PointWire

Microsoft reveals KERNEL DATA PROTECTION (KDP). This new technology prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualisation-based security.

What is Kernel Data Protection?

Windows 10 KDP is a set of API’s that allow certain parts of kernel data to be marked as ‘read only’ which prevents hackers from ever meddling with the protected memory. This signals a significant step in Windows Security and has uses along a wide range of applications such as the Windows kernel, inbox components, and security products, but also anti-cheat and DRM software in computer games.

Microsoft also quote improvements in:

  • Performance – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected.
  • Reliability – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities.
  • Virtualisation compatibility – Providing an incentive for driver developers and vendors to improve compatibility with virtualisation-based security, improving adoption of these technologies in the ecosystem.

A Necessary Change?

Microsoft’s move towards this sort of protection is a reaction to the attacker’s shift in using data corruption attacks in order to access systems. As the attackers move the goal posts, Microsoft has had to move with them and have been forced to innovate in order to protect its users. And innovate they have!

Virtualisation Innovation:

What makes this piece of security innovation possible is the use of virtualisation. The hardware’s virtualisation features are used to create and isolate a secure region of memory from the operating system. This offers up massive protection from vulnerabilities within the operating system because the attackers simply can’t get at it. Windows 10 Secure-Core PC’s have these capabilities as standard but if your PC supports third party virtualisation extensions then the same protection will be offered to you.

Although the greatest thing about this is that the virtualisation features being used to offer this protection already exist in many modern CPUs and so native support can often be found on your existing hardware. The particular extensions Microsoft need to so this clever stuff are often found in the BIOS settings for your machines, but specifically are:

  • Virtualisation Extensions (from Intel, AMD or ARM)
  • Second-level Address Translation (SLAT):
    • EPT on Intel chips;
    • NPD for AMD chips;
    • Stage 2 address translation for ARM chips.

These sorts of improvements are very welcome from Microsoft who have often been caught out when it comes to their security capabilities; typically because of their success in the End User Compute (EUC) space for both home and enterprise computers. A proactive address of memory corruption attacks is going to be really exciting for all of us in the security space, but isn’t the first time they’ve used virtualisation to solve malware abusing memory access.

Credential Guard leveraged virtualisation to isolate the Local Security Authority Subsystem Service (LSASS) from memory access as Windows has historically stored both the encrypted credentials, but also the key to that encryption in memory. If credential Guard and Windows 10 KDP are anything to go by, we’re excited to see what more innovations operating system kernel teams will come up with next to prevent memory attacks.

The full document in relation to Kernel Data Protection can be found here.

Check out our Newsroom for other articles about innovative security and products.