2434

April 26, 2024

CISA KEV Update April 2024 – Part II

April 25, 2024

ArcaneDoor Exploits Cisco ASA and FTD

April 25, 2024

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading