In the constant battle with hackers, Microsoft has just played another card by introducing a new Kernel Data Protection technology, which will make it harder for attackers to use data corruption techniques to bypass security and escalate privileges.
Kernel Data Protection (KDP) makes sections of kernel memory read-only and prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS).
The technology would mitigate a new form of attack seen recently in which attackers exploit signed but vulnerable drivers to install malicious, unsigned drivers, which then tamper with kernel memory. With read-only protection, even signed drivers would not be able to change important memory structures and settings.
Microsoft said the technology was needed to head off attackers, as hackers are increasingly frustrated by Code Integrity (CI) and Control Flow Guard (CFG) security technologies and are looking for other exploit routes.
Microsoft says the technology also has other benefits, including:
- Performance improvements — KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
- Reliability improvements — KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
Not all Windows systems will be able to implement KDP, as the platform needs to support virtualization-based security (VBS). The technology is already available in the latest Insider builds of Windows 10.
Read all the details at Microsoft here.