Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Microsoft Adds New Data Corruption Preventions to Windows

Microsoft this week announced Kernel Data Protection (KDP), new technology that aims to protect the Windows kernel and drivers from data corruption attacks.

Microsoft this week announced Kernel Data Protection (KDP), new technology that aims to protect the Windows kernel and drivers from data corruption attacks.

Such attacks can result in modifications to system security policies, privilege escalation, and security attestation tampering, among others, and Microsoft’s KDP aims to prevent them through virtualization-based security (VBS).

KDP includes a set of APIs through which some kernel memory is marked as read-only and cannot be modified. By preventing the tampering with policy data structures, for example, KDP can mitigate attacks where malicious, unsigned drivers are installed on the system.

Making kernel memory read-only can be used to mitigate attacks on Windows kernel, security products, inbox components, and third-party drivers, and can also result in improved performance and reliability, while driving adoption to virtualization-based security.

KDP builds upon the technology included by default in Secured-core PCs and adds another layer of protection for configuration data.

In Windows 10, KDP is implemented in two parts, namely static KDP, where software running in kernel mode can protect a section of its own image, and dynamic KDP, where kernel-mode software can “allocate and release read-only memory from a ‘secure pool’,” Microsoft says.

Already included in the latest Windows 10 Insider Build, the KDP (both dynamic and static) does not work with executable pages, since protection to those is provided by hypervisor-protected code integrity (HVCI).

“Both static KDP and dynamic KDP rely on the physical memory being protected by the SLAT [second-level address translation] in the hypervisor. When a processor supports the SLAT, it uses another layer for memory address translation,” the tech company explains.

Advertisement. Scroll to continue reading.

Microsoft also reveals that the technology has been implemented into Windows Defender System Guard, where it ensures that there is a single active connection between the attestation broker and the attestation driver, and into Cl.dll, the code integrity engine in Windows, to protect internal policy state after initialization.

“These are just a few examples of how useful protecting kernel and driver memory as read-only can be for the security and integrity of the system. As KDP is adopted more broadly, we expect to be able to expand the scope of protection as we look to protect against data corruption attacks more broadly,” Microsoft notes.

Related: Microsoft Defender ATP Gets UEFI Scanner

Related: Microsoft Releases Integrated Threat Protection in Public Preview

Related: Researcher Finds Novel Bug Class in Windows Kernel

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...