Microsoft has introduced a new kernel security mechanism to prevent data corruption attacks. According to Microsoft, attackers are shifting their focus towards data corruption in large numbers because widespread memory protection technologies such as Code Integrity (CI) and Control Flow Guard (CFG) now make it hard to inject and run unauthorized code in kernel memory.
Microsoft launches Kernel Data Protection
As a result, attackers increasingly rely on data corruption techniques: targeting system security policy, modifying "initialize once" data structures, and the like.
To prevent such attacks, Microsoft has announced a new technology. Short for Kernel Data Protection, KDP uses virtualization-based security (VBS) to safeguard parts of the Windows kernel and drivers against data corruption attacks, relying on the hardware virtualization features of the CPU.
VBS uses those hardware virtualization features (the hypervisor) to create a secure region of memory that is isolated from the normal Windows 10 operating system, so that even code running with kernel privileges cannot tamper with it.
What is Kernel Data Protection (KDP)
We briefly touched upon its purpose, but what is Kernel Data Protection in the bigger picture? In a nutshell, KDP helps prevent data corruption attacks. It comprises a set of APIs that let kernel-mode software mark some of its kernel memory as read-only.
Once a region of kernel memory is marked read-only through the KDP APIs, an attacker cannot modify it, even with a kernel-mode write primitive, because the protection is enforced by the hypervisor rather than by the kernel's own page tables, which a compromised kernel could otherwise simply change back. Microsoft wrote:
“We’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.”
According to Microsoft, the Windows kernel, inbox components, security products, and third-party software such as DRM drivers will benefit from being able to protect kernel memory as read-only. Beyond security, Microsoft expects KDP to bring performance improvements (protected data structures no longer need to be periodically re-verified), reliability improvements (memory corruption bugs in drivers that write to protected data become easier to diagnose), and an incentive for driver developers to improve their compatibility with VBS.
KDP builds on the same VBS technology that is already part of Secured-core PCs, which implement a set of hardware, firmware, and OS requirements designed to protect the Windows operating system against kernel-level attacks, including data corruption.
The Windows 10 implementation of KDP has two parts. Static KDP lets kernel-mode software protect a section of its own image, such as initialize-once policy or configuration data, from being tampered with after initialization. Dynamic KDP lets kernel-mode software allocate and release read-only memory from a secure pool. Both are already available in the latest Windows 10 Insider builds. Notably, KDP is about data: it applies to any kind of memory except executable pages, whose protection is already provided by hypervisor-protected code integrity (HVCI).
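A practical check to add here, not part of the original article or of Microsoft's own material: KDP can only take effect on a machine where VBS is actually running, so before expecting any hypervisor-enforced protection on a given Windows 10 system, verify its VBS state. The script below reads the Win32_DeviceGuard WMI class, which is how Windows exposes VBS and HVCI status; the value-to-name tables follow the documented meanings of that class's properties. The class reports VBS and its services, not KDP itself, so treat "VBS running" as a prerequisite check rather than as confirmation that KDP is protecting anything.

```powershell
# Added example (not from the article): report whether the VBS foundation that KDP relies on is running.
# Run in an elevated PowerShell on Windows 10.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
$vbs = [int]$dg.VirtualizationBasedSecurityStatus
"VBS: {0}" -f $vbsState[$vbs]

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity),
# 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
$svc = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$running = @($dg.SecurityServicesRunning | ForEach-Object { $svc[[int]$_] })
"VBS services running: {0}" -f $(if ($running.Count -gt 0) { $running -join ', ' } else { 'none' })

# AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection,
# 4 = Secure Memory Overwrite, 5 = NX protections, 6 = SMM mitigations, 7 = Mode Based Execution Control (MBEC)
$props = @{ 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'
            5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control (MBEC)' }
$available = @($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] })
"Platform security properties available: {0}" -f $(if ($available.Count -gt 0) { $available -join ', ' } else { 'none' })

# Hypervisor-enforced protections (HVCI, and KDP built on the same VBS base) need VBS in the "running" state.
if ($vbs -ne 2) {
    Write-Warning 'VBS is not running: hypervisor-enforced kernel protections cannot take effect on this machine.'
}
```

If VBS reports "enabled, not running", the usual causes are missing hardware support (no hypervisor support or Secure Boot in the available-properties list) or a conflicting hypervisor; the available-properties line is the place to start looking.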
Microsoft has published a detailed blog post explaining the implementation of the Kernel Data Protection (KDP) mechanism on the Windows 10 operating system.