Microsoft Brings Kernel Data Protection to Windows 10
- Paul Thurrott
- Jul 09, 2020
-
11
A new Microsoft blog post explains how the firm is now using virtualization-based security (VBS) to prevent data corruption attacks in Windows 10.
“Attackers, confronted by security technologies that prevent memory corruption, like Code Integrity (CI) and Control Flow Guard (CFG), are expectedly shifting their techniques towards data corruption,” Microsoft’s Base Kernel Team explains. “Attackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify ‘initialize once’ data structures, among others.”
Windows Intelligence In Your Inbox
Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!
"*" indicates required fields
To help prevent this kind of attack, Microsoft has added Kernel Data Protection (KDP) to Windows 10. Described as “a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS),” KDP is a set of APIs that provide the ability to mark some kernel memory as read-only, preventing attackers from ever modifying its contents.
“For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver,” the firm says. “KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.”
KDP also provides performance and reliability improvements, and Microsoft says that it gives driver developers and vendors an incentive to improve compatibility with virtualization-based security, which should drive adoption of these technologies.
If you’re interested in this work, check out the original post: It’s a really detailed dive into the changes Microsoft has made to security in Windows 10.