A new Microsoft blog post explains how the firm is now using virtualization-based security (VBS) to prevent data corruption attacks in Windows 10.
“Attackers, confronted by security technologies that prevent memory corruption, like Code Integrity (CI) and Control Flow Guard (CFG), are expectedly shifting their techniques towards data corruption,” Microsoft’s Base Kernel Team explains. “Attackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify ‘initialize once’ data structures, among others.”
To help prevent this kind of attack, Microsoft has added Kernel Data Protection (KDP) to Windows 10. Described as “a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS),” KDP is a set of APIs that let the kernel and drivers mark selected kernel memory as read-only, so that attackers cannot modify its contents even with a kernel-mode write primitive.
“For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver,” the firm says. “KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.”
KDP also provides performance and reliability improvements, and Microsoft says that it gives driver developers and vendors an incentive to improve compatibility with virtualization-based security, which should drive adoption of these technologies.
If you’re interested in this work, check out the original post; it’s a really detailed dive into the changes Microsoft has made to security in Windows 10.